I haven’t posted in  and I have gotten some flack. Between several major changes this has been put on the back burner.  I am now back in the saddle though.  I have changed roles at WWT where I have been for over a year.  They have moved me into the Consulting Systems Engineering role.  This has been a huge change, exciting and intense.

On the security front, I went down to LA last weekend and took my CISSP.  It is pretty much what everyone everywhere has said.  Not very deep but incredibly wide.  Also many of the questions are poorly worded.  I believe I passed but won’t find out for another week or two.  I would be happy to answer questions in a broad sense if anyone has any on the CISSP.

Additionally outside of the security realm I will be tackling both the NetApp ASAP and VMWare exams here this month.

Finally in working on my GIAC GOLD paper for the Incident Handler branch I am trying to get a copy of the COFEE program from Microsoft.  If I can get it I will definitely complete a write up on it.

Helix is already out on the market in the free world.  This looks interesting though.  I am hoping to take it for a spin this weekend.

Apparently some students at Edith Cowan University’s School of Computing and Information Sciences in Australia have developed a Linux-based tool to help collect cyber evidence without compromising its integrity.  The idea arose after the Western Australian Police asked the University for help two years ago.

I guess the police hadn’t utilized Helix or any of the other tools available. Normally, the police take PCs back to the station to gather evidence, but this tool allows them to collect it on site.  Now I am not sure if this does a bit by bit copy or what have you, but I know that in the US there will be a significant problem with chain of custody and the desire to see the original evidence if a case goes to court.

Supposedly the tool searches out certain file types, which saves the police a great deal of time.  To make sure the original evidence will still be admissible in court, the tool’s developers “removed all network support and the ability to write to disk.  If for some reason a disk is writeable, the system will halt automatically.” Write blocks are an important aspect.  More to be analyzed – the jury is still out on this tool.

http://www.zdnetasia.com/news/security/0,39044215,62038612,00.htm

Adam Boileau (Metlstorm) has released a script (winlockpwn) written in Python, which allows a device running Linux to be connected to the FireWire port of a target workstation running Windows XP to get full read/write memory access and bypass Windows authentication. He demonstrated the tool in 2006, but didn’t release it until a few days ago. And this type of attack is also apparently effective against other OSes such Linux and OS X. And if the device doesn’t have a FireWire port, you’re not necessarily out of luck. If it has a slot for a PCMCIA card, a PCMCIA FireWire card will do the trick. And if you don’t have Linux on your laptop, just run your favorite Linux Live CD distro and grab the winlockpwn code and go.

Of course, it always makes sense to disable services and ports that aren’t needed, but we all know that’s not always done and it’s not always trivial to do. Besides, some users may have a business need for the FireWire port. Ah, the challenges of physiscal security!

Tool Physically Hacks Windows

http://www.darkreading.com/document.asp?doc_id=147713&WT.svl=news2_2

No Firewire for Hack? No Problem

http://www.darkreading.com/blog.asp?blog_sectionid=447&doc_id=147718&WT.svl=blogger2_2

Windows XP FireWire Attack Also Defeats Windows Vista

http://www.informationweek.com/news/showArticle.jhtml?articleID=206901949

Hit by a Bus: Physical Access Attacks with FireWire

http://www.ruxcon.org.au/files/2006/firewire_attacks.pdf

storm.net.nz Projects - Firewire, DMA & Windows

http://www.storm.net.nz/projects/16

Dr. Eric Cole the author of Security 401: SANS Security Essentials, is providing an extracted 30 minute module on Vulnerability Assessment from Security 401. Dr. Cole believes that this will help you to improve the security of your organization. SANS is making this segment available through SANS OnDemand at no cost. Give it a try at
http://www.sans.org/info/25398

As a SANS student and participant in one of Dr. Cole’s classes I am sure that it will be worth while.  Besides you can’t beat free.

Ok maybe I need to rethink associating all Online Password Storage groups in the same realm as Dogbert. Think think think think…hmmmm….NOPE!

A nice aspect of the blog that I put out for me is the backend shows me where a referral comes from and recently one came from http://www.notsorelevant.com/2008-01-30/is-giving-away-passwords-cool-again/ while the information with in the article was interesting especially the new German application Allyve I thought the author missed the mark comparing this product to OpenID or OAuth. Allyve works more along the lines of any of the top 3 hits that Google brings back when searching for Online Password Storage. Agatra – Comodo – Handypassword

While I won’t go into detail about these applications directly I would like to talk about their overall purpose. All 4 of these previous listed applications are truly designed to store your password online and make them accessible from anywhere. This, as a security officer, absolutely scares me from a couple of different angles.

First and foremost in my mind is; why would I ever want to create an attack vector for Mr. BadGuy that is available 24×7. A fundamental rule of security is, never store your key where an avenue is accessible for both the key and the area that the key unlocks.

Second, why would I want to utilize a service that holds my digital identity with out reparation. If a company held my most valuable information and is unwilling to put their financial butt on the line for offering these services I would recommend taking a second look. Most of them list this information in the Terms of Service that everyone automatically checks as read when they first sign up.

While perhaps not for the individual user online passwords alternatives are OpenID or OAuth. At least with both of these tools your organization still retains control over your passwords. On a negative note you could become responsible for your users personal passwords. It is all ugly!!

The best solution once again comes down to policy and I would advise all organizations to not allow online password storage for any corporate assets.

I was talking with a coworker the other day about password cracking and I wanted to write up another post regarding that conversation and Michael Coates comments on a previous article that I wrote.

http://secauditor.wordpress.com/2008/02/21/what-is-more-important-password-expiration-complexity-or-something-else/

There are two main areas that must be looked at anytime an organization enters into password cracking. First is the transportation and storage of the password database and the non-repudiation aspect of users once password cracking is entered into. For this article I want to look at the later. Let’s look at a scenario to start with.

Company A conducts quarterly password cracking on their entire user base. In a separate event unrelated to this action user Joe Schmoe is annoyed with his lack of a bonus and decides to delete critical data. Joe’s supervisor decides to terminate Joe over this event. Joe files a wrongful termination suit against Company A based on this termination. Now you might say, Company A was completely justified with terminating Joe. Joe’s lawyer calls you to the stand and says “Do you use a password cracking program” and “how many people have access to the information gathered from this program?” Here is where the catch is, now you can’t dispute that multiple people have access to the password, how can you prove it was Joe?

Does this mean no more password cracking to ensure strength and protection? Not in the least. There are several areas that must be addressed though.

1. Your policies must be solid and identify exactly what you are looking for in a password. (i.e. one letter, one number, one special character)
2. You need to ensure that you have defined how you handle the situation once you find a password is non-compliant. (i.e. the user is notified and a password change is required.)
3. Document how you conduct password cracking. (i.e. you can crack any passwords that are all numbers, all letters, all special characters, or a combination of any two of these) This ensures that if a password meets you policy it will not be cracked.

Now you have ensured that passwords that are in compliance are not cracked, you have notified and forced change for those whose password is out of compliance, and you have ensured that a user’s actions are truly their own.

Today a notice hit http://www.sophos.com about a Trojan infecting phones utilizing Microsoft Windows Mobile. This is making its way across China when the phone accesses one of several websites over there. It is only a matter of time before this affects Europe and North America.

The trojan, called winCE//infojack, it is wrapped together with several legitimate mini-games, including Mahjongg and a version of Tetris. The trojan is written in such a way that an unsuspecting user will install the package” on the mobile device.

Once downloaded, the trojan lowers the security settings on the device so it the user doesn’t know that the applications are unsigned. Like any other version of Windows this is done through a registry edit.

The trojan also includes self-replication capabilities that can infect memory cards connected to the device, researchers said. This ensures that the infection is executed every time the card is plugged in.

Once installed on the mobile device, the trojan can steal confidential information — such as username, password and financial data — from the phone and send it back to the malware’s author.

Being a mobile phone user myself I naturally wanted to try to find ways to protect my information stored on my phone. I found F-Secure’s AV for Windows Mobile at http://mobile.f-secure.com available for trial download. I hate participating in the Fear Uncertainty and Doubt (FUD) Factor but why not look to prevent something from happening. Now not that I know if this will help to prevent infection (other than the age old adage never install anything that you don’t know where it comes from). I hope that the F-Secure Anti-Virus application for Windows Mobile will help prevent some of this activity.

While we are on the certification bandwagon I must apologize for the lack of material over the course of the last several days. I have been guilty of competing in the certification dance. This last weekend I took the GIAC PCI exam and this week I will be taking Cisco’s Wide Area Application Services exam. I will complete a post regarding these two exams later this week.

On to the news. Trusecure was recently sold off to Verizon (via CyberTrust). With this transaction happening the TICSA certification has been shut down. Now this might not be the most recognized certification around but it did hold some value. The nice thing is ISC is allowing holders of the certification to get there SSCP.

Here is the message from Verizon/CyberTrust/Trusecure:

I would like to take this opportunity to thank TICSA Certified Practitioners for their ongoing support, and trust that you have found value in your status. As we start this New Year we have made a decision to discontinue the TICSA security professional certification.

We are happy to announce however, that we have coordinated with (ISC)2, who has agreed to accept applications for entrance into the SSCP program from all TICSA Certified Practitioners. This enrollment period will start March 1, 2008 and run thru April 15, 2008, at which time the offer will no longer be valid.

In order to transition your TICSA certification you will not be required to take the SSCP exam so long as there is proof that you have passed the TICSA exam. You will be required to complete the (ISC)² SSCP application along with agreeing to (ISC)²’s “Code of Ethics”. ISC2 will review and validate the information including the exam score with Cybertrust / Verizon Business prior to approving the application for SSCP certification.

Should you be interested in taking advantage of the opportunity to transfer your TICSA certification to the (ISC)2 SSCP program, please visit www.isc2.org/TICSA and follow the instructions provided. We trust that you will continue to demonstrate your knowledge and abilities to be active stakeholders in today’s enterprise security, helping your organization and perhaps others to achieve a more secure operational posture.

I am giving some big kudos to Stephen Moore, Shane Castle and Nathaniel Hall who helped me sort through some issues I was having regarding web servers pulling dynamic data off of SQL servers. I decided I wanted to base a little article around this. Let’s set the scenario an outside system hits the DMZ based web server which in turn pulls information from an internal SQL box.

My initial thought was how can I secure this better than a one to one ACL that is only allowed across an SQL port? My goal was to find an alternative solution that provided better granularity.

Now this solution is predominately supported by the majority of IT personnel out there. Technically it is a sound solution that limits the exposure while not breaking the bank.

Another option that was discussed was the placement of a secondary SQL box into a separate DMZ context and have the web server pull information directly from that box.

This appears to me to gain limited security value while both increasing the cost and complexity of the solution. You will still need holes through your firewall, if your web server is compromised there is the additional step that the attacker will now need to gain access to the first SQL box before attacking the primary SQL box.

I think ultimately the best solution is insuring both your SQL box and web server are hardened. Deploy some for of an application firewall to try to stop SQL injections and change the default port from the standard port of 1433 to something different.

Additionally it would be beneficial to look at utilizing local authorization for authentication over SQL authentication. Finally, a look at utilizing some form of encryption for this data could be extremely beneficial a great free program to look at for this would be Stunnel.

Stunnel can be found at http://www.stunnel.org/ Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon’s code.

In a recent release Google has release Google Apps Team Edition. As an administrator for your organization you need to get out and set this up so you have control over this function for your organization rather than Joe Blow user.

I decided I wanted to take a look at this to figure out how an organization can limit access or take control over this app for an organization. I have a feeling that many companies “would not” like to have their employees use this for collaboration. However any employee can go and register using company domain and get started.
Some questions that came up are is it possible for the authorized IT Admin in the company to make sure that nobody opens a Team Edition account in the name of the company domain?

I opened up one of the free accounts, then I had to dig through a few pages to find how to set myself up as an admin for the domain. It involved putting a page containing a special string either on a website hosting the root of my domain (http://mydomain.com) or a special entry in my DNS servers for mydomain.com.

This is proof enough to Google that you are authorized to take over admin rights for the domain. Once that was done, it is no longer possible for other folks to setup an account using my domain without the admins approval.

Here are some notes from Google on this.

If you’re the IT admin for your domain, you can verify domain ownership to begin managing Google Apps. As a Google Apps admin, you’ll have access to the following features in addition to the services included in the Team Edition:

• Email for your domain, powered by Gmail
• Additional customization features: customize your domain’s start page, logo and login page
• Domain web pages, powered by Google Page Creator
• Management features: create and delete user accounts, control document and calendar sharing settings, and much more!

To begin managing Google Apps, you’ll need to prove that you control your domain. Here’s how to get started:

1. Log in to your Google Apps dashboard at http://www.google.com/a/your_domain.com. Make sure to replace ‘your_domain.com’ with your actual domain name.
2. Near the bottom of the page you’ll see the text ‘If you are the IT administrator, you can access administrative features for your organization. Learn How.’ Click on ‘Learn how.’
3. Enter a contact email address outside your domain.
4. Review the Terms and Conditions and click ‘I accept. Continue to activate.’
5. Verify domain ownership using the instructions provided. You can verify by creating a CNAME record we specify, or by uploading an HTML file with your domain host.
6. Once you’ve made the necessary changes with your domain host, click on ‘Verify.’
7. If you’re unable to verify your account right away, click ‘I will verify later’ to cancel verification and return to the Team Edition. You can restart the verification process at any time. If you have trouble making the required changes, you can contact your domain host for assistance.

Now that you have become the Administrator for this app you can disable all of the services. Then if anyone signs up you can ensure that nothing can be done.
You can disable the service by following these steps:

1. Log in to your control panel.
2. From the Service settings drop-down menu, select the service that you’d like to disable.
3. Click Disable (service) at the bottom of the page.
4. After reading the possible issues relating to disabling that service, click Yes, disable (service).

My recommendations are that all administrators head this off at the pass before your users over run you and you are forced to play catch up.

-secauditor