Anthony M. Freed's Open Salon Blog

Extensive User and Group Privileges

Mon, 16 Aug 2010 11:08:00 -0400

Article by Alex Rothacker

Application Security, Inc.'s Team SHATTER (Security Heuristics of Application Testing Technology for Enterprise Research) has researched the Top 10 Database Vulnerabilities in order to provide you with the most up-to-date vulnerabilities, risk and remediation information.

Today we will cover the third database vulnerability - extensive privileges assigned directly to users or indirectly through user groups.

There are two very important concepts that apply to information systems security controls: separation of duties and the principle of least privileges.

Separation of duties manages conflicts of interest and implements an appropriate level of checks and balances on an individual's activities to ensure they do not have toxic privilege combinations.

The principle of least privileges requires that users have the least amount of privileges required to perform their specific tasks - only they the data they need and nothing more.

The process of collecting a comprehensive list of all rights that a user has can become a daunting task. Privileges aren't typically just assigned directly to the users they also inherit privileges from groups or roles they belong to.

In this week's edition of our Database Vulnerability of the day series, we will highlight several important rights, privileges and common groups to look out for when reviewing user and group rights, as well as group membership. We will also let you know how and what to check for to mitigate these risks.

To stay informed on the Top 10 Database Vulnerabilities follow @TeamSHATTER on Twitter.

Alex Rothacker is the manager of Application Security, Inc.'s Team SHATTER (Security Heuristics of Application Testing Technology for Enterprise Research). Team SHATTER has been providing its customers and database vendors with the most up-to-date database vulnerability information to ensure the security of information stored in databases.

How to Do Application Logging Right

Mon, 16 Aug 2010 03:08:00 -0400

Just wanted to highlight another useful resource on logging: "How to Do Application Logging Right” by Gunnar Peterson and myself.

Following on our previous IEEE paper (here [PDF]), we explored application logging from a developer's perspective. As Gunnar already pointed out, “audit logs are one of the quick, dirty and cheap things that can improve enterprise security.”

Here is a fun except:

“Organizations have finally gotten network device logging and—to some extent—server logging under control. However, after getting used to neat Cisco Adaptive Security Appliance or other firewall logs and Linux “password accepted” messages, security incident investigators trying to respond to the next wave of attacks have been thrust into the horrific world of application logging.”

and

“We can start by establishing criteria for good security audit logs (which we just call “logs” from now on). […] On the basis of the six Ws, the following list [see paper] provides a starting point for what to include [in each application log message]”

and

“Software architects and developers must “get” logging; there’s no other way. This is because infrastructure logging from network devices and operating systems won’t cut it for detecting and investigating application-level threats. Security teams will need to guide developers and architects through useful, effective logging.”

Grab the paper here [PDF] and enjoy!

And, Raffy, you owe me another beer for “We thank Raffy Marty of Loggly for his thoughtful review of the draft article.” :-) In fact, I think me using the word “thoughtful” here justifies “beer+2”…

Cross-posted from Security Warror

Hacking Forensic Security channel update July

Mon, 16 Aug 2010 03:08:00 -0400

This was crossposted from christiaan008.blogspot.com, a blog about the youtube channel Hacking Forensic Security

First off thanks to all the subscribers, the channel has over 700 subscribers. The channel is growing steady.

This time I'll start with a couple of ideas I have for the channel, after that the channel update and channel statistics. Since I've been late writing a new blog post, this post will be a little bit longer then usually. There's alot to write about, so please keep on reading!

But lets start with this video.

1. Channel ideas

I'm thinking of redesigning the channel. At this time the channel has over 3200 videos. Most are from a security conference but there are also a lot of hacking videos. I didn't add all of the uploaded videos to playlists, which makes it sometimes difficult to find them.

By redesigning the channel I mean a different layout. The main goal is to make it more accesible to everyone by making the channel more structured. (ideas are appreciated)

I want to add labels to the videos, so that there's somekind of structure and videos about certain topics can easily be found. Since hacking, security and forensics is a very broad area, maybe there's some kind of breakdown in categories available? (let me know what you think)

In the past weeks I've been searching for youtubers that uploaded videos that I can add to the channel and contacted them with success. I want to widen this search and add more videos from other youtubers, so if you want to be added let me know. As you may have seen credits will be mentioned.

For the channel I've created a facebook group called Hacking Forensic Security. The idea is to share videos posted on the channel and discuss them, it can be about a hack or a talk from a conference. To join click here.

Also want to do more polls on youtube, so that you the viewer/subscriber can let me know what you think. A youtube account is required to vote.

And last but not least try to upload on certain days, so that the viewer/subscriber knows when new videos will be available. This also applies to blog postings.

I have some other ideas that I'm working on but that's for later postings!

2. Channel updates

2.1 Video uploads

Hacking videos:

There are new videos from blackbox246 and mrbrunohacked, ronnieflip available:

- A good example of SQL Injection

- Metasploit backdooring

Description:

In this video you can see how to use metersploit payloads to build a backdoor using a binary executable file which gives you access to the victim machine.

- Embed trojan into a JPG format

Description:

How to hide a Trojan into a JPG File

News videos:

- Russian Today: CrossTalk on Cyber Wars 1/3

Description:

On this edition of Peter Lavelle's CrossTalk he asks his guests about spying in the 21st century - What is more dangerous: spies or terrorists on the Internet? And how to deal with both?

- Democracy Now: Washington Post Investigation Reveals Massive US Intelligence System 1/3

Description:

An explosive investigative series published in the Washington Post today begins, "The top-secret world the government created in response to the terrorist attacks of Sept. 11, 2001, has become so large, so unwieldy and so secretive that no one knows how much money it costs, how many people it employs, how many programs exist within it or exactly how many agencies do the same work."

Awareness

NICC: The Dutch Approach

Description:

About NICC: The National Infrastructure against Cybercrime (NICC) is the Dutch approach to combat cybercrime. The NICC program is a public-private partnership.

The NICC is not involved in the actual fight against cybercrime -- this is the responsibility of all the public and private stakeholders involved.

So what is the purpose of the NICC? The program supports, facilitates and finances initiatives by other public and private organisations that contribute to safer computer-supported work processes.

The NICC brings these organisations together so that they can continue to build the National Infrastructure. They bring their own knowledge and experience to the table.

The NICC's role is to monitor the entire process, to gather and disseminate information and to encourage public and private organisations to share their knowledge.

For more information about NICC look at: http://www.samentegencybercrime.nl/

The English brochure can be found here: http://www.samentegencybercrime.nl/UserFiles/File/NICC%20brochure_uk.pdf

Security Conference:

Black Hat USA 2010: Jackpotting Automated Teller Machines Redux 1/5

Description:

The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software.

2.2 Created a facebook group called hacking forensic security

As you maybe read earlier in this post I've set up a group for the channel on facebook. The main goal is more interaction with the uploaded videos from the youtube channel. At this point the group has a few active members.

If the group has more active members I think more videos will be discussed, which can be a good learning experience. If you have suggestions about how to make the group more interactive let me know. Click here to join the facebook group.

2.3 Poll on youtube channel

I've put a poll called 'What do you want to see changed?' on the channel, I want the channel to be more interactive with the viewers and subscribers. Therefore if you vote and let me know what you think should change, I can consider it when redesigning the channel. It's also possible to add suggestions. Click here to vote now (youtube account required).

2.4 Added a twitterfeed

Added a twitterfeed to the twitter account of the channel. The feed is a RSS of latest uploads and all playlist. By adding all the playlists the feed will tweet a video multiple times if it consists of multiple parts. Does anyone know how to create a good RSS for youtube that filters videos that consists of multiple parts? The twitter account is christiaan008.

3. Channel statistics

- all videos combined almost 450.000 video hits
- average hits a day between 1400-1800 hits
- in total 22216 page views
- 705 subscribers, when will the channel reach 1000 subscribers, this year? ;-)

Let me know what you think about the channel. If you got any suggestions you can leave a comment, sent me a message on youtube or sent a e-mail .

Till the next posting!

Christiaan

Cloud Delivered Security – Solutions for Your Business

Sun, 15 Aug 2010 14:08:00 -0400

The rapid growth of cloud computing has encouraged security companies to develop security solutions that can be delivered in the cloud, but some aspects of security have to be delivered on-site in order for businesses to remain fully protected from internet threats.

Our latest guide, examines what areas of network security are suitable for delivery via the cloud, and which should remain on-site.

Cloud delivered security is perfect for securing, encrypting and archiving email. In fact, we’ve just launched a cloud-based email archiving service, based on Webroot’s technology.

The cloud can also be great for filtering internet access in the cloud to prevent employees visiting non-work related sites or downloading unapproved content which would otherwise take up huge amounts of bandwidth and expose corporate networks to increased risks of malware.

Too often, we think of IT security as being email and web filtering. These are important, of course, but there are other – critical – elements of business security that cannot be managed completely in the cloud, such as a properly configured firewall and IDP system.

Remote working is more common place (helped in part by cloud technology and business services), but companies that use remote access often leave themselves wide open to potential security breaches by not using a virtual private network, and using an easy to set up, but far less secure remote desktop service.

Setting up a VPN can be difficult, but it’s better to invest in getting one professionally set up, than risk costly damages to your firm as a result of using an insecure service.

The most important thing to remember is that no security system, whether cloud based, or on-site, can fully replace stringent security procedures.

Human error is still the number one factor in breaches of IT security, and whilst it will never be completely vanquished, companies can improve their chances by ensuring that strong security policies incorporating good change control and monitoring are in place in addition to cloud and on-site security.

Routing and hardware/software updates are also areas where businesses can come unstuck. Poorly configured routing can leave the network vulnerable to attack and un-patched systems can expose the network to malware threats.

As ever, what is needed when thinking about cloud delivered security versus on-site security, is experience and knowledge. Choosing the right combination can depend on a number of factors but to create a comprehensive security system it must be backed up by strong procedures.

To read the cloud security guide in full, download it for free from the Network Box website.

Cross-posted from NetworkBox

Conducting After Hours Security Reviews

Sun, 15 Aug 2010 12:08:00 -0400

At night things seem very different. I enjoy going outside after the sun has completely set dark. You hear sounds you never hear in the daytime. You see things you never see or notice during daylight. It’s not much different within the workplace.

In 1990 when I was an internal auditor I was tasked with determining the overall information security posture of the company. One of the things that I decided would be a good thing to do was to go to the offices Saturday and Sunday evening when there would be the fewest personnel around.

I wanted to look at their work areas to see what type of information security risks I could find that were a result of the work habits of the personnel. A computer security investigation for the human realm.

Oh, boy; it was an eye opening experience! I found so many vulnerabilities it filled pages. It became a significant basis for what would become the organization’s first set of information security policies. Over the years I have refined the process quite a bit.

Doing after-hours walkthroughs are a great way for all organizations to get out where their personnel work and see what kinds of risks exist to information when no one is around. They can usually be done during the work-week within specific business areas in around two to four hours.

Partnering with the physical security department and having them come along increases the time investment value and security value greatly by not only having physical security risks identified at the same time, but also giving the information security folks a chance to raise information security awareness for the physical security folks and vice versa.

Some people have said to me over the years, “But the risks are so little at night! No one is around, with the exception of the security guards, cleaning staff, maintenance workers and employees who may be working late.” Yes, these folks very well COULD be in the area.

I have seen many instances of security guards doing bad things with the information they have found, along with the cleaning staff, maintenance workers and employees. When you think about it this is a very large number of people, isn’t it?

What are the information security and privacy vulnerabilities you are likely to see? The possibilities are endless! Here are eighteen common vulnerabilities, in no particular order, to get you started in thinking about the possibilities. Add to this list and create a walkthrough checklist based upon it to log what you find.

1. Computers logged into the network and unlocked

There inevitably are computers found that are still logged into the network and that have not been secured. Don’t let the presence of a screensaver fool you. Move the mouse or touch the mousepad and see if the computer is still logged into the network.

Just think about all the things a malicious person could do through the authorized access of your IT administrators, your HR workers, your accounting department personnel, your information security staff (yes, numerous times information security personnel themselves leave huge vulnerabilities in their work areas), and other folks with access to sensitive information.

2. Passwords written and easily discovered

It seems passwords have been written on sticky notes since the introduction of Post-its in 1968. You will often find computer passwords on notes stuck to the computer monitor, under the keyboard, on the desk calendar, on the overhead bin, and under tissue boxes. You will find voice mail passwords on notes stuck under the phone, etched into the phone handset, and also nicely labeled under the keyboard. I’ve found many password tokens with the PIN number written on, and even scratched into, the token itself.

3. Negotiable checks out in open

If you work in an organization that receives payments from your customers, look in the accounts receivable and accounting areas for checks lying out in the open for anyone to pick up and walk away with.

There is an amazingly large amount of information on checks that can be used to commit identity theft and other types of fraud. Probably one of the most egregious cases I found was when in an otherwise amazingly clean and tidy desk area that processed real estate payments.

There was a very tidy stack of negotiable checks stacked neatly on the keyboard propped against the monitor. The checks, around 30 of them, were all for tens of thousands, and a few for hundreds of thousands, of dollars each.

The employee explained she did this every night before she left so that she could get a “quick start” on processing the checks first thing in the morning.

4. Papers with sensitive information on desktops

It is amazing the amount of sensitive printed information that is left out in the open on top of desks. Much contains customer personally identifiable information (PII) as well as employee PII.

One of the worst cases I found was within a director’s office. He had, in very neat stacks on his long desktop, all his direct reports’ personnel files laying in front of their corresponding “Confidential” envelopes.

The employees’ entire payment history, managers’ notes, beneficiary information, social security numbers, and all other information, available for anyone to see who would walk into the office, which had the door wide open.

5. Unapproved network connections

At one of my clients, one of the server administrators in a business unit with many different business partners did not like to be slowed down by rules and was always agitated when told to follow the procedures.

He always wanted to set up connections to his networked server from the other companies himself. "I could easily set the connections up myself," he would say. Turns out, this admin knew that network cables ran in the ceilings above the dropped ceiling panels.

Apparently, sometime when no one was around, he had removed the panels above his cubicle and examined the wiring long enough to identify where to patch in a cable, from a modem that was on his desk, to his server. The cable ran up the wall, and was hidden by a tall voluminous fern, which we discovered during one of our after hours reviews.

Look for suspicious connections to computer equipment and wiring.

6. Unapproved software

There have been numerous times when I have found software boxes, CDs and diskettes in personnel work areas that have brought in and installed on employee computers, and even on the network, without approval.

Some of the more clever folks install the software for the time period they want to use the application, and then uninstall the software in an attempt to thwart the corporate software inventory tool. If they are using the software to create business materials or products this could put your organization into jeopardy of licensing noncompliance.

And then there are the malicious code risks. Look for boxed software packages in addition to CDs and diskettes out in the area. Oftentimes you will find the CDs and diskettes clearly labeled with the application name.

7. Unapproved access points

Believe it or not, modems are still being used to circumvent access into and out of the network. I’ve found several instances of employees who used splitters, widely available in electronics stores, to allow their phone lines to also be used on their computers.

Note any external modems in the areas, or if you see phone cables hooked into the computers. Look for signs of wireless installations as well.

8. Sensitive information in trashcans

Look in your personnel’s trashcans and in the big trashcans for the department. What type of papers and other items are there? Just as throwing food into trashcans attracts roaches and rats, throwing away sensitive information attracts dumpster divers and criminals.

It also attracts people who want to retrieve the papers to use for scratch paper within their schools, churches and clubs, which has resulted in privacy breaches many times.

9. Sensitive information in mail slots

Don’t forget to look in the mail slots for each area to see if there are blatantly sensitive information available for the taking. It is very easy for someone to take information from the mail slots and make a copy of it at the usually near by copy machine, and then put the information back into the mail slots.

The intended recipient will never know that copies were made and could now be in the wrong hands.

10. Sensitive information in printers, copiers and fax machines

People often forget to take their originals from the copy machines, or leave some copies in the tray. Even more often, people print email messages or reports with sensitive information, get sidetracked, and then forget to go get the printouts.

People often send sensitive information within faxes to others without notifying them, leaving the physical fax machines holding confidential information for anyone passing by to pick up.

11. Keys in desks and filing cabinets

It is very common to find keys sticking out of the key locks in desk drawers and filing cabinets. When they turn up missing people usually don’t give it a second thought, thinking they have misplaced the keys, and end up getting copies made. Meanwhile others may have those keys to use when others are not around.

12. Open doors

I have found many doors to stairwells propped open with trashcans and boxes. While I was in a location in the information security area on the 16th floor of the downtown building there came a woman through the stairway door with her three small children in tow.

She saw me and the others in the nearby office talking, came over and asked us how to get to the downtown Walgreens. Unauthorized people who easily got into a restricted area. I have found doors to computer operations rooms held open with broomsticks and umbrellas.

Usually people have propped them open with every intent of closing the door after they have carried something through, but it is very easy to get sidetracked once crossing through the doorway, leaving the door open for anyone in the area to walk through.

13. Mobile computers unsecured

It’s funny how mobile computers have a tendency to walk away “on their own” if they are left unattended and unsecured. Mobile computers of all types are attractive targets for thieves who want the data on them or the hardware itself. Mobile computers are reported stolen or lost every day, and those reports represent just a small fraction of the actual losses.

14. Mobile storage unsecured

There are so many types of data storage devices out there. It is easy to copy many megabytes of sensitive data onto any number of them and then carelessly leave them out in the open. Most of the data on these devices is not encrypted. Look for USB storage devices, in all shapes and sizes, along with DVDs, CDs, diskettes and even MP3 players and smartcards.

15. Confidential information in meeting rooms

White boards and flip charts are commonly used within meeting rooms to discuss plans and make decisions. When the meeting is over and another group is waiting to get into the room for the next meeting, everyone often jumps up and leaves without erasing the white boards or tearing off the flip chart pages.

I have found information such as disaster recovery team member contact information, data flows and corporate plans that would be very valuable to competitors.

16. Outdoor trash bins with confidential information

You would think after years of talking about the prevalence of dumpster diving that people would not be throwing sensitive information into outdoor trash bins anymore. However, it seems to happen daily.

Just this afternoon (8/10/2007) it was reported that documents including 2006-2007 sophomore students’ TAKS score sheets, a listing of the senior class rankings by grade point average and several folders with student PII were found in a dumpster behind the Waxahachie High School in Texas.

17. Unlocked storage rooms

Almost every time I do an after hours walkthrough I find unlocked storage rooms with printer-paper sized boxes, usually very clearly labeled with the type of information within them, on shelves.

Often they are customer account information or employee information archived into the boxes and into the unsecured room. Tons of PII, all in one easy-to-carry box for someone who would like to use the information for criminal purposes, or sell it to lots of other criminals for a nice profit.

18. Unsecured mailrooms

Medium to large sized organizations often have their own mail areas with staff dedicated to processing the mail. Think about the huge amount of confidential information that is sent through postal letters, packages, UPS, FedEx, DHL and other delivery services.

Unsecured mailrooms allow for confidential and sensitive information to be taken, often without the recipients even knowing they were sent. Unaccounted for stolen mail can easily end up being the root of untraceable and unsolvable crimes and frauds.

There are many more types of information security risks that personnel can create within their work areas, but this should give you a good idea of where to start with doing your own after hours security walkthroughs. Just go visit your HR, customer service, call center, IT, Marketing and executive offices.

Stand and look around the work areas for a while. Pretend you are playing Where’s Waldo, except you’re searching for security and privacy vulnerabilities. I am confident you will be able to add to this list of eighteen.

Reasons to do walkthroughs

•   To discover vulnerabilities. This is the most apparent reason. You need to know the vulnerabilities to fix them.
•   To raise awareness. You need to know what people are doing to put information at risk so you can address it with appropriate awareness and training. The reports you create from doing the walkthroughs are great eye-openers and significantly raise awareness.
•   To establish and maintain ongoing metrics. Keeping track of the vulnerabilities found on an ongoing basis is very valuable. You can use the numbers to show risk trends and validate security program efforts.
•   To demonstrate due diligence. Documenting the vulnerabilities, along with your reports about the results of walkthroughs and documenting the actions the areas will take to reduce the risks, provides powerful evidence that you are following a standard of due care in your data protection efforts.
•   To improve your information security and privacy program. Not only do walkthroughs allow you to identify topics that you need to provide more training and awareness about, and the impact of your training and awareness, they also show departments and areas that are creating the most risk to your business

Remember to…

It is important to have executive leadership support for these walkthroughs. Do not try to perform them without speaking to your CEO; you could end up with some very angry middle management complaining to the CEO that they were blindsided.

It is best to ask your CEO to issue a memo to all managers talking about the walkthroughs at a high level, and how they are being done to help improve information security and privacy practices. The memo should state that the walkthroughs will be done periodically within the business units, but it is usually best to not specify the exact dates.

This way you will be able to see how the areas really look on an ongoing basis.

Following each walkthrough write a report summarizing the results, along with what needs to be done to reduce the identified vulnerabilities. Include your metrics to show how each specific area has improved, or worsened, since the previous walkthroughs.

Include copies of all the detailed log charts your created during the walkthrough with the report for the area’s manager so her or she can address specific vulnerabilities with specified individuals. These results can also be incorporated into the annual performance appraisal.

Also consider publishing a yearly summary of the results of the walkthroughs to your board of directors and all your staff. This will demonstrate just one of the proactive ways that you are trying to protect the organization’s information assets.

Performing walkthroughs was a good thing to do in 1990, and it’s still a very good thing to do!