It’s been a busy year so far. We’ve attended the RSA Conference 2007 in San Francisco and met with some very interesting from the security industry. A roundup of product and service releases is presented in this issue.

As you’ve been requesting, this issue delivers more interviews. There are articles for all levels of knowledge and with Vista being out, we cover its security improvements.

We’re attending the Black Hat Briefings & Training in Amsterdam in March. If you’re attending, be sure to drop me an e- and we’ll grab a drink.

Mirko Zorz Chief Editor

Visit the magazine website at www.insecuremag.com

(IN)SECURE Magazine contacts

Feedback and contributions: Mirko Zorz, Chief Editor - [email protected]

Marketing: Berislav Kucan, Director of Marketing - [email protected]

Distribution

(IN)SECURE Magazine can be freely distributed in the form of the original, non modified PDF document. Distribution of modified versions of (IN)SECURE Magazine content is prohibited without the explicit permission from the editor. For reprinting information please send an email to [email protected] or send a fax to 1-866-420-2598.

Copyright HNS Consulting Ltd. 2007. www.insecuremag.com F-Secure Messaging Security Gateway goes virtual to tackle spam

F-Secure announced the availability of its next-generation messaging security solutions, F-Secure Messaging Security Gateway appliance which blocks spam and viruses already at the gateway level. Version 4 comes with improved us- ability, mail queue management and support for more complex email infrastruc- tures. While the Messaging Security Gateway is available in three different physical hardware configurations, it’s now also available utilizing VMware’s vir- tualization platform. All four versions feature the same anti-spam, anti-virus and anti- features as well as an optional zero-hour protection against fast- spreading email viruses. (www.f-secure.com)

Anti-data-leakage protection with Content Inspection Appliance 1500

Code Green Networks announced the release of its Content Inspection Appliance 1500 (CI-1500) for small and mid-sized organizations in business and govern- ment. The affordable, appliance-based solution enables IT and security managers to easily monitor content flows, discover data leaks, and implement automated policies to prevent them. Using patent- pending technology and residing at a com- pany’s gateway, the Content Inspection Appliance 1500 monitors content flows on the corporate network and automatically enforces content protection policies. If it detects the unau- thorized transmission of sensitive information, it invokes a management- defined policy to log, alert, block, or re-route the transmission. (www.codegreennetworks.com)

www.insecuremag.com 4 Bluefire Enterprise Edition released

Bluefire announced the release of the Bluefire Mobile Security Enterprise Edition version 4.0. The product was designed with full support for ’s Windows Mobile 5.0 Smartphone OS devices. Version 4.0 allows IT adminis- trators the flexibility to customize the software to fit their specific needs. The product is now even more customized to meet the needs of large organiza- tions with the addition of two new features – Secure key recovery for data residing on SD cards and the support for remote SQL instances assists large organizations in leveraging their existing data centers. (www.bluefiresecurity.com)

Core Security Technologies releases CORE IMPACT 6.2

Core Security Technologies announced CORE IMPACT 6.2, which includes enhancements that enable organizations to more effec- tively test their security defenses against increasingly prevalent -side attacks that rely on social engineering, such as spear phishing and e-mails with malicious content. The new version also features enhanced encryption and authentication capabilities to help testers more easily meet secure communication requirements during penetration tests, as well as expanded target platform sup- port for testing networks with AIX systems. (www.coresecurity.com)

New format of 3M Confirm products with Floating Image Technology

3M announced the launch of a new format of the 3M Confirm authentica- tion products with floating image technology that helps to protect against counterfeiting and tampering. This new format offers multi-layered overt and covert security features, and allows for the incorporation of additional security and tracking features into the same label. Confirm authentication products with floating image technology from 3M feature an optically vari- able device (OVD) – a unique, overt security feature. The OVD image appears to “float” above or “sink” below the surface of the label and then disappear as the viewing angle changes, which en- hances the brand with a visually attractive “wow” factor. Dramatic movement of the image is easy to detect and recognize using only the human eye, enabling quick and easy authentication that helps to prove the label and product are genuine. (www.3m.com)

The first managed authentication service for Mac OS X

CRYPTOCard announced the launch of CRYPTO-MAS, the first Man- aged Authentication Service to fully support Apple’s Mac OS X. Devel- oped for small- and medium-sized businesses that either do not want the headache of managing their own authentication solution, or do not have the resources to install and administer two-factor authentication, CRYPTO-MAS makes it simple to eliminate unauthorized network access by protecting employees against shoulder surfing, social engineering, and other forms of password theft. (www.cryptocard.com)

www.insecuremag.com 5 Tenable releases passive Vulnerability Scanner 3.0

Tenable Network Security released version 3 of its Passive Vulnerability Scanner. Major enhancements include near real-time access to network vulnerability data and alerts as well as the availability of Tenable Policy Libraries which can monitor data streams and identify systems accessing pornographic or social networking sites, and inspect plain text email or IM traffic for credit card or social security information. In addition to the new capabilities available in the 3.0 release, Tenable’s Passive Vulnerability Scanner continues to provide network discovery and intelligence by identify- ing and observing systems that are active on the network. (www.tenablesecurity.com)

Certicom launches Suite B Web security power bundle

Certicom released the Suite B Web Security Power Bundle to make it easy for IT managers to attain Suite B and FIPS compliance with security modules for web browsers, servers, and key communication protocols. As part of the U.S. government’s crypto modernization program, the National Security Agency recommended that communication devices and services use a specific set of cryptographic algorithms, known as Suite B, to protect classified and unclas- sified communications. The private sector is also beginning to implement the Suite B algorithms in products and services as Suite B has redefined what is considered industry best practice for cryp- tographic implementations. Certicom’s family of Suite B products and services is the industry’s most comprehensive set of cryptographic modules, including proven and optimized implementa- tions for all of the Suite B requirements. (www.certicom.com)

Sophos releases WS1000 web control platform

Sophos launched the WS1000, the industry’s first web control platform designed to provide trusted content security, application control and URL filtering in a single appliance. The WS1000 appliance ensures a secure web browsing experience as it protects against all forms of and productivity threats, all with no negative effect on user experience. It is designed for organizations which require a complete platform-based solution from a trusted vendor that ad- dresses all security needs including web-specific content security, application control and URL filtering. Sophos’s WS1000 protection is powered by intelligence gathered from scanning billions of web pages, identifying more than 5,000 new malware-hosting URLs daily. (www.sophos.com)

Pointsec releases Pointsec Device Protector

Pointsec Mobile Technologies released the Pointsec Device Protector solution which extends its enterprise data protection to include com- plete port and storage device management, effectively preventing sensitive information from falling into the wrong hands. Pointsec De- vice Protector effectively prevents or limits data transfers to these de- vices through a configurable security policy and content filtering to ensure that corporate IT infra- structure cannot be used for illegal distribution of copyrighted content or installation of malicious software. (www.pointsec.com)

www.insecuremag.com 6 Microsoft said the number one point of interest with the development of Win- dows Vista happened to be security. offers remarkable new and rich features in comparison with Windows XP. However, we all have to deal with the new security features Windows Vista introduced. It leaves no doubt: Windows Vista will have a tremendous impact on business. So is it really true? Are the new security features and the road ahead of us really that impressive as Microsoft claims to be? Let's take a look.

It took a lot of time for Vista to see daylight. release concentrates most on items related to The first announcements almost came at the security. It is major release of Windows, one same time as Microsoft released Windows XP that would have impact on future releases and back in 2001. Microsoft revealed its plans for functionality of OS’s such as Windows Vista. a new OS that would be far more revolution- ary than ever before. The codename was Longhorn contained at first many important “Longhorn” and it would be released some- new developments like the Aero (Authentic, where in 2003. At least that was the overall Energetic, Reflective and Open) interface plan. In the end of that year there happened changes, the WinFS storage framework, Ava- to be a major vulnerability in Windows XP that lon, Indigo (that concentrates on communica- made way for the "Trustworthy Computing ini- tion and collaboration), and most important: tiative". One of the results of that step is the Palladium, a framework for security. introduction of Windows XP Service Pack 2 (SP2) which is a step towards a more strict Along the way it turned out to be a hard job structure and measures taken by Microsoft to for Microsoft and several of too rigorous make the OS more secure by nature. changes ended up in the trash like WinFS. After several delays finally Microsoft came up In the end of 2003 Microsoft finally came up with the long expected follow up of Windows with the first beta of Windows XP SP2. This XP. www.insecuremag.com 7 And then there is…. Windows Vista as an outcome. The result of this all is a desk- top that is much harder to manage (tighten up In the summer of 2005 the name finally the workstation to implement the security pol- changes from codename “Longhorn” to Win- icy of your organization) and likely more sup- dows Vista. Windows Vista comes in different port costs for your organization. flavours. There are currently five versions: Vista Home Basic, Home Premium, Business, (UAC) is introduced Enterprise Edition and Ultimate. For a com- with Windows Vista and offers increased se- parison of features I recommend the reader to curity over previous versions of Windows be- visit the Microsoft website. cause it is intended to prevent unauthorized changes made by the end-user on the com- After several delays and a complete strategy puter so that the system (system files) cannot change the question states: what is left of the be altered. UAC is based upon the concept of initial plans of Microsoft with the release of the so called “least-privilege”. In this principle, Windows Vista? Well, let’s have a more in that sounds very familiar to security profes- depth look at the security part of this all and sionals, an account is set up that has only the see what this means for your business. minimum amount of privileges needed for that end-user to perform the appropriate tasks. Security at the beginning: startup This standard user within Windows Vista is Windows Vista this least-privileged user. The fact is that UAC relies upon two types of accounts: an admin- Vista has Secure Startup which means that istrator account and a standard user account. the entire hard drive can be encrypted prior to To be more exact in the definition of adminis- boot, and the encryption key will be securely trator accounts: there are two different types stored inside a of administrator accounts that are defined for (TPM) chip on the motherboard. Many of the Windows Vista. methods used to circumvent permissions in the past by, for instance, using NTFS for DOS First the powerful Administrator account, and or just install a fresh copy besides the already second all the accounts that are part of the installed OS will no longer work in simply Administrators group. The powerful adminis- reading data from the NTFS partition. I’ll dis- trator account can perform all tasks on the cuss this topic in the BitLocker part later on in system and it will not be prompted or con- this article. fronted with dialog boxes. Surprisingly enough the second type of administrator accounts And there is Address Space Layout Random- (those members of the Administrators group) izer or ASLR. ASLR makes it possible that the are running almost as standard users. Almost, system files load at random memory offsets, because these users have the possibility to every time the system boots up. This will elevate their privileges by simply click a but- make it far more difficult to attack a system ton in a dialog box when prompted. The types because attackers can't rely on files being in of authentication dialogs you'll see, however, the same location every time. In earlier Win- will differ depending on which type of user ac- dows versions system files always loaded to count is currently being used. A standard user the same offset memory location account that is not part of an Administrators group will not simply elevate privileges, the Vista’s User Account Control user then must provide the appropriate cre- dentials. Under UAC, the defined standard Don’t we all like to have the administrator user can perfectly perform most daily tasks, rights on our workstation? It’s simple and such as using business applications, browsing gives us the biggest freedom. Windows users internet and type a letter in a word-processor. are used to work with administrative privileges However, when there is the need to change in both the enterprise organization and at that require administrator privileges, home. This freedom does have a big down- like installing new software or change a sensi- side: more helpdesk calls being made be- tive setting, this user will be confronted with a cause of accidentally or deliberately made dialog box, asking this person to give the ap- modifications of the OS with a variety of errors propriate credentials (in other words: type in www.insecuremag.com 8 Different UAC policies

the account and password with sufficient the required credentials. Behaviour can be set rights). In most instances, it will be perfectly by a policy “UAC: behaviour of the elevation clear that a prompt will appear, because the prompt”. setting will have an icon in the form of a shield next to it. This indicates higher privileges are Running applications with UAC: virtualiza- necessary. tion

Low profile administrators Although it will be certain that there are ex- ceptions, most applications will run under As already known by many of us: a common UAC using the administrator account or a practice is to work with normal credentials on standard user account. Many applications will the Windows platform. Even as an administra- not run on Windows XP without administrative tor. When there is a need for more privileges privileges today because they attempt to an administrator can use "run as…" and ele- make changes to locations that the user can- vate the standard user privileges to true ad- not or may not access, such as C:\Program ministrator rights. Files, C:\Windows, or HKEY_LOCAL_MA- CHINE. In Windows Vista you should run as a stan- dard user rather than as an administrator, be- Windows Vista works with registry and file vir- cause unauthorized changes can be more tualization to redirect attempts to write in one easily made when you run as an administra- of the “forbidden” locations and in this way tor. The great thing is: when an administrator converting per-machine file and registry en- needs to use their administrator privileges, tries to per-user locations if the user lacks the they don't have to use Run As because Win- administrative privileges. dows Vista can automatically prompt them for www.insecuremag.com 9 The shield indicating to elevate privileges.

This enables standard accounts to run appli- and as professionals we have to deal with this cations that still need to write to areas of the phenomenon in the right way. For exceptions registry or file system that only administrators an administrator can allow a standard user to can access. The disadvantage is that this set- run certain applications without being con- ting are not available to other users on that fronted with a dialog box asking them to give machine, it’s stored in the users profile (not the appropriate credentials. part of the roaming profile!). This way the administrator can "elevate" the Keep in mind that Microsoft gives us the life- privileges of the specific application and have cycle time of Vista to work on our bad applica- it always run with those privileges. An admin- tion behavior and that in the next OS this istrator can accomplish this by right-clicks the downward compatibility feature would be dis- application, selects the Compatibility tab, and appeared! So it is really important to think then select under Privilege Level: "Run this about this fact and do something about mis- program as an administrator." behaving or not so well written applications. Roll out desktops with the standard user per- Consequences of UAC and cost savings missions can result in cost savings because a non-administrative user no longer has the As mentioned before: running without admin- ability to accidentally or deliberately install an istrative privileges can be really challenging application or otherwise affect system stability. today since many applications expecting this This can decrease the helpdesk call being in order to run correctly. In any way I recom- made. mend not to disable UAC. UAC is here to stay www.insecuremag.com 10 Run as... possibility

BitLocker BitLocker Drive Encryption provides full vol- ume encryption of the system volume, includ- Theft or loss of corporate intellectual property ing Windows system files and the hibernation is an increasing problem and concern for or- file, which helps protect data from being com- ganizations as I wrote in my article of Decem- promised on a lost or stolen machine. ber 2006 of this magazine. BitLocker provides three modes of operation: Protection is particularly valuable with mobile computers, which are more vulnerable to theft • Transparent operation mode or loss. To provide a solution that is enterprise ready, the Trusted Platform Module (TPM) 1.2 chip is Windows Vista has improved support for data used and required to store the keys that en- protection. You can find this support on the crypt and decrypt sectors on the hard drive. document level by implementing Rights Man- This chip is present already on new mother- agement client which allows organizations to boards today. The key used for the disk en- enforce policies around document usage. At cryption is sealed (encrypted) by the TPM the file-level by using Encrypting chip and will only be released to the OS (EFS), this provides user-based file and direc- loader code if the boot files appear to be un- tory encryption. EFS have the possibility to modified. TPM is in this case an implementa- allow storage of encryption keys on smart tion of a so called Root-of-Trust. The pre-OS cards, providing better protection of encryp- components of BitLocker achieve this by im- tion keys. plementing a Static Root of Trust Measure- ment. This is a methodology specified by the And last but not least at the machine level by Trusted Computing Group (see also: using the BitLocker Drive Encryption feature. www.trustedcomputinggroup.org). On a computer with the appropriate hardware, www.insecuremag.com 11 Running a program with admin credentials

• User authentication mode BitLocker and encryption keys This mode requires that the user provide some authentication to the pre-boot environ- BitLocker full volume encryption seals the ment in order to be able to load the OS. Two symmetric encryption key in a Trusted Plat- authentication modes are supported: a pre- form Module (TPM) 1.2 chip. This is the so boot PIN entered by the user or a USB device called Storage Root Key or SRK. It all works inserted that contains the required startup key. with a chain of keys. The SRK encrypts the FVEK or Full Volume Encryption Key. The • USB-Key FVEK is then stored on the hard drive in the The last possible mode is where the user OS volume. must insert a USB device that contains a startup key into the computer to be able to BitLocker stores blueprints of core operating boot the protected OS. system files in the TPM chip. Every time the computer is started, Windows Vista verifies In this mode it is required that the BIOS on that the files have not been the protected computer support the reading of modified in an offline attack or that the hard USB devices in the pre-OS phase. drive is tampered with.

www.insecuremag.com 12 The TPM chip

A scenario could be where an attacker boots tion is logical volume encryption. And as you an alternative operating system in order to will know: volumes can be equal to an entire gain control of the system. In case the files drive (or less than that) but also be spread out have been modified, Windows Vista alerts the over more physical drives. user and as a result TPM refuses to release the key required to proceed with the boot- Manage BitLocker in the enterprise: process and to decrypt the volume. What recovery mode happens next is that Vista goes into recovery mode thereby prompting the user to provide There can be situations where you do have to an appropriate recovery key to allow access move a hard drive from one machine to an- to the boot volume other. For example: the laptop display is dam- aged and the support organization wants to To get this all working you will need two NTFS hand out a spare machine to that affected volumes: a “system volume” that is at least user. 1.5GB in size and a “boot volume” which con- tains actually Vista itself. The system volume This can be a problem because TPM and the is used to install BitLocker and is not en- hard drive are logically connected to each crypted. If you meet the requirements, you let other on that specific machine. Fact is: the BitLocker do its work, which can take quite a encryption keys to decrypt the volume are while on larger hard drives. Once this process stored in the TPM of that particular machine. is finished the end user won’t be aware of it. How can this problem be solved? Data is encrypted on-the-fly. The official Mi- crosoft statement is that BitLocker in combi- In that case recovery mode can be used and nation with Windows Vista can only encrypt requires a recovery key that is generated the operating system volume. Using built-in when BitLocker is enabled. However: that key command-line tools, BitLocker can be used to is specific to that one machine. So for every encrypt more than just the boot volume, but single machine there will be a specific key. Oh additional volumes cannot be encrypted using no, I hear you say: how to manage that? For the GUI. However, I’ve seen an article about enterprise organizations you will need infra- the command line interface of BitLocker structure to manage and store all the specific where it is possible to affect other volumes. recovery keys - that store will be the Active You can find this article by following this link- Directory. bink.nu/Article9133.bink If you do not manage this properly there is a Microsoft announced that in Longhorn it will real potential for losing data if a computer fails be possible to encrypt multiple volumes. Take and its drive is moved to another computer notice about the fact that we are talking every and the recovery key at that time is unavail- time about volumes. BitLocker Drive Encryp- able. www.insecuremag.com 13 Accidents Windows Vista does have built-in authentica- tion support for passwords but also the use of In case a hard drive crashes it would be pos- smart cards. In fact the whole GINA of Win- sible in theory that the FVEK or Full Volume dows is reviewed and developed from scratch Encryption Key could be unavailable and at by Microsoft. Windows Vista makes it possi- that time the volume can’t be decrypted. For ble for developers to more easily add their this there is also a solution. When BitLocker own custom authentication methods to Win- seals or encrypts a key it is stored on the disk dows, such as biometrics and tokens. It also as a binary large object or “blob”. The “blob” is provides enhancements to the Kerberos the cryptographic keyhole where the decryp- authentication protocol and smart card lo- tion key will “fit in”. So it takes both the blob gons. By making it easier for developers of and the key to start decryption. There are mul- such solutions, the security professional will tiple “blobs” on the disk so if one is not avail- have more choices for biometric, smart cards, able or damaged another one will be tracked and other possibilities of strong authentication and used. Pretty nifty I think! to implement.

BitLocker and backdoors Services hardening within Vista

So a great mechanism but safe by any Hardening is a feature that means? And by any means, we really mean restricts critical Windows services from doing “by ANY means”. This is a topic that is heavily abnormal activities in the file system, registry, discussed. According to Microsoft, BitLocker network, or other resources that could be does not have a built in. So in other used to allow malware to install itself or attack words: there is no way (even for law enforce- other computers. ment or secret service) to get around the pro- tection mechanism in a predefined way so the In the past Windows services are causing a protected data is unveiled. large amount of attacks on the Windows plat- See also tinyurl.com/synxs form. This is rather easy to explain - an attacker can rely on Windows services be- So BitLocker according to my opinion is a cause it is almost always present and it is great mechanism, Microsoft did a great job predictable code and the privilege level of that and thought about it in an enterprise way. code is know by many. However, be wise and really thoroughly think about the process of implementation. Man- Windows Vista limits the number of services agement is the key word and it is really impor- that are running and operational by default. tant to consider this matter several times prior Today, many system and third-party services to roll out this solution. run in the Local System context, where any breach could wreck the machine. This in- Smartcard support or two-factor- cludes things like disk formatting, unauthor- authentication ized access to data and unintended installa- tion of software. Windows Service Hardening We all know: working with passwords is a reduces this damage potential of a compro- weak protection method in comparison with mised service by introducing new concepts. I other alternatives. Brute force attacks, dic- will briefly discuss some highlights. tionary attacks and so on, all weaknesses in working with passwords. For many organiza- On a per-service basis security identifier tions, single-factor authentication (the good (SID). This makes it possible to identify spe- old user-id and password) is not sufficient cific services and implement access control anymore. Multi-factor authentication is the by working with ACLs. Services can be tight- way to go. Something you know (a pin code), ened up by applying explicit ACLs to re- you are (fingerprint / biometrics) or carry sources which are private to the service, something with you that you own like a token which prevents other services as well and the or smart-card. It all refers to multi-factor user from accessing that specific resource. authentication. Furthermore applying a write-restricted ac- cess token to the service process. www.insecuremag.com 14 This can be used in cases Services are assigned to a network firewall where the set of objects written to by the serv- policy, which will prevent unwanted or unpre- ice is bounded. Write attempts to resources dicted network access outside the normal that then do not explicitly grant the Service bounds of the service. The firewall policy is SID access will fail. linked directly to per-service SID. It this case an attack platform from the local machine to Microsoft moved services from Local System the network is more difficult to accomplish or Context to a less privileged account such as even prevented. These restrictions are under Local Service or Network Service. This re- the firewall settings and they can be found in duces the overall privilege level of the service, the registry: which can be compared to the already dis- HKEY_LOCAL_MACHINE\SYSTEM\ControlS cussed User Account Control (UAC). And then et001\Services\SharedAccess\Parameters\Fir the removal of un-necessary Windows privi- ewallPolicy\RestrictedServices\Static\System. leges on a per-service basis. The firewall is discussed in the next section.

BESIDES THE THAT HAS CHANGED, IN WINDOWS VISTA THE WHOLE TCP/IP STACK HAS BEEN RE-WRITTEN / RE-DESIGNED.

Layered approach there are even API’s available. The new TCP/ IP-stack supports IPv6 and a dual IP layer- Security is in most cases a layered approach architecture. I advise those of you who are and Service Hardening provides a part of this interested in more to visit tinyurl.com/dkklc. concept and is just an additional layer of pro- tection for services based on the security The firewall in Vista supports rules for incom- principle of defense-in-depth. However it can- ing traffic, simply dropping all unsolicited in- not guarantee services from being compro- coming traffic that does not correspond to mised. traffic sent in response to a request of the computer (solicited traffic) or traffic that has The defense-in-depth strategy will certainly been specified as allowed (excepted traffic in make it much harder to get an easy attack a pre-defined firewall-rule). It seems a dull platform, Windows firewall, UAC, patch man- topic but is really crucial as it helps prevent agement practices and Integrity Levels will fill the infection of computers by network-level in other important layers. viruses and worms that spread most of the times through incoming traffic. So far so good Windows Vista Firewall and nothing really new.

At first, the Windows Vista firewall looks very What really is new, is the fact (in comparison similar like that of Windows XP. In fact, the with windows XP) that Vista Firewall supports user interface in Windows Vista is nearly iden- filtering for outgoing traffic or application- tical to that of Windows XP. But the real secret aware outbound filtering which gives full bi- lies underneath the surface. Most advanced directional control over traffic. setting can’t be reached via the standard GUI which is more targeted towards home-end- Since a whole bunch of business applications users by all respect. You can really ultimately may use different ports, Microsoft decided to tune the firewall settings by using Group Pol- not enable outgoing filtering by default. The icy or the firewall MMC snap-in. I’ll return on default behavior of the new that later. will then be:

Besides the firewall that has changed, in Win- • Block all incoming traffic unless it is solicited dows Vista the whole TCP/IP stack has been or it matches a configured rule. re-written / re-designed. The new architecture • Allow all outgoing traffic unless it matches a Windows Filtering Platform (WFP) did in- configured rule. crease the performance significantly and www.insecuremag.com 15 Another possibility is that the Firewall in Win- to simplify management in enterprise organi- dows Vista will allow administrators to block zations. For better configuring there is an in- applications from contacting or responding to tegration between both IPSec and the firewall. other computers in the network, like peer- It will be much easier to use, requiring less networking. The Windows Vista firewall set- effort to configure. tings are configurable by objects

Standard Firewall interface for end-users

Manage the Firewall settings dows Firewall can also be configured with an MMC snap-in named Windows Firewall with Like in Windows XP there is a GUI for con- Advanced Security. figuration of the Windows Firewall item in . This mainly is simplistic and for With the new Windows Firewall with Ad- enterprise organizations not very useful. You vanced Security snap-in, administrators can can configure basic settings for the new Win- configure settings for the new Windows Fire- dows Firewall, but you cannot configure en- wall on remote computers, which is not possi- hanced features. ble for the current Windows Firewall without a remote desktop connection. In enterprise or- For more in-depth features and setting there ganizations it is more likely that you will be are at first a whole lot of Group Policy settings using the Group Policies to manage setting in which can be reached by firing up the Group a more central way. Policy editor snap-in. Second the new Win- www.insecuremag.com 16 For command-line configuration of advanced the fact not to change these settings manu- settings of the new Windows Firewall, you can ally): use commands within the advfirewall. Firewall setting are stored in the registry on HKEY_LOCAL_MACHINE\SYSTEM\ControlS the local machine and the settings can be et001\Services\SharedAccess\Defaults\Firew found under the following key (I have to stress allPolicy\FirewallRules

Registry-based settings of the firewall

Firewall profiles tor in other to set this up and to connect the computer. The firewall of Windows Vista works with pro- files: the Private Profile for working on a home Firewall and IPSec network, the Public Profile for connecting to public networks and, last, the Domain Profile As you will know: IPsec is a protocol standard for computers that join a domain. The Network to provide cryptographic protection for IP traf- Location Awareness Service (NLA) detects fic. In Windows XP and Windows network changes and notifies the Firewall. 2003, Windows Firewall and IPsec are con- The firewall then can change a profile within figured separately. However, both the Win- 200 ms. If a user is not present in a domain, dows firewall and IPsec in Windows can block the user will be asked for the appropriate pro- or allow incoming traffic. In this case it would file: public or private. be possible to create overlapping or conflict- ing firewall rules and IPsec rules. Unfortunately Vista has at this time no way of differentiating between a public and private All these setting are now combined in the new network, so it will actually ask users whether Windows Firewall and can be configured us- they are attaching to a public or private net- ing the same GUI and command line com- work at the time that the connection is estab- mands. Another benefit is the configuration of lished. In future versions it will be possible to IPsec settings are highly simplified. Further- define a profile or there will be other available more there is a less complicated way of policy profiles. In the case you want to define a pri- configuration, improved support for load bal- vate network you must be a local administra- ancing and clustering and the possibility to use more cryptographic suites. www.insecuremag.com 17 Different profiles Vista Firewall

Network Access Protection ing the latest security updates, has old virus signatures, or otherwise fails to meet your Users who travel with their computers or have computer policy. This can be used to protect specific roles in organizations are sometimes your network from remote access clients as unable to connect to the corporate network for well as LAN clients. days or even weeks. And then after a while when they do connect, their connections I personally think that there is a lot of work to might be so short that their computers do not do to make this a more mature service. Mi- have the ability to fully download the latest crosoft’s current implementation of NAP is updates, get security configuration settings, overall not that user-friendly or very useful in and virus signatures the organization wants most larger environments. Besides that, not them to receive. all network equipment can’t be used, big ven- dors like Cisco do work in cooperation with The Network Access Protection mechanism Microsoft. improves the security around this type of us- ers and their computer by ensuring that when Vista’s Integrity Level mechanism they do connect longer or are back at the of- fice after some time, the computer is first Before going more in detail on Windows checked against a certain baseline. When the 7, I’ll have to discuss Integ- computer doesn’t meet the criteria at first the rity control. Sounds this familiar? Right. Vista latest updates are installed and then, after the includes a new feature "Windows Integrity criteria are met, users can connect to the cor- Control." This means every object that is hav- porate network. This concept is also known as ing some kind of permission can also have an network quarantining. extra label that identifies its integrity level.

Windows Vista includes an agent that can A user (subject) will be working with files and prevent a Windows Vista-based client from folders (objects) which can have integrity lev- connecting to your private network if it is miss- els.

www.insecuremag.com 18 Integrity levels are assigned within Vista to • Low S-1-16-4096 (0x1000) processes (subjects) and objects and an in- • Medium S-1-16-8192 (0x2000) tegrity policy restricts access granted by the • High S-1-16-12288 (0x3000) Discretionary Access Control (DAC) security • System S-1-16-16384 (0x4000) model. We start to work with integrity levels within windows! IE7 and integrity levels

In reality this can have the consequence that And here comes the trick: Internet Explorer 7 software with a low(er) integrity level can’t standard works in a low integrity level context. make changes to software of processes with a higher integrity level. The user however is working in a medium in- tegrity level context. If you would download a So how does this work? Integrity levels are piece of code or software from the internet defined by Security IDs (common known as there is a rule that is saying: no-write-up. The SIDs). The RID defines the actual integrity lower integrity level can’t access or misuse level. The integrity levels themselves are the process running in a higher integrity level sometimes called "Windows Integrity Levels" context (for example a process running in the or "Mandatory Integrity Levels." Right now the context of the user). following primary integrity levels exists:

Integrity level policies are associated with ge- As stated before: the default policy is “no- neric access rights and default the following write-up”. Security tokens in every process rules exists: can be assigned an integrity level and admin- istrators can change those levels between • No-Write-Up which means that a lower In- “untrusted” and “high”. Administrators can't set tegrity Level process cannot modify a higher integrity levels higher than "high" because Integrity Level object administrators itself run in the integrity context • No-Read-Up which means that a lower In- of "high" and no one can ever elevate (even tegrity Level process having generic read administrators can’t) an object's integrity level possibilities higher than their own level. You can see a • No-Execute-Up which means that a lower process’ integrity level by typing the com- Integrity Level process generic execute ac- mand: Whoami /all. There are also tools in the cess market like that of Mark Russinovich (Micro- soft Sysinternals). For more information visit tinyurl.com/y8jsyn. www.insecuremag.com 19 Conclusion In this article I didn’t discuss all security I believe Windows Vista is a huge improve- changes. Things like code integrity and driver ment over the Windows XP version concern- signing, Windows Defender (Forefront Secu- ing security (and other rich features). The de- rity) and the more that 3000 Group Policy velopment really made a good step forward items that currently provided to you for Win- from a security perspective. Windows Vista dows Vista. Some things need improvement certainly will have a major impact on your like the quarantine function and USB blocking business and more than ever needs a solid feature. Microsoft supports USB blocking on plan and think over before starting to migrate. the Vista client by group policies. In my opin- Many features presented and there is so ion not the way an enterprise organization can much that you will at first be overwhelmed by deal with this problem. all the changes made in this new OS. Reading this article will give you a glimpse of There are some topics that will need special all the radically changes and strategic plans attention like legacy applications that probably and ideas of Microsoft for the future. I hope I won’t work “out of the box” on Vista. Most of made clear that it is not a reasonable as- the times these application present “show- sumption that Microsoft didn’t do anything in cases”. If there anything goes wrong with this the past years to make Vista more reliable, or doesn’t work anymore, you like the idea of secure and stable then earlier versions of a holiday. This can really be a big issue for Windows. you and the business you’re supporting.

Rob P. Faber, CISSP, MCSE, is an infrastructure architect and senior engineer. He is currently working for an insurance company in The Netherlands with 22.000 clients. His main working area is (Windows Platform) Security, and Identity Management. You can reach him at [email protected]

www.insecuremag.com 20 In the past couple of years, we definitely saw an up trend of portable devices usage. From handhelds, to music players, these devices offer a number of top notch options, one of them being an effective device for storing data. With all the good characteristics this way of backing up or transferring data offers, we can also identify a security threat that can be derived from this process.

This is something similar to the trend of organizations banning mobile phones from some portions of their facilities. Almost every new mobile phone has a quality built-in camera, so confidential data can be easily snatched and digitalized.

With other portable devices there is a very GFI EndpointSecurity is installed and man- similar problem - technology is evolving and aged from a central location. It is actually every new device is smaller and more power- constructed out of two parts. The first one is ful. It has become very easy to bypass some GFI EndPointSecurity user console that of- default system barriers and easily move po- fers the administrator means of configuring tentially insecure pieces of software from the various policies and installing remote client device to a specific computer, or vice versa, software on to the network computers. The taking home some protected company data. client software, regarded as GFI EndPoint- Security agent, is a client side service that is Security products such as GFI's Endpoint acting upon the protection policies from the Security help in this line of work and add an main computer. Depending on the configura- extra layer of security to your organization tion it will either allow or deny the user network environment. access to the specific resource.

www.insecuremag.com 21 List of controlled devices.

The software in question provides a list con- agents and they are now ready to enforce it. taining a number of portable device types For instance: if you denied access to digital and places them in the appropriate groups. cameras, as soon as the user tries to con- nect it to her computer, the software will deny Besides the general selection of media like the request and properly log all the possible floppies, CD and DVD ROM discs, GFI End- information about the event. point has the following categories: Storage Devices (flash and memory cards, readers The whole process works upon a set of user and set of multimedia players), PDA devices, groups that GFI EndPointSecurity installs by Network adapters (Bluetooth, WLAN and in- default (there is also an advanced option of frared), Modems (mobile phones and smart- setting custom groups): phones), Digital cameras and a selection of other devices ranging from ZIP to tape • GFI_ESEC_Device_ReadOnly and drives. • GFI_ESEC_Device_FullAccess.

GFI EndPointSecurity's line of work is pretty These groups hold information on how the straightforward. I will go into more details users' computers will react to configured about all the parts of the whole process later, devices. but the process is pretty simple - you define a unique protection policy for a group of com- Bottom line, when the remote user plugs in a puters. device, in our case a digital camera, the agent identifies if the device is being moni- During the configuration steps you specify tored and than checks the Active Directory or the resources users of some groups or Local Users and Groups to verify if the user domains can or cannot access. With a click is a member of the privileged group. The of a button, that policy is updated to the client actions are directly connected with groups.

www.insecuremag.com 22 Listing of computers added to the Workgroups protection policy.

Users can be added to the group via the group users by computer types (i.e. note- product's user console or Active Directory/ books and desktops), or it will be better to Local Users management console. The struc- control them when they are described by ture of the user console is quite spartan so it departments (marketing, tech support etc). is a piece of cake to customize specific devices for controlling purposes, as well as Besides being a mechanism of control, GFI's adding users to the precise groups. product offers some versatile logging possi- bilities. When an action is triggered, the The most important part of the configuration agent logs to a local event log, as well as to process is setting up the protection policies. the SQL Server if the administrator enabled By default, GFI EndPointSecurity offers three this option. The SQL logs can be read and policies: Servers, Workgroups and Laptops. exported in a number of ways, and the event These are, of course, just samples and it is logs can be inspected with different tools, the simple to rename them or create your own. easiest of course being the .

I would recommend customizing this listing to The logging is working just fine, even in the the maximum, because when you start occasion when a client computer is a note- grouping your computers in these policies book and it periodically gets disconnected you will need to think about optimization. As from the network. All the device access pro- every designated policy has its own set of tection procedures will still be active and all rules, you need to plan on wether you will the events will be saved into a buffer.

www.insecuremag.com 23 Protection policy properties with default users.

As soon as the computer connects to its graphical IT-level, technical and management "mother" network, the event data will be reports based on the portable devices usage collected and stored. This is a nice touch, as events recorded by GFI EndPointSecurity. It it makes the integrity of a centralized logging also enables administrators to pull together place intact. “Top 20” reports that cover the 20 users, machines, devices and applications which I'll mention one more thing - in mid 2006, GFI peaked connection activity. This addition is released a ReportPack add-on, a full-fledged free for all registered users of GFI EndPoint- reporting companion to GFI EndPointSecu- Security. rity. It allows administrators to generate

Default protection policies. www.insecuremag.com 24 More than two years ago, GFI had seen a worked like a charm. As you can see from need for security solution that would take this article, the software concept is pretty care of portable devices. Released under straight forward and every decent Windows their LanGuard product line, Portable Stor- administrator shouldn't have any problems in age Control started with blocking unwanted deploying the solution. USB connections. In the mean time, the software was totally re-done and re-branded Bottom line is that the software proved to be as GFI EndPointSecurity. fast, stable and quite efficient. If you need to manage user access to the external devices I tested this software in a couple of scenarios from the computers in your network, you (mainly networks with XP should definitely check GFI Endpoint. Professional SP1 and SP2 computers) and it

Tim Wilson is a long time system and network administrator and currently is employed by a Information Secu- rity consultancy based in California. Besides enjoying his computer hours, Tim enjoys travelling with his family and playing clarinet for a local jazz band.

www.insecuremag.com 25 Linux Administration Handbook, 2nd Edition by Evi Nemeth, Garth Snyder, Trent . Hein Prentice Hall, ISBN: 0131480049

The first edition of the this , released about five years ago was one of the definitive resources for every Linux system. Now, the authors have systematically updated this classic guide to address today’s most important Linux distributions and most powerful new administrative tools. Here you can find best practices for storage management, network design and administration, web hosting, software configuration management, performance analysis and much more. System administrators should especially appreciate the up-to-date discussions of such difficult topics such as DNS, LDAP, security, and the management of IT service organizations.

Design for Trustworthy Software: Tools, Techniques, and Methodology of Developing Robust Software by Bijay K. Jayaswal, Peter C. Patton. Prentice Hall, ISBN: 0131872508

This book presents an integrated technology, Design for Trustworthy Software (DFTS), to address software quality issues upstream such that the goal of software quality becomes that of preventing bugs in implementation rather than finding and eliminating them during and after implementation.

“Design for Trustworthy Software” can be used to impart organization-wide learning including training for DFTS Black Belts and Master Black Belts. It helps you gain rapid mastery, so you can deploy DFTS Technology quickly and successfully. www.insecuremag.com 26 Step into Xcode: Mac OS X Development by Fritz Anderson Addison Wesley Professional, ISBN: 0321334221

Xcode is a powerful development suite that Apple uses to build applications ranging from Safari to iTunes. But because Xcode is complex and subtle, even experienced Mac programmers rarely take full advantage of it. Mac developer Fritz Anderson has written the definitive introduction and guide to using Xcode to build applications with any Macintosh technology or language.

The book should help you master Xcode’s powerful text editor, industry- standard gcc compiler, graphical interactive debugger, mature UI layout and object linkage editor, and exceptional optimization tools. One step at a time, you’ll develop a command-line utility, then use Xcode tools to evolve it into a full-fledged Cocoa application.

Ubuntu Unleashed by Andrew Hudson, Paul Hudson Sams, ISBN: 0672329093

The book aims to provide the best and latest information that intermediate to advanced Linux users need to know about installation, configuration, system administration, server operations, and of course security. Written by renowned open source authors, it includes detailed information on hot topics such as wireless networks, and programming in PHP, Perl and others. It thoroughly covers all of Ubuntu’s software packages, including up- to-date material on new applications, Web development, peripherals, and programming languages.

It also includes updated discussion of the architecture of the Linux kernel 2.6, USB, KDE, GNOME, Broadband access issues, routing, gateways, firewalls, disk tuning, security, and more.

Cisco Network Admission Control, Volume I: NAC Framework Architecture and Design by Denise Helfrich, Lou Ronnau, Jason Frazier, Paul Forbes Cisco Press, ISBN: 158705-2415

Cisco Network Admission Control, Volume I, describes the NAC architecture and provides an in-depth technical description for each of the solution components. This book also provides design guidelines for enforcing network admission policies and describes how to handle NAC agentless hosts. As a technical primer, this book introduces you to the NAC Framework solution components and addresses the architecture behind NAC and the protocols that it follows so you can gain a complete understanding of its operation. Sample worksheets help you gather and organize requirements for designing a NAC solution.

www.insecuremag.com 27 Mr. Gibson is the Chief Security Advisor for Microsoft in the UK. This role comes on the heels of his retirement from a 20-year career as a Supervisory Special Agent with the Federal Bureau of Investigation. During this period, Gibson was a recognized expert in investigating complex, international money laundering schemes, asset identification and confiscation, and intellectual property theft. From early 2000 - mid 2005, Mr. Gibson was as- signed to the FBI’s Legal Attache office, US Embassy London, as an Assis- tant Legal Attaché. There, he was responsible for all FBI cyber, hi-tech, cyber- terrorism, and infrastructure investigations in the UK. His leadership resulted in the creation of a model cyber program adopted by all Legal Attache offices around the world.

What has been your biggest challenge in live in the bricks and mortar world are some- the role of Chief Security Advisor for Mi- times largely ineffective in the cyber world. crosoft? Has your background expertise The Internet is global, and criminals are not helped shape your role in the company? bound by jurisdiction, political relations, or other restrictions due to anonymity and ability Most people only know of ‘criminality’ on the to hide in plain sight. Internet through anecdotal reports. Until someone is personally affected by identify Yes, my background has been a key driver in theft, social engineering, auction fraud, or shaping my role in the company. I know other type fraudulent e-commerce activity, it criminals, how they behave and the tools they is something for someone else to deal with. use, particularly in internationally complex This should not be a surprise, as this is gen- cyber criminality. As the single point of con- erally how people behave in the bricks and tact for all UK law enforcement and security mortar world. However, the rules by which we services at the US Embassy London in www.insecuremag.com 28 relation to cyber investigations and laws re- industry, manufacturing, finance, and gov- lated thereto, I had many opportunities to ernment to name a few. Knowing what I do work with a variety of agencies in a number about the kinds of attacks against its applica- of countries. And each success was due to tions, operating systems, and processes, by an understanding of the different cultures, ruthless organized crime groups and people laws, and priorities. This understanding was using every conceivable method to steal, bolstered by having been a lawyer in the US compromise, extort, blackmail, or otherwise prior to my appointment as a Special Agent, make life miserable for their own personal FBI, and qualification as a Solicitor in Eng- gain, we all can be mighty proud of the ex- land / Wales, and the truly exceptional law traordinary efforts Microsoft has and contin- enforcement and government representa- ues to put into making all computer users tives, without whom success would have more safe on the Internet. But remember, been hard fought. With this background, I am criminal attacks against systems is an better able and proud to represent Microsoft Industry-wide problem, which is why Micro- UK in my role as Chief Security Advisor. soft is working with industry partners, gov- ernment, and educational institutions to help Windows Vista has just been released and ensure understanding of the problems and Microsoft has already announced the develop better solutions. Vista Service Pack 1. Some see this as a sign that Microsoft knowingly released the It's important to remember that no software is OS with security problems while others 100% secure. We’re working to keep the believe it to be a step forward in security number of security vulnerabilities that ship in awareness and applaud Microsoft for our products to a minimum. Trustworthy starting work on a collection of patches Computing is a long-term initiative and those this early. What's your take on this situa- changes do not happen overnight. We’ve tion? made progress and our efforts are resulting in significant improvements in the security of Microsoft’s operating systems / platforms, our software. We have every confidence that applications, and processes are used by mil- - together with our industry partners - we'll lions of people in nearly every country on this continue to meet the constantly evolving chal- planet. It’s software products are used in lenge of security to help our customers and mission critical devices and processes (in the the industry become more secure. UK, the NHS is a prime example), defence

IT'S IMPORTANT TO REMEMBER THAT NO SOFTWARE IS 100% SECURE.

Did Microsoft use a different approach to attack surface area, which in turn improves testing security while developing Win- system and application integrity and helps dows Vista? organizations more securely manage and iso- late their networks. The release of Windows Vista is the first Mi- crosoft operating system to use the Security Too often software is developed by bolting Development Lifecycle (SDL) from start to security technology onto an application and finish and was tested more prior to shipping declaring it secure. The SDL was developed than any previous version of Windows. to provide a step-by-step process integrating secure development into the entire software Building on the significant security advances lifecycle from start to finish. We have already in Windows XP Service Pack 2, Windows seen the benefits of this process as it was Vista includes fundamental architectural first used for Windows Server 2003 and re- changes that will help make customers more sulted in a 56% decrease in the number of secure from evolving threats, including security bulletins, compared to Windows worms, viruses, and malware. These im- Server 2000. provements minimize the operating system’s www.insecuremag.com 29 By having the most deployed OS in the ahead of the cyber criminal. So for example, world, Microsoft is always under the mi- as I’ve already mentioned, our Security De- croscope and has to tackle a myriad of velopment Lifecycle is used to ensure rigor- security challenges. What are the ones ous testing of software code in products such that you expect to cause problems in the as Windows Vista. In addition, our MSN Hot- near future and what strategies does Mi- mail service blocks 3.4 billion spam mes- crosoft use to fight them? sages per day.

As I always say, it’s about people, process Finally, at Microsoft, we’re committed to pro- and technology and at Microsoft our security viding guidance to help businesses and con- strategy is very much aligned to these three sumers act and secure their digital lives. In areas. The threat landscape is continually the UK alone, according to recent figures evolving and challenges appear in the form of from APACS (the UK payments association), malware, inappropriate security policies and online banking fraud alone cost £22.5m in the regulatory environment. Our security ef- 2006. Therefore we are deeply engaged in forts are therefore focussed on the area of customer education programs such as our partnerships, innovation and prescriptive partnership with GSOL. In fact, a big part of guidance. Microsoft is working in partnership my role is to liaise between customers and with Government and industry groups to our internal development teams, finding out thwart security threats. So for example, in the what the problems are and seeing how they UK, we are an active member of the Gov- can be resolved. My number one message is ernment backed Get Safe Online program, that prevention is the best defense! You don’t which aims to educate consumers and busi- need to wait to protect yourself today. There nesses on the importance of security. are numerous resources available (both from Microsoft and across the industry) to help We are continually developing our products protect against the growing severity of infor- to protect computer users and stay one step mation security threats.

WE ARE CONFIDENT THAT VISTA IS THE MOST SECURE AND THOROUGHLY TESTED VERSION OF WINDOWS WE HAVE EVER PRODUCED.

When discussing Windows Vista, Micro- scape. Microsoft cannot do this alone, and soft is emphasizing that it is the most se- we will continue to partner and collaborate cure Windows ever. Do you believe you'll with industry, government and academia to be able to stand behind that in a year or better protect customers and adapt to evolv- two? What makes you so certain of Vista's ing security threats. security features? After all, we live in a world of constant evolving threats. Does In the past, Microsoft's security head- 'more secure' = 'secure'? aches were coming from full disclosure lists where researchers publicly disclosed As mentioned previously, whilst no software vulnerabilities in Microsoft products with- is 100% secure, we are confident that Vista is out reporting them to the company. Today, the most secure and thoroughly tested ver- the threat landscape is changing with 0- sion of Windows we have ever produced. Our day vulnerabilities in Windows Vista being customers expect and deserve a computing sold to the highest bidder and not re- experience that is safe, private and reliable. ported at all. How does Microsoft deal Trustworthy Computing has fundamentally with this problem? changed the way we develop and help our customers manage Microsoft software and Due in part to recent reports of security vul- services. Threats to security and privacy con- nerabilities in a wide range of software, secu- stantly evolve and the holistic nature of rity is a growing concern for more and more Trustworthy Computing highlights Microsoft’s computer users every day. commitment to facing this changing land- www.insecuremag.com 30 The industry is responding in part by seeking There are many factors that impact the length new opportunities to improve the way that of time between the discovery of a vulnerabil- security information is gathered and shared ity and the release of a security update. to protect customers while not aiding attack- ers. Every vulnerability presents its own unique challenges. We’ve been clear that bulletins Microsoft is aware of iDefense offering com- can be released out-of-cycle, if necessary, to pensation for information regarding security help protect customers if a level of aware- vulnerabilities. Microsoft does not offer com- ness and malicious activity puts customers at pensation for information regarding security risk in any way. In this case, the level of vulnerabilities and does not encourage that awareness and malicious activity around a practice. Our policy is to credit security re- vulnerability may prompt Microsoft to move to searchers who report vulnerabilities to us in a a release schedule that would deliver a fix as responsible manner. soon as one could be built and thoroughly tested. Since its inception, Microsoft Patch Tues- days have been successful. Yet, many Creating security updates that effectively fix critical vulnerabilities are announced vulnerabilities is an extensive process involv- shortly after the batch of monthly patches. ing a series of sequential steps. When a po- Shouldn't there be more frequent patch tential vulnerability is reported, designated releases? product specific security experts investigate the scope and impact of a threat on the af- We investigate each security vulnerability re- fected product. Once they know the extent port thoroughly to determine its impact to our and the severity of the vulnerability, they work customers. In combination with that investiga- to develop an update for every supported tion we also take a look at our engineering version affected. Once the update is built, it processes to help determine how we can must be tested with the different operating best deliver a quality update to our customers systems and applications it affects, then lo- within the consistent time frame that our cus- calized for many markets and languages tomers have requested, which is currently on across the globe. In some instances, multiple a monthly cycle. vendors are affected by the same or similar issue, which requires a coordinated release.

CREATING SECURITY UPDATES THAT EFFECTIVELY FIX VULNERABILITIES IS AN EXTEN- SIVE PROCESS INVOLVING A SERIES OF SEQUENTIAL STEPS.

Internet Explorer has been hit by a variety viruses) and that isolate the potential impact of vulnerabilities in the past and many of contamination. patches have been released. Now that IE 7 In the interest of helping to better protect our out, does Microsoft plan a better security customers, we delivered Windows XP SP2 in strategy for the most used browser? 2004, which included a major security up- grade to Internet Explorer. Building on that Security is an industry wide issue and al- release, Internet Explorer 7 has been redes- though there is no one solution, our approach igned and includes new security features to to security spans across both technological help protect end users against and and social aspects. phishing attacks. A variety of new security enhancements have been added to provide In technology, we’re focused on designing end users with a host of new capabilities to software that is resilient in the presence of make everyday tasks even easier, including malicious code threats (such as worms and dynamic security protection to help keep them safe online.

www.insecuremag.com 31 This is the PandaLabs list of the spyware most frequently detected by Panda ActiveScan in 2006.

The top ranking spyware is Gator. This ad- In sixth place in the table is Lop, a type of ware offers free use of an application if users with many variants. In most cases, agree to view a series of pop-up messages this malicious code installs a toolbar with downloaded by Gator. Some versions of this search features in Internet Explorer. It also spyware replace banners on web pages vis- displays numerous advertising pop-ups. Wi- ited with those created by the malicious code nantivirus, in seventh place, is categorized as itself. a PUP, (Potentially Unwanted Program). It is downloaded onto computers by other mali- Second and third place in the Top Ten are cious code, such as, Downloader.LHW and occupied by Wupd and Ncase respectively. exploits application vulnerabilities in order to Both offer free use of an application in ex- spread. Winantivirus is also capable of dam- change for displaying advertising messages. aging users’ systems. They also monitor users’ Internet movements and gather data about habits and prefer- CWS.Searchpmeup is in eighth place in the ences. This information is then used to per- list. This malicious program changes the sonalize the advertising displayed. Addition- Internet Explorer home page and the default ally, Ncase changes the Internet Explorer search options. The web page that it sets as home page, as well as the default search op- the home page uses several exploits to tions. download malware onto computers. Next in the ranking is Winfixer2005, a PUP that The adware CWS is in fourth place. This can searches the computer for supposed ‘errors’ be installed without users’ consent or without and then demands that users buy the pro- them being fully aware of the functionality of gram in order to repair them. Finally, in tenth the tool. Emediacodec, in fifth place in the place comes New.net, a spy program that Top Ten, has similar characteristics. It uses a adds a toolbar to Internet Explorer and col- series of techniques in order to prevent it be- lects information about the user, including ing detected by antivirus companies. It can Internet pages visited, etc. even its own execution if it detects that it is being executed in a virtual machine The information gathered by PandaLabs environment, such as VMWare. about spyware in 2006 highlights the preva- lence -seven of the Top Ten- of adware.

www.insecuremag.com 32 Position Spyware

1 Adware/Gator

2 Adware/WUpd

3 Adware/nCase

4 Adware/CWS

5 Adware/emediacodec

6 Adware/Lop

7 Application/Winantivirus2006

8 Adware/CWS.Searchmeup

9 Application/Winfixer2005

10 Spyware/New.net

This type of malware has grown continuously the ranking, not only detect real errors or at- throughout the year and is expected to con- tacks but also claim to have detected mal- tinue doing so in 2007. Similarly, in 2006 ware which actually does not exist. Winfix- there has been an increase in and er2005, in ninth place, is another example of other malware that use similar techniques. A malicious code that promises to repair non- is a tool used to hide the processes of existent errors. malicious codes, making them harder to de- tect. False codecs are variants of this type of malware. EmediaCodec, in fifth place in the Another significant aspect of the last year Top Ten, is a good example of this type of has been the appearance of a new category malicious code. The way this malware oper- of malware. Rogue antispyware claims to de- ates is quite simple. While the user is viewing tect spyware or to repair errors. This increas- the Internet, they are offered certain videos, ingly prevalent malware detects flaws or ma- normally pornographic. In order to see them, licious code on computers but then demands they have to install a false codec which that users pay for a registered version of the downloads adware. Normally these are not program if they want to delete these threats. real codecs, but passwords that register in WinAntivirus2006, in seventh place in the Top the system and have to be installed in order Ten, is a good example of this new category. to see the videos. Some of them, such as SpySheriff, 23rd in

www.insecuremag.com 33 Let us face it, modern e-mail communication relying on SMTP is fundamen- tally broken - there is no sender authentication. There are lot of countermea- sures in form of filtering and add-on authentication, but neither of them are proved to be 100% successful (that is 100% hit ratio with 0% of false posi- tives). Spammers always find new ways of confusing filters with random noise, bad grammar, hidden HTML code, padding, bitmap-rendered mes- sages etc. World is becoming an overloaded and unusable mailbox of spam. I will nevertheless try to cover some of the spam problems and possible solu- tions, but bare in mind that all of these are just no more than a temporary fix.

Product spam, financial spam, frauds, scams, world's total spam is around 85 billion mes- phishing, health spam, Internet spam, adult sages per day (obviously this number is rather spam, political spam, you-name-it spam. De- approximate) - and it is exponentially increas- spite Bill Gates' brave promise in 2004 (“Two ing. We all know how much it is going to cost years from now, spam will be solved”) e-mail (quick spam calculator: tinyurl.com/y84je6). spam has significantly increased worldwide in the last two years in both volume and size, Spammers have undoubtedly adapted and making over 70% of total e-mail traffic. Ac- evolved: up to now they used a single IP cording to the First MAAWG Global Spam setup for delivering their unwanted e-mail, Report (tinyurl.com/y8o9y9) from Q1 2006, usually hopping from one dialup to another. around 80% of incoming e-mail was detected They have used open proxies, open mail re- as abusive. A bit later in Q3 2006 various lays and other similar easy-to-track sources. Internet service providers in the world have Unfortunately, it has changed - current spam- reported an alarming increase of unsolicited ming methods now include huge networks e-mail in a very short period due to the range (called ) of -computers used for of new techniques involved. At the distributed spam delivery and Denial of Serv- end of 2006 an estimated number of the ice attacks. www.insecuremag.com 34 Various new viruses and worms are targeting paign as open war declaration and wiped user computers, making them eventually into them off from the face of the Internet within a huge spam clusters. Not only Microsoft Win- single day. Lessons have been learned: the dows PCs are hacked, more and more Unix spammers are to be taken seriously and it and Linux servers are affected too. And it is seems they cannot be dealt by a single uni- not for the fame and the glory, but to enable form blow nor with a single anti-spam pro- crackers to install and run scripts for the re- vider. mote controlled spamming. In the meantime, nobody knows how many spambots are cur- What can we do about spam? There are nu- rently harvesting the Web in search of new e- merous commercial solutions against unsolic- mail addresses, their new victims. There is ited e-mail (SurfControl, Websense, Bright- nothing sophisticated in their attacks, only mail, IronPort, etc.) and some of them are brute force and numbers. Spammers earn a rather expensive. Depending on the available living by making and delivering spam and they budget, requirements and resources at hand, do it darn well. an Open Source solution could be substan- tially cheaper and possibly equally effective as Reality check, 123 the commercial counterpart. There is a whole range of readily available Open Source solu- Due to the troublesome nature of the Internet tions for each of the popular anti-spam tech- today, the spammers and the script kiddies niques for e-mail receivers. Some of them are can easily put an anti-spam provider out of a in the core of the even most advanced com- job by simply DDoSing them to death (and mercial solutions. As most of the readers doing a lot of collateral damage) - and exactly probably know, anti-spam solutions are most it happened to Blue Security effective when different methods are com- (tinyurl.com/rl2d7) with their successful but bined together, forming several layers of quite controversial Blue Frog service. A per- analysis and filtering. Let us name a few of son known as PharmaMaster took their cam- the most popular...

VARIOUS NEW VIRUSES AND WORMS ARE TARGETING USER COMPUTERS, MAKING THEM EVENTUALLY INTO HUGE SPAM CLUSTERS.

Blacklisting recognized are Spamhaus and SpamCop, for instance. Almost all FLOSS (Free/Libre/Open- DNS blacklisting is a simple and cheap way of Source Software) SMTP daemons have full filtering the remote MTA (Mail Transfer Agent) RBL support and so does Postfix, Exim, peers. For every remote peer the SMTP serv- Sendmail, etc. For the SMTP services which ice will reverse its IP and check the forward do not support DNSBL out of the box it is pos- ("A") record in the BL domain of DNSBL sys- sible to use DNSBL tests in SpamAssassin, tem. The advantage of the method is in its low but that usually means no session-time processing overhead: checking is usually checking. Another variant which Spfilter uses done in the initial SMTP session and unsolic- is to store a several DNSBL exports in the ited e-mail never hits the incoming queue. form of local blacklists for faster processing. Due to the spam-zombie attacks coming from Of course, such a database needs to be syn- the hundreds of thousands of fresh IP address chronized manually from time to time, pref- every day, this method is today significantly erably on a daily basis. less effective today than it used to be and no more than 40% of total inbound spam can be Greylisting filtered using this method. There are a lot of free DNSBL services in world, but it is proba- The greylisting method (tinyurl.com/y8y4oe) is bly best to use well known and reliable pro- a recent but fairly popular method which viders (and there are even subscription-based slightly delays an e-mail delivery from any un- DNSBL services) which do not enlist half of known SMTP peer. A server with the greylist- the Internet overnight. Some of most widely ing enabled tracks the triplets of the

www.insecuremag.com 35 information for every e-mail received: the IP delivery since they interpret the temporary address of every MTA peer, the envelope SMTP failure as a permanent error. Secondly, sender address and the envelope recipient the impact of the initial greylisting of all new e- address. When a new e-mail has been re- mail is substantial for an any company that ceived, the triplet gets extracted and com- treats e-mail communication as the realtime- pared with a local greylisting database. For alike service, since all of the initial e-mail cor- every yet unseen triplet the MTA will reject the respondence will be delayed at least 300 sec- remote peer with a temporary SMTP failure onds or more, depending on the SMTP retry error and log it into a local database. Accord- configuration of the remote MTA peers. Fi- ing to the SMTP RFC, every legitimate SMTP nally, the greylisting does not do any good to peer should try to reconnect after a while and the big SMTP providers which have large try to redeliver the failed messages. This pools of mail exchangers (ie. more than /24). method usually requires minimum time to configure and has rather low resource re- The problems can be fixed by whitelisting quirements. As a side benefit it rate-limits the manually each and every of domains or net- incoming SMTP flow from the unknown work blocks affected. Regarding the software sources, lowering the cumulative load on the which does the greylisting almost every Open SMTP server. Source MTA has several greylisting imple- mentations available: Emserver, Postgrey, There are still some mis-configured SMTP Milter-greylist, etc. servers which actually do not retry the

Sender verify callout usually consists of several subtypes, so let us state a few. Static filtering is a type which trig- SMTP callback verification or the sender ver- gers e-mail rejection on special patterns ify callout is a simple way of checking whether ("bad" words and phrases, regular expres- the sender address found in the envelope is a sions, blacklisted URI, "evil" numbers and really deliverable address or not. Unfortu- similar) typically found in the e-mail headers nately, verification probes are usually blocked or a body of an e-mail itself. False positives by the remote ISP if they happen too often. are quite possible with this method, so this Further, a remote MTA does not have to reject type is best used in conjunction with policy- the unknown destinations (ie. Qmail MTA based systems (often named as heuristic fil- usually responds with "252 send some mail, ters) such as SpamAssassin and Policyd- i’ll try my best"). To conclude: it is best to do weight. Such filters use the weighted results verification per known spammer source do- of several tests, typically hundreds of, to cal- mains which can be easily extracted from re- culate a total score and decide if the e-mail is sults of the other methods (such as the con- a spam or a ham. In this way, a failure in a tent analysis). The sender verification is sup- single test does not necessarily decide the ported in most FLOSS MTA: Postfix, Exim, fate of an e-mail. At least several tests have to Sendmail (via milter plugin), etc. indicate a found spam content to accumulate the spam score enough for an e-mail to be Content analysis flagged as a spam, so this results in a more reliable system. Of course, weighted/scoring The content-based filtering is probably the type of a filter can contain all of the other filter core of most anti-spam filters available. It types for its scoring methods. www.insecuremag.com 36 The next type of the content analysis is the Checksum-based filtering statistical filtering which mostly uses the naive Bayesian classifer for the frequency analysis A small but significant amount of unsolicited of word occurrences in an e-mail. Such filter- e-mail is the same for every recipient. A ing, depending on an implementation, re- checksum-based filter strips all usual varying quires the initial training on an already pre- parts of an e-mail and calculates a checksum sorted content and some retraining (albeit in from the leftovers. Such a checksum is then much smaller scale) later on to obtain a compared to a collaborative or distributed da- maximum efficiency. The Bayesian filtering is tabase of the all known spam checksums. Un- surprisingly efficient and robust in all real life fortunately, spammers usually insert various examples. It is implemented in the very popu- poisoning content (already mentioned hash- lar SpamAssassin and DSPAM solutions, as busters) unique to an every e-mail. It causes well as Bogofilter, SpamBayes, POPFile and the checksums to change and an e-mail is not even in user e-mail clients such as Mozilla recognized as known spam any more. Two of Thunderbird. Some implementations such as the most popular services for this typeare Dis- SpamAssassin use an output of other spam tributed Checksum Clearinghouse and Vipul's filtering methods for a retraining which gradu- Razor which both have their own software ally improves the hit/miss ratio. Most of the and they are both supported in third-party implementations (DSPAM, SpamAssassin) spam-filtering software such as SpamAssas- have a Web interface which allows a per-user sin. view of the quarantined e-mail as well as the per e-mail retraining. It improves the quality of E-mail Authentication either the global dictionary (a database of learned tokens) or the individual per user dic- Finally, we are left with several methods of the tionaries. DSPAM, for an instance, supports a authentication that basically try to ensure the whole range of additional features such as: identity of a remote sender via some kind of combining of extracted tokens together to ob- an automated process. The identification tain a better accuracy, tunable classifiers, the makes it possible to reject all of the e-mail initial training sedation, the automatic white- from the known spam sources, to negatively listing, etc. score or even to deny an e-mail with the iden- tified sender forgeries and to whitelist an e- Another popular solution is CRM114 which is mail which is valid and comes from the known a superior classification system featuring 6 reputable domains. This method should mini- different classificators. It uses Sparse Binary mize the possibility of the false positives be- Polynomial Hashing with Bayesian Chain cause a valid e-mail should get higher positive Rule evaluation with full Bayesian matching scores (used for the policy filter) right from the and Markov weighting. CRM114 is both the start or even completely bypass the spam fil- classifier and a language. DSPAM and ters - which can be made more sensitive in CRM114 are currently the two most popular return. There are several similar autentication and most advanced solutions in this field, and mechanisms available: SPF (Sender Policy they are easily plugged into most SMTP serv- Framework), CSV (Certified Server Valida- ices. tion), SenderID and DomainKeys. They are mostly available as third-party plugins for Note that plain Bayesian filters can be fooled most popular OSS MTA, usually in the form of with quite common Bayesian White Noise at- Perl scripts available at CPAN. Unfortunately, tacks which usually look like random nonsen- neither of them is a solution recognized widely sical words (also known as a hashbuster) in a enough to be used in an every SMTP service form of a simple poem. Such words are ran- in the world. domly chosen by a spammer mailer software to reflect a personal e-mail correspondence DomainKeys and enhanced DKIM (Do- and therefore thwart the classifier. Most of the mainKeys Identified Mail) protocol use a digi- modern content analysis filters do detect such tal signature to authenticate the domain name attacks - and so does SpamAssassin and of sender as well as content of a message. By DSPAM. using a sender domain name and the re- ceived headers, a receiving MTA can obtain www.insecuremag.com 37 the public key of a such domain through sim- PASS) from a SPF policy. The problem is that ple DNS queries and validate the signature of SPF breaks e-mail forwarding to the other the received message. A success proves that valid e-mail accounts if the domain adminis- the e-mail has not been tampered with as well trator decides to use SPF FAIL policy (hard as that the sender domain has not been fail), although in the future SRS (Sender Re- forged. writing Scheme) could eventually help it.

SPF comes in form of the DNS TXT entries in SenderID is a crossover between SPF and each SPF-enabled Internet domain. These Caller ID with some serious standardization records can be used to authorize any e-mail issues and does not work well with mailing in transit from a such domain. SPF records lists (necessary Sender or Resent-Sender publish the policy of how to handle the e-mail headers). CSV is about verifying the SMTP forgeries or the successful validation as well HELO identity of the remote MTA by using as the list of possible e-mail originating ad- simple DNS queries to check if the domain in dresses. If none of those match the sender question is permitted to have a remote IP from address in received e-mail, the e-mail is the current SMTP session and if it has got a probably forged and the receiver can decide good reputation in a reputable Accreditation on the future of such e-mail depending on Service. SPF qualifiers (SOFTFAIL, FAIL, NEUTRAL,

Dinko Korunic is currently employed as a Senior Unix/Linux Security Specialist at InfoMAR (www.infomar.hr). He has previously worked with Croatian Academic and Research Network (CARNet) and University Comput- ing Centre (SRCE) as Unix forensics specialist and a technical advisor. For the last decade, he has written and held numerous lectures on advanced Linux and Unix topics. He has been a Unix (AIX, Irix, SunOS/Solaris, Linux, OSF1/Tru64, Ultrix, *BSD) system administrator and a Unix system programmer. In his spare time he writes Linux-related articles for local IT-specialist magazine Mrez@. Dinko can be reached at [email protected].

www.insecuremag.com 38 WINDOWS - Cain & Abel http://www.net-security.org/software.php?id=110

Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using dictionary and brute-force attacks, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

LINUX - Nagios http://www.net-security.org/software.php?id=279

Nagios is a host and service monitor designed to inform you of network problems before your cli- ents, end-users or managers do.

MAC OS X - Pastor http://www.net-security.org/software.php?id=617

Pastor is a tool to store all your passwords, website logins, program serial numbers, etc. RC4- encrypted and password-protected.

POCKET PC - SignWise Pro http://www.net-security.org/software.php?id=543

SignWise use personal hand-written signature to authenticate. Signatures are much more secure than passwords or PINs in that they cannot be lost, forgotten, or shoulder-surfed, and are difficult to forge.

If you want your software title included in the HNS Software Database e-mail us at [email protected] www.insecuremag.com 39 This article analyzes the main changes in Office 2007 that concern docu- ments and users’ private data protection.

New file format used for data storage. Apart from binary files, XML file format has a lot of auxiliary informa- The format change does strike the eye. For tion that is why all XML files are packed by instance, Word 2007 files have the extension ZIP archiver. “DOCX” instead of traditional “DOC”. The most files in the previous Office versions were Unfortunately, hyperlinks to XML-schemes are OLE-containers consisting of several streams not available yet. Let us hope that Microsoft with binary data. will fix it soon. In the example the file format is quite readable and understandable. At least At the end of 90s binary formats of Word and we can see here the language, the text itself, Excel were documented and available for and page parameters. In documentation you MSDN subscribers. However, Microsoft has can find descriptions of other tags. closed these formats after a new release of Office 2000 and up to Office 2003 they were Office 2007 is compatible with its previous unavailable even for Microsoft partners. It versions. If you try to open a new format file in prevented all developers from writing their Office 2003 you will be prompted to download own software applications compatible with Of- a converter from Microsoft web-site and hav- fice documents. ing in-stalled it on you computer you can eas- ily work with new format files. Additionally, you However, after Office 2007 had been released have an option to save files in a new format. the situation changed drastically. A new file format, Office Open XML, is completely open Office 2007 files protection: Word, Excel, and documented. Documentation format is PowerPoint available and everybody can download it from the Microsoft website. Microsoft followed the Whereas Office regular file format is simple path of a well-known project OpenOffice and clear, the format of protected files is not which file format is also open and XML is that easy. www.insecuremag.com 40 Here you can see a file “document.xml” which is “the body” of Word document:

Test Word file…

A file protected with a password is an OLE- quickly. Now this operation needs 50000 container which includes encryption informa- SHA-1 sequential iterations. You would never tion, encrypted stream itself and some auxil- notice it when opening a file because the iary information. The encryption information whole process requires less than a second. block is the same as in Office XP/2003. It in- However, when we start password search, the cludes the name of cryptoprovider, hash and speed drops significantly. Initially estimated encryption algorithms, key length, as well as the speed will be approximately 500 pass- data for password verification and document words per second even on such cutting-edge decryption. Though previous Office versions processors as Intel Core 2 Duo. Thus, using allowed change cryptoprovider and key one computer it is possible to find 4-5 letter length, Office 2007 has fixed encryption pa- passwords. There are considerable changes rameters, as follows: AES encryption with 128 in the verification algorithm of “read-only” bit key, SHA-1 hashing. The cryptoprovider password, document protection password, «Microsoft Enhanced RSA and AES Crypto- book and sheet password in Excel. Previously graphic Provider» supports encryption and the 16 bit hash was stored in the document. hashing functions. Thus, it was possible to reverse it into any suitable password. Now the hashing algorithm However, in comparison with Office 2003 the is determined by record in XML-file where the new version has a new algorithm of convert- number of hash iterations is defined as well. ing passwords into keys. In previous Office versions each password was hashed with an On the following page you can see that 50000 accidental byte set that was unique for every SHA-1 hash iterations and the password re- document (salt). This operation needed only covery process will take very long time. two SHA-1 iterations and was performed very www.insecuremag.com 41 An example of “read-only” password record in Word 2007:

However, we still can change or delete this in its new version. It took Microsoft 10 years password. We can either calculate the new (from the moment when Office 97 was re- password hash, or simply delete this tag from leased) to create a good data protection sys- XML-file. Document protection passwords are tem. “File open” passwords are really strong stored in the same way, as well as passwords and you will need a long time to retrieve them. for Excel books and sheets. Nevertheless, you still should have strong passwords. Unfortunately, the human factor Other Microsoft Office applications has always been and will be the weakest point in any security. Even strong security sys- Microsoft Access security system has under- tem in Office 2007 will hardly help you, if your gone some radical modifications. Earlier a “file password is “John”, “love” or “sex”. A pass- opening” password was stored in the file word like that will be instantly retrieved header and could be easily extracted. Now in through the dictionary attack. Access 2007 encryption goes in the same way as in Word/Excel. So it is quite problem- One computer is definitely not enough to atic to retrieve a password at once. Recover- recover strong passwords for Office 2007. ing password by “brute-force” attack will take However, there are applications that can unite long time. The user- and group-level protec- any number computers into a cluster in order tion has been removed from Access from to search passwords. 1000 computers are version 2007. PST-file security in Microsoft able to maintain the speed at 500,000 pass- Outlook remained the same. 32-bit password words per second. So, we can recover rela- hash (CRC32) is stored in the file and the tively strong passwords provided all corporate password can be easily recovered. computers are joined together into a cluster. But first and foremost one should carry out Office 2007 password security and pass- dictionary attack. A strong security policy is word recovery strategies meant only for “file opening” passwords. All other passwords are still easy to retrieve, First of all I would like to point out that Office change, or reset. documents security is considerably enhanced

Andrey Malyshev is the CTO of ElcomSoft (www.elcomsoft.com). ElcomSoft's award-winning password file protection retrieval software uses powerful algorithms, which are constantly under development.

www.insecuremag.com 42 We regularly conduct research into Wi-Fi networks and protocols in order to gain a picture of the current state of affairs and to highlight current security issues. We focus on Wi-Fi access points and mobile devices which support Bluetooth. This latest piece of research was conducted in Paris, partly in the city itself, and partly at InfoSecurity 2006, which was held in the French capital at the end of November 2006.

It was very interesting to compare the data La Defense, the business district of Paris, collected with similar data from InfoSecurity where InfoSecurity was being held, and other which was held in London in spring of this locations in Paris. We collected data on ap- year. It was also instructive to compare data proximately 1000 access points. We did not on the security of Wi-Fi networks in the busi- attempt to intercept or decrypt any data ness districts of these two world capitals. transmitted via wireless networks. We de- tected more than 400 Wi-Fi access points at As part of this research, we also planned to La Defense/ InfoSecurity, and more than 500 collect data about Bluetooth enabled mobile in other regions of Paris. This was the largest devices at InfoSecurity itself, in the Paris number of access points which we’ve ever Metro, and on the streets of the city. Until now, detected. London, where we conducted simi- we haven’t managed to catch a single worm lar research in April, comes in second place. for mobiles devices (Cabir or Comwar) in a However, we weren't able to collect separate major city, but we were hopeful about our data for InfoSecurity, as the trade fair was be- chances in France - after all, it was the birth- ing conducted within the Parisian business place of Cabir, the first mobile worm. district itself.

Wi-Fi networks Transmission speed

We conducted our research between the 22nd As the graphs show, the data which we col- and 25th of November 2006. We investigated lected in two different locations is practically www.insecuremag.com 43 identical. Networks which transmit data at a China, Germany, and London, where they speed of 54MB are the most common, with comprised up to 6% of the total). the figure varying between 77% (La Defense) to more than 85% (Paris), giving an average We can therefore conclude that Wi-Fi net- of almost 82%. At CeBIT 2006 these networks works are more evolved in Paris in compari- comprised a little over half (51%) whereas the son to networks in the other cities where we analogous figures for China and London were have conducted research. The most surpris- a mere 36% and 68% respectively. ing is the significant difference between the Parisian data and the data from London, a city This clearly indicates that there is far more we had previously considered to be setting networking equipment utilizing newer versions something of a benchmark. of 802.11 used in Paris than in London. It's difficult to believe that this difference of more Network equipment manufacturers than 15% is caused simply by the rapid evolu- tion of Parisian networks in the six months The data we collected on network equipment since we published our figures from London. manufacturers in Paris differed significantly from data we collected in other locations. We The second most common network speed is have therefore decided to analyze each data 11MB, with between 14% and 21% of all net- set individually. works transmitting at this speed, and an aver- age figure of 17.70%. More than 58% of all In total, equipment from 28 different manufac- networks in China transmitted at this speed, turers was detected. with 47% at CeBIT and 28.5% in London. At La Defense, equipment from 19 different The number of networks transmitting data at manufacturers was detected. Five manufac- speeds between 22MB and 48MB did not ex- turers were found to be the most widespread, ceed 1% in any area of Paris. This was sig- and equipment from these sources was de- nificantly less than the number detected in ployed in more than 12% of networks de- tected in the business region of Paris.

Manufacturers Percentage

Symbol 2,99%

Trapeze 2,99%

Airespace 2,14%

Cisco 2,14%

Aruba 1,92%

www.insecuremag.com 44 Equipment produced by the other 14 manu- Equipment from 21 manufacturers were de- facturers was used in less than 8% of all net- tected in networks other regions of Paris. Of works. Unfortunately, it was impossible to es- these, the equipment of 5 manufacturers was tablish the manufacturer in more than 80% of the most common, and used in more than cases (Fake, unknown, user defined). This 10% of the networks detected. figure is far higher than that for CeBIT (66%) and London (61%).

Manufacturers Percentage

Senao 4,17%

Delta (Netgear) 2,18%

Gemtek 1,59%

USI (Proxim Orinoco) 1,59%

US Robotics 1,19%

Equipment from the remaining 16 manufac- clear advantage in London. Equipment from turers was used in less than 6% of networks. Cisco was detected in Paris, as was equip- In 83% of cases, the equipment manufacturer ment produced by Aruba, which was the third couldn't be established (fake, unknown, user- most common type of equipment in London. defined), which is lower than the figures from Overall, it should be stressed that the market other cities, and close to the figure for La De- share of equipment manufacturers not only fense. differs strongly from country to country, but also from region to region within a single city. As the data shows, the equipment used in each location varies in terms of manufacturer. The aggregate data for the top five equipment The figures for Symbol and Trapeze at La De- manufacturers in the two locations is as de- fense, and the high amount of equipment pro- picted in the table below. duced by Senao in other locations are the most striking figures when the Paris data is In 82% of all cases, the equipment manufac- compared to London, with Cisco having a turer could not be established.

Manufacturers Percentage

Senao 4,17%

Trapeze 2,18%

Symbol 1,59%

Delta (Netgear) 1,59%

Linksys (GST) 1,19%

Traffic encryption around the world show that approximately 70% of all networks do not encrypt traffic in Probably the most significant figure is the ratio any way. In Peking, we obtained a figure of of protected to unprotected access points. less than 60%, at CeBIT approximately 55%, Older data collected by war drivers in cities and in London 50% of networks which did not www.insecuremag.com 45 use encryption. Our research in Paris was de- First of all, let's look at the data collected dur- signed to find out whether unencrypted net- ing InfoSecurity together with the data col- works were still more common than encrypted lected around La Defense: ones, and whether London was the only ’digi- tal fortress’.

La Defense / InfoSecurity

Only 37% of networks did not use any type of first encountered in London is general prac- encryption! This is a stunning figure, which is tice, and shows that system administrators slightly better than the figure for London's Ca- are well aware of the issue. nary Wharf. The two regions are very similar: a great many international banks, oil and in- Part of this data is naturally made up of ac- surance companies, news agencies etc. could cess points at InfoSecurity. As we have previ- be targeted by hackers on the hunt for infor- ously mentioned, such access points are usu- mation of commercial value. ally configured in a hurry, often incorrectly, and they can easily be targeted by hackers. This is the lowest figure that we have come The security of the networks detected at across so far. If we take into account that fact InfoSecurity London was worse than the se- that some of the access points which make up curity of networks in the rest of the city. It's this 37% are public access points which are quite possible that this was also the case in located at the La Defense shopping centers, it Paris, as 37% was by far from the most sur- seems to reinforce our assumption that the prising figure which we encountered. high number of secure networks which we

Other regions of Paris www.insecuremag.com 46 The figures for other regions of Paris turned access points belonging to home users also our preconceptions of secure wireless net- implement encryption. works upside. A figure of 22% isn’t only al- most twice as good as the data we collected Undoubtedly, one of the reasons for these fig- in the ‘protected’ business district, but it’s the ures is that wireless networks in Paris are bet- lowest percentage of unprotected networks ter developed than in other cities, as is shown that we’ve ever encountered in the course of by their use of newer protocols and the speed our research. The general belief that approxi- of data transmission. Just as in London, we mately 70% of networks are unprotected was should highlight the high level of computer lit- in part borne out by China (59%), Moscow eracy and awareness of Wi-Fi security issues (68%) and London (50%) but brought down among users. The data from Paris shows that by the data from Paris. And not just by data the era of unprotected wireless networks is from the business district, where one would gradually drawing to a close. expect networks to be secure, but standard

Combined data for Paris

While the data collected in other regions of was 89% to 11%, at CeBIT 2006 58% to 42% London slightly detracted from the high fig- and in London 95% to 5%. ures collected at Canary Wharf, in Paris the opposite was true. The high figures were We expected to find a high number of Peer weakened by the public access points and the networks at InfoSecurity Paris (in London, ap- access points established by InfoSecurity par- proximately 50% of the networks were of this ticipants, bringing the average number of un- type.) This is because they are constructed protected networks down. In spite of this, within the framework of an exhibition (a tem- however, we returned a figure of less than porary space) and use multiple connections 30%! Paris is therefore awarded our unofficial between computers without network cables. victor's palm for the city with the best pro- The high number of Peer networks found at tected wireless networks, overtaking London La Defense might also be due to the fact that (49%) and establishing a new qualitative wireless devices, such as printers, for in- benchmark. Paris is the city with the fastest stance, are becoming more and more popular and best protected Wi-Fi. in offices. The data collected shows that more than 20% of access points both at the trade Types of network access fair and in office buildings are of the Peer type, and such networks are used exclusively Wi-Fi networks are either made up of ESS/AP to connect devices to each other. access points or via Peer/AdHoc computer-to- computer connections. Data shows that ap- Figures from the other regions of Paris give a proximately 90% of wireless networks are ratio of approximately 9 to 1. The results are composed of ESS/AP access points. In China, closer to those from Peking than those from the ratio of ESS/AP to Peer/AdHoc networks London. www.insecuremag.com 47 Types of Network Access

Default configuration more than 300 used default SSID. London gave us a figure of slightly higher than 3% in Networks with default configuration are the the city itself, and approximately 1.5% at Ca- juiciest morsel for hackers of wireless net- nary Wharf. works. As a rule, Default SSID means that the adminstrator of the access point has not One of the best ways of protecting a network changed the name of the router. This may against war driving is to disable broadband also be an indirect indicator of the fact that the spreading of the network identifier (SSID). administrator account is still using the default Let’s take a look at the networks we detected password. from this point of view.

The Internet is full of information about which The figures from La Defense are far better in default passwords are used by different types terms of Default SSID than the figures from of network equipment, and if a hacker knows Canary Wharf. Less than 0.5% is praisewor- the origin of the equipment, s/he will be able thy. to take complete control over such a network. More than 8% of the networks in Peking re- SSID was disabled in almost 33% of net- tained their default configuration, which is a works, almost the same as the figure for Lon- worryingly high figure. The situation at CeBIT don, with the French having a slight edge. was better - only two access points out of

SSID Broadcast — La Defense

www.insecuremag.com 48 Taking into account the fact that we already ures from La Defense (to be expected) but know that wireless networks are highly still better than the 3.68% detected in London. evolved in Paris, the figures from other re- The only area in which the English led the gions of the city were not surprising. French was in terms of disabled SSID broad- cast. In Paris, this was found in less than 26% Default SSID was detected in 1.39% of net- of networks, in comparison to London’s 32%. works, which was slightly lower than the fig-

SSID Broadcast — Other regions of Paris

Network components Around La Defense and at InfoSecurity 207 networks were detected. These networks con- This section includes statistics on the number tained more than 400 access points. of network access points in individual net- works. Of course, a network has one or more As the data shows, the vast majority of net- access points but how many access points is works (more than 84%) only have one access common? point. Just as in London, networks with 4 ac- cess points were fewer in number than those made up of 2, 3, or 10 access points.

La Defense

On the other hand, there were some very access points. Many access points could not large networks found, including two which had be included in this data as SSID Broadcast 10 and 11 access points respectively. How- has been disabled in the networks which they ever, there were no networks composed of 7 were a part of (more than 150 access points). www.insecuremag.com 49 The 84% of networks composed of a single networks composed of a single access point) access point is a figure very similar to the was comparable to the data for Paris overall. 82% from Canary Wharf. We were interested to see if the data for London overall (51% of

Other regions of Paris

And this is where we were surprised. Nearly Wireless devices such as printers, scanners, 95% of the 292 networks (made up of more etc are becoming more and more widespread, than 500 access points) had only a single ac- making it easier to create office networks. cess point. Was this due to home users, or to This is clearly shown by the gradually increas- connections from small business? Whatever ing number of Peer networks. the reason, it was all the more surprising in light of the high level of encryption used in Finally, it’s not possible to identifiy a clear these networks, which we mentioned earlier. leader among the manufacturers of Wi-Fi equipment. Every country has its own prefer- As for record breaking numbers, we found ences. three networks with 14, 16 and 18 access points respectively. These were undoubtedly Overall, it should be stressed that our re- public access neworks. Overall, 292 networks search over the past two years shows that the were found, not including the more than 100 number of networks which use some time of access points where SSID was disabled. encryption (WEP or WAP) is steadily increas- ing. In fact, one could say that the situation Conclusions had changed radically over the past two years - from 70% of networks in Moscow and 60% The data gained from our Paris wardriving in Peking to 30% in Paris. This is surely not leads us to draw the following conclusions: due to socio-economic factors. It’s a clear global trend, which shows that both users and • The vast majority of networks transmit data system administrators have recognized secu- at a speed of 54MB a second. rity on open networks as being a serious is- • There is an unprecedentedly high use of sue. The life of wardrivers is going to become encryption in Parisian networks in comparison more difficult as it becomes more difficult to with networks in other cities around the world. hack networks in order to steal data or simply • Much of the data from the business regions to gain access to the Internet. of Paris coincides with data collected from similar regions of London. Bluetooth • The majority of networks only have one ac- cess point, which results from the widespread The most widespread method of transmitting use of wireless networks among home users. data by WiFi is currently the Bluetooth proto- col. Almost all modern mobile phones have a www.insecuremag.com 50 wireless module which enables the exchange The research was conducted both within the of data with similar devices, also making it InfoSecurity Paris exhibition hall, and around possible to use the ‘hands free’ function. Blue- La Defense, the business district of Paris. Al- tooth is an integral part of smartphones, PDAs though fewer Bluetooth devices were de- and some laptops. tected than at InfoSecurity London, neverthe- less, at least 30 - 40 devices could be de- In the spring of 2006 at InfoSecurity in London tected at any one time within a 100 metre ra- we conducted our first research into Blue- dius. tooth. We detected more than 2000 Bluetooth enabled devices in “visible to all” mode. We We also collected Bluetooth data while col- decided to conduct similar research in Paris in lecting data about WiFi networks in other re- order to gain comparative data which might gions of Paris. The areas investigated in- support our conclusions. This report includes cluded the Paris Metro, the Gare du Nord (a the data we gathered, and compares it to the major railway station), and areas with a high data from London. We detected more than concentration of tourists. 1300 Bluetooth enabled devices in “visible to all” mode; although this is fewer than the Types of device 2000+ detected in London, we believe that this data is nonetheless representative. Let’s take a look at what Bluetooth devices we detected: We used Blue Soleil, Blue Auditor and BT Scanner to collect data.

The graph clearly shows that the vast majority The second most popular type of device (if we of devices are normal mobile phones. They exclude Unknown devices) is smartphones. make up approximately 60% of the total, They make up approximately 14% of all de- which is 10% less than the figure for London. vices detected, which is significantly less than This is a fairly significant difference. This the 25% found in London. This is surprising, might be due to the fact that approximately as France definitely is among the countries 14% of the devices couldn’t be identified cor- with the most smartphones in the world, and rectly, which could account for the difference. is one of the most developed markets for such Standard mobile phones do not have a fully devices. However, the statistics speak for functional operating system, and they are only themselves. theoretically vulnerable to viruses, e.g. mali- cious programs written in Java for Mobile. In third place, with almost 5% were standard cordless phones of the type often used in of- However, all of these telephones are vulner- fices. This figure is higher than that for Lon- able due to Bluetooth protocol issues which don, and laptops with Bluetooth were in third we’ve written about before. place in London, making up approximately 3% of all devices found. www.insecuremag.com 51 The figures for Paris are of a similar level - Equipment manufacturers more than 2%. We should stress that although this isn’t a high number, the risk of hacker at- This figure is very significant: we can use data tacks on such devices is greater than the risk about equipment manufacturers to establish of attacks on a standard handset or smart- what operating system is being used (in the phone. This is because the data saved on a case of smartphones/ PDAs) or get data laptop is far more extensive and attractive to about an individual manufacturer's market hackers than data stored on a telephone. share.

In terms of other devices, the number of Overall, we detected equipment from 39 dif- PDAs (Palm sized PC PDA and Handheld PC ferent manufacturers (in contrast to the 35 PDA) detected was less than 2%. This is iden- which we detected in London.) 6 manufactur- tical to the figure from the UK, which we see ers appeared to be the most popular, with as confirmation of the fact that users of such their devices making up more than 38% of all devices are very aware of Bluetooth security devices detected. issues and take the appropriate precautions. Unfortunately, in approximately 50% of cases, All in all, we detected more than 1300 devices we were unable to establish the equipment of 15 different types. The number of Uncate- manufacturer. This is a surprising figure, as in gorised and Miscellaneous devices was less London the percentage of such devices was than 1.5%, although we still classified this as only slightly over 25%. Could it somehow be a type of device. The single blot on our statis- connected with grey market telephones? tics was the 14% of Unknown devices.

Equipment manufacturers - Paris

www.insecuremag.com 52 Manufacturers Percentage

Noname 50,18%

Sony Ericsson Mobile Communications AB 9,69%

Nokia Danmark A/S 9,33%

TECOM Co., Ltd. 6,25%

Samsung Electronics Co., Ltd. 5,74%

Texas Instruments 4,59%

Inventel Systemes 3,16%

Other 11,06%

The data above shows that in Paris there is Texas Instruments is in a similar position, per- no clear market leader among equipment haps explained by the limited prevalence of manufacturers; this is in contrast to London, Motorola telephones. Interestingly, well known where Nokia manufactured more than 30% of manufacturers such as USI and Murata aren't devices detected. In Paris, Sony Ericsson is in among the list of leaders, having been first place with 9.69% of the devices detected, squeezed out by Tecom and Inventel. How- but Nokia is not far behind. However, the fig- ever, they do come just below the top six most ures from London were very different, as popular manufacturers, together with LG and these two companies had almost half of the Sharp. As we’ve mentioned in the past what entire market share. The figure for Samsung, type of equipment different manufacturers on the other hand, is very similar in both cit- produce, the following data may be of com- ies: 5.74% in Paris and 4.52% in London. parative interest:

Brand Phone/Smartphone Phone/Mobile

Nokia 30% 70%

Sony Ericsson 12,5% 87,5%

Brand Phone/Mobile Phone/Cordless Other

Samsung 56,8% 40,7% 2,5%

Brand Phone/Smartphone Phone/Mobile PDA

Texas Instruments 56,8% 40,7% 2,5%

Accessible services allowed a friend's device to connect to yours in order to exchange data, you are also mak- The data on accessible services is of great ing it possible for your friend's device to make interest to us as it illustrates the opportunities calls from , send SMSs, read your both for hackers to attack handsets and for address book etc. And of course, it could be a viruses to spread. When a device establishes hacker in place of your friend, a hacker who a Bluetooth connection with another device, it has used social engineering or a Bluetooth makes it possible for the second device to use vulnerability to gain access to your device. some of its services. For example, if you've The data we collected on accessible services www.insecuremag.com 53 gives us a picture of what services could be • Telephony (making calls, sending mes- accessed by remote malicious users. Let’s sages). This is used in more than 91% of de- start by taking a look at the data for all serv- vices. ices. We detected approximately 3800 serv- • Networking (provides Internet access and ices on over 1300 devices, distributed as the ability to use an inbuilt modem). This is seen above. Given the ratio of 3800 to ap- used in more than 66% of devices. proximately 1300, this means that each de- vice had, on average, around 3 accessible These figures are practically identical to the services. Some devices had 5 or 6 accessible data we collected in London, with the differ- services. As the graph shows, three services ence in all three cases being less than 1.5%. were the most common: As we are primarily interested in smart- phones, which are among the most vulnerable • Object Transfer (sending/ receiving files). Bluetooth devices, it's worth taking a look at This is used in more than 95% of devices. the data relating to them separately. As the graph below shows, the ratio of devices: serv- ices is approximately 1: 2.

There’s a slight difference between the figures of slightly more than 10%. The data from our for smartphones and the data for other de- research supports our previous conclusions: vices. With more than 93%, Object Transfer although some users of Bluetooth devices are remains the most widespread accessible aware of the risks posed by cyber threats, service, followed by Telephony with 91%, and user education is still needed. Networking in third place, with the low figure

Alexander Gostev is the Senior Virus Analyst at Kaspersky Lab, a leading developer of secure content man- agement solutions that protect against viruses, Trojans, worms, spyware, hacker attacks and spam. www.insecuremag.com 54

Black Hat DC Briefings & Trainings 2007 26 February-1 March 2007 – Sheraton Crystal City http://www.blackhat.com

The 14th Annual Network & Distributed System Security Symposium 28 February-2 March 2007 – Catamaran Resort Hotel, San Diego, CA, USA http://www.isoc.org/isoc/conferences/ndss/07/

InfoSec World Conference & Expo 2007 19 March-21 March 2007 – Rosen Shingle Creek Resort, Orlando, FL, USA http://www.misti.com/infosecworld2007

WebSec Conference 2007 26 March-30 March 2007 – London, UK http://www.mistieurope.com/websec

Black Hat Europe 2007 27 March-30 March 2007 – Amsterdam, Netherlands http://www.blackhat.com

Business Continuity – the Risk Management Expo 2007 28 March-29 March 2007 – Excel, The Docklands, London http://www.businesscontinuityexpo.co.uk

ARES Conference 2007 10 April-13 April 2007 – University of Technology, Wien, Austria http://www.ares-conference.eu/conf/

If you want your event included in the HNS e-mail us at [email protected] www.insecuremag.com 56 Joanna Rutkowska has been involved in computer security research for sev- eral years. She has been fascinated by the internals of operating systems since she was in primary school and started learning x86 assembler on MS- DOS. Soon after she switched to Linux world, got involved with some system and kernel programming, focusing on exploit development for both Linux and Windows x86 systems. A couple of years ago she has gotten very inter- ested in stealth technology as used by malware and attackers to hide their malicious actions after a successful break-in. This includes various types of rootkits, network backdoors and covert channels.

How did you get interested in Windows Control feature which will hopefully force peo- security? ple to work from restricted accounts. UAC is still far from perfect - e.g. it's pretty annoying When I started to play with Windows internals, that every single application installer (even if it I already had a background with Linux user- is Tetris) asks for administrative credentials mode exploitation and kernel programming. and the user has no real choice to continue Move to Windows was a natural evolution and the installation *without* agreeing on that. was mostly dictated by my curiosity. However, I see UAC as an important step to- wards implementing the least-privilege princi- What's your general take on the security ple in Windows. aspects of Windows Vista? Is it much more secure than Windows XP as Micro- Also, Microsoft introduced some anti- soft is telling us? exploitation technologies, like e.g. ASLR and invested a lot of money and time into improv- Indeed, Vista introduced lots of security im- ing the quality of the code behind the operat- provements comparing to XP. The most im- ing system and the applications. portant one is probably the User Account www.insecuremag.com 57 The introduction of BitLocker technology lieve this mechanism to be effective in stop- which makes use of the Trusted Platform ping kernel malware. Also, the much dis- Module (TPM) to assure the integrity of the cussed (AKA Patch booting processes seems like an important Guard), should not be though of as an effec- improvement. Of course, this should not be tive protection against kernel compromises, though of as a silver bullet solution against as it's relatively easy to bypass by the mal- rootkits and all other malware. ware authors. Still, I see those two mecha- nism as useful when it comes to system com- In the 64-bit version of Vista, Microsoft also promise *detection* (in contrast to prevention) introduced the requirement that all kernel - at least when it comes to type I malware. drivers must be digitally signed, but I don't be-

When we look at the quality of the advisories published these days, I have the feeling that people are looking for cheap publicity.

In your opinion, what is the biggest mis- Naturally, from time to time we see a very in- take Microsoft has made when it comes to teresting bug report, sometimes presenting a security in 2006? new class of bugs or a new method of exploi- tation. It's hard to overestimate the value of I don't really see any particular, spectacular such reports for the security community, so if mistake made my Microsoft in 2006 but there the author decided to release those informa- are some things which I don't fully agree with, tion for free, I guess we all should only be like e.g. the design of Integrity Level mecha- grateful to the author. nism which prevents only against writes not reads or issues regarding kernel protection or What is your opinion about Microsoft the fact that they concentrate only on preven- Patch Tuesdays? Shouldn't there be more tion (like most other OS vendors) and haven't frequent patch releases? done anything to make systematic compro- mise detection feasible. I guess these are just I guess there should be, but I can also under- different points of view and I would not call stand that releasing a patch is a complicated any of them a 'big mistake'. business process, because it requires lots of testing, etc. I also realize that even if we had What do you think about the full disclosure patches released on a daily basis, that still of vulnerabilities? would not be a sufficient solution, as attackers might still exploit some unknown vulnerability. I'm quite neutral about this. On one hand, I think that it should be every customer's right Thus, I think it's much more important that the to point out flaws in the products they buy and OS itself provided various anti-exploitation I really don't see why those who find bugs technologies and also be designed to limit the should be *obliged* to first report it to the damage of the potential successful exploita- vendor - i.e. why should they be forced to do tion (least privilege design, strict privilege a free Q&A with the vendor? separations, etc). And it's clear that Microsoft is going this way, although there's still room On the other hand, when we look at the qual- for improvement in this area. ity of the advisories published these days, where most of the bugs reported are just What is the most interesting fact you've some denial of services, I have the feeling become aware of while researching for that people are looking for cheap publicity. It's your recent papers? quite understandable that companies which are victims of those "audits" might feel a bit It's hard to point to just one fact. Usually the pissed off. most amazing thing is that something you though of before (e.g. some attack) actually

www.insecuremag.com 58 does work after you implemented the proof-of- despite the new protection mechanism and concept code. That's always very amazing for also demonstrated that recent hardware virtu- me. alization technology can be used to create a new class of stealth malware - something I What's your take on the open source vs. call type III malware (e.g. "Blue Pill"). And just closed source security debate? recently I found that hardware based memory acquisition as used for forensics, believed to I don't like when people say that something is be absolutely reliable, because it uses so secure just because it's open source and in- called "Direct Memory Access" to read mem- herently insecure, just because it's a commer- ory, can be cheated in some cases. cial, closed source product. Unfortunately I haven't seen any serious effort Although it should be admitted that a lot of in the security world to address most of those security technologies have been introduced in threats. We still don't have any effective way the open source systems for the first time, like to combat type II malware. Network intrusion e.g. ASLR which has been invented by PaX detection systems and firewalls are years be- about 6 years ago. hind when it comes to detecting or preventing any more advanced covert channels. We still What are your future plans? Any exciting don't have any good solution to prevent or de- new projects? tect hardware virtualization based malware...

I think that I would like to focus more on the I would like to work more on the defense side defense side now. In the past two years I now - I believe that we should convince OS have worked on several offensive techniques, vendors (and also CPU vendors) to make sys- starting from passive, very hard to detect cov- tems verifiable - so that we could come up ert channels ("Nushu"), then I presented with *systematic* ways to check whether the "Stealth by Design", type II malware, then I system is infected by any of type I, II or III showed that Vista kernel can be subverted malware.

www.insecuremag.com 59 “So you want to be a rock & roll star? Then listen now to what I say. Just get an electric guitar Then take some time And learn how to play.” The Byrds - So You Want to Be A Rock & Roll Star.

So, you want to be a security star, huh? Well, reading this magazine is a good start. But the reason that they have asked me to write this article is to tell you about all of the things that you need to do past that. Reading a few articles on SSH and security in Web 2.0 isn’t enough to make you into a security super- star than listening to a few records will make you a rock & roll star. As the song lyric says, you have to learn how to play. That’s what this article is go- ing to be about. But first, a question: Why do you want to be in security?

That’s a tough one to answer, sometimes. take for the money or the coolness. I have met Maybe you saw a movie like Hackers, War many people who started in security for one of Games or Firewall (though I really hope it’s those two reasons, and very few of them have not the last one). Or you went to Defcon or actually managed to make a career out of the HOPE and think it’s cool to be one of those security field. people. Or perhaps you read the recent salary surveys that put CISSPs at the top end of the The most important question that you need to salary scale. answer: why do I want to be a security engi- neer? Because, as the old self-help slogan If it’s any of those, you’re in trouble. Because goes, “if your ‘why’ is strong enough, you’ll security isn’t a career path that you should find the ‘how’”. www.insecuremag.com 60 While the rest of this article is going to be fascinating. I have met hundreds of informa- about the “how” of becoming a super-star se- tion security professionals over the years, and curity engineer, I can’t emphasize this enough: almost all of them have a story like that, me spend some time figuring out what it is about included. security that calls to you over all of the other cool things you could be doing with your life. The good news is that, by the sheer fact that you’re reading this article, you probably have The Prerequisites that interest. That’s the first step up the infor- mation security career mountain. So, let’s One of the things that makes being a security look at the path up the side of that big hill. engineer so interesting is that security applies to all of the different technology areas. Thus, The Security Career Mountain in developing a real career in security, there are very few areas of technology that you The career path of a security professional is won’t be required to know and understand at a quite varied. One of the great things about in- significant level. If you meet some of the best formation security is that your career can be security professionals, you’ll quickly realize incredibly tailored to your own experience and that they unix like a unix admin, Cisco routers your own desires. But there is also a general like a CCNP, Oracle like a DBA and C++ like a progression that most careers take - I’ll de- software engineer. And they can keep up in a scribe that general path and some of the im- conversation with any of those people. portant steps along the way.

Because of the well-rounded skill-set required, The diagram on the following page is a gen- becoming a great security professional is in- eral representation of the mountain that is a credibly challenging, but also incredibly re- security career. You’ll start at the bottom, usu- warding. You will spend the rest of your life ally in another field (as I mentioned above). learning, because any time a new technology comes out, you’ll be required to learn about it. Entering the security career track, you’re gen- As an example, one of the best engineers I erally going to start out as a one-dimensional know has spent the past couple of months security engineer, who brings your skills from learning the ins and outs of MySpace on a another discipline and your love of security deep technical level. together to be a security expert in your chosen field. This is where you’ll find job titles like Because of the incredibly varied skill-set re- “web application security engineer” or “unix quired, most of the best security professionals security administrator”. don’t start out their career “in security”. They usually come to security from another spe- From there, you’ll spend a year or two gaining cialization - system administration, software the all-around experience required to really be development, data networking or telco. Using a security professional. And that’s where you myself as an example, I started as a system have to make the hard choice: do you want to and network administrator, helping companies be a technical security expert or a manager? keep their servers, desktops and routers up (As I’ll talk more about, this is somewhat a and running. But I was always interested in false choice, but it’s useful for the purpose of security: it was the thing that I studied in my simplicity here). Your decision there will de- spare time. And I was always most interested termine your career path for much of your ca- in figuring out how to protect (and break in to) reer: you’ll be focused on honing either the the systems that I was building and maintain- skills of an incredibly technical security expert, ing. or of an information security manager. And you’ll get the jobs that go along with that. It’s that interest in security that is common to every long-term security professional that I And finally, you’ll get to the snow-capped peak have met. Talk to anyone who has had secu- of the security career mountain... and you’ll rity as a large part of their career, and they’ll have to read on to find out what’s at such a likely tell you about their time as a young lofty summit. But, first, let’s talk in more detail technologist where they found either the about each of the camps along the mountain. “breaking” or “protecting” aspects of security www.insecuremag.com 61 Base Camp - The One Dimensional Secu- able to smell risks, threats and vulnerabilities rity Engineer in the air around you.

You just decided to climb the security career This is the point in your career where you mountain, and you arrived at the first camp. need to start focusing on that. Look at all of The air down here is still very much as it was the skills that you have, and start tying in the while you were working your other career path core concepts of security thinking into your as an admin, a coder, or engineer. In fact, daily tasks. your title is probably very much the same: you’ve probably just put the word “Security” in The other thing you need to do is simple: Be a the title somewhere. sponge. This is the time in your security ca- reer where you need to learn about being a Success at this step involves taking the inter- security professional absorbing what security est that we talked about before and combining professionals know, and what they’re all it with the skills that you already have: your about. So, what you want to do during this job at this level of your career is to learn to time in your life is to spend as much time as think like a security professional, even if you you can reading books and blogs, attending aren’t one. This generally means that you’re conferences and local meetings, listening to going to start learning (on an intuitive level) podcasts (like mine at episteme.ca) being ac- about the three main concepts in security: tive on mailing lists and online forums. In vulnerability, threat, and risk. I’m not going to short, get to know everyone in security, learn go into those definitions here, but, suffice it to what they know, and learn how to start doing say that, as a security pro, you’ll get to know what they do. those definitions on an experiential level. If you’re already a security pro, you know what I In other words, learn what a well-rounded se- mean: as you move up the mountain, you’ll be curity professional knows. www.insecuremag.com 62 Camp 2 - All-around Security Engineer No, you don’t have to become a writer or pre- sent at next year’s BlackHat Briefings. The This is the point at which you’ve finally estab- key here is to start to differentiate yourself as lished your skills. You can now expound at a security pro. Answer these questions, and length the difference between a cross-site you’ll start to understand: How am I different scripting vulnerability and a buffer overflow, as a security professional than the guy in the the different types of authentication factors cube next to me? Or than the guy who sat be- and their strengths and weaknesses, and how hind me during my CISSP exam? What to assess risk in an organization. And you can makes me unique as a security professional? do it while you’re thinking about something else. You probably have (or have thought As an example, for me it has been my interest about or decided consciously not to get) a and focus on personal development. While I’m CISSP. And you didn’t have to take one of a security professional at heart, my ability to those “boot camps” to get one - you got it on work with people to help them be better at the knowledge that you already had. what they do is something that not every se- curity professional has. This is what lead Mike While your learning shouldn’t stop, it probably Rothman to dub me “Mr. Security Career” - will become more subtle. You’ll stop finding this is what makes me different. As you reach the real key stuff in books and focus more on this stage in your career, what you need to do conference papers, blogs and magazines (like is to figure out what it is that makes you differ- this one) because that’s where the real “new” ent. Because, while you’re continuing to round stuff is. This is where some people can get out your technical and security skills, it’s the bored and stagnant, but that feeling is just the answer to the “what makes you different” beginning. Because it’s now time to start questions that will ultimately lead you to the generating content of your own. career that you want. Which leads you to the moment where you need to choose a path up the mountain...

As you reach this stage in your career, what you need to do is to figure out what it is that makes you different.

Camp 3 - The Fork in the Road professional) is incredibly intense. I once asked a security super-star that I worked with At this point in your career, it’s time to make a why he accepted the management job that he choice: will you head towards becoming a was in when he clearly wanted to spend his technical guru, or a high-powered security ex- time working on the technology. His answer ecutive? Because it’s nearly impossible to do was telling: “It’s just what you do, I guess.” He both at once. (We’ll come back to that later). spent most of his days miserable dealing with Your choice at this point depends on who you staff issues, until he finally quit and went back really want to be in your life - what I would call to working as a senior-level security consult- your “calling”. Who are you? Are you a person ant doing high-level penetration tests and se- who comes up with neat technical solutions? curity engineering. And he has never been Or someone who builds, leads and inspires happier. teams of people who come up with neat tech- nical solutions? When you dream of the per- The key here is to know which path is most fect day at work, which do you see yourself right for you. While you can change your mind doing? later, it’s probably pretty evident if you look at your temperament and skill-set. Not every- This isn’t the easiest point for most people, body wants to spend their life with technology, because it’s often hard to make a choice. Es- just as not everyone wants to manage. You pecially if you’re going to choose to become a probably have a good idea which one you great technical resource, because the pres- want. (And if you don’t, email me and I’ll help sure to go into management (especially if you figure it out). you’re a high-performing all-around security www.insecuremag.com 63 Load up on Oxygen Bottles the year after? What’s the scalability of the system - what happens if we grow from 1000 The air from here on up gets a little rarified, users to 10,000 users? and it’s going to get harder and harder to breathe unless you load up on the equipment Camp 5 - The Management Path that will allow you to survive higher and higher up the career mountain. Those skills can be The management path is a path that has been summed up in two words: business acumen. covered by a huge number of books and magazines out there. I’m not going to spend a And it doesn’t matter which path you choose lot of time on this path, except to give a quick to take: both require an understanding of overview. If you’re trying to move forward in business at the same level. This doesn’t mean the management path, your skills are going to that as a technical expert that you need to go need to be about business and people. This is off and get an MBA. But it does mean that the point in your career where you may want you’re going to need to understand how busi- to start thinking about an MBA (or at least nesses make decisions about spending time, learning the skills of an MBA), learning to play money and other resources to solve problems. golf, and focusing on how to manage and lead And how things actually get done. security professionals.

As an example: it’s a relatively naive security If you’re thinking about taking this path, you professional who makes the assertion: we should check out Mike Rothman’s “Pragmatic should work to eliminate every security hole in CSO” book - it will give you incredible insight the organization. While that may be true from into the skills and thoughts that are required to a technical perspective, and even from a risk- succeed on this path up the security career focused perspective, it’s not at all true from a mountain. business perspective. It’s your understanding of business decision-making, processes and The View from the Summit culture that will let you operate higher and higher up the security career mountain. I told you that we’d talk about the “snow- capped peak” of the mountain - this is it. Camp 4 - Navigating The Technical Path Summating the mountain is the point at which you transcend the path of “manager” or “tech- So, you took the technical path up the moun- nologist” - this is the point in your career at tain. You’re going to be called on more and which you’re generally called “visionary”. more to do one thing: solve hard problems. There’s only one thing that you can do to im- The people who get to this level are the ones prove your skills at solving hard problems, and who become household names: Steve Jobs that’s to practice solving hard problems. This and Bill Gates are popular examples. But means that you’re going to have to continue to there are examples in the security industry as learn more and more nuanced detail around well: Marcus Ranum, Mary Ann Davidson, the things that you’re going to become an ex- Ron Gula, Tim Keanini and Bruce Schneier pert in. are great examples of those who have reached this pinnacle of the security career. The biggest challenge in this path is going to be expanding your vision to see “the big pic- This is that rare person who can “cross the ture”. This relates to my previous advice on streams” - who can manage a business and business acumen; this is where you need to stay involved in technology at the same time. learn to keep all of the details in your mind at Neither strictly managers nor strictly technolo- a given time. When you’re developing an gists, these are the people who are known as authentication strategy, it’s not just about experts on both. which crypto algorithms you use and what the password strength is, but, as you get to be a But How do I do it? more senior resource, the questions you need to ask are around strategy. For example: how Getting to the top of the security mountain does this authentication system play with the isn’t an easy task - it takes a lot of work. And, technology we’re going to deploy next year or more than anything, it’ll take a lot of good luck. www.insecuremag.com 64 Talk to anyone who has been successful in Then, do those things. But that sounds like a security (and, in fact, any industry) and you’ll LOT of work!!! Yeah, I know. Here’s where I hear the story of someone who has been in share the dirtiest little secret of all great secu- the right place at the right time. rity pros: Becoming great at security IS a LOT of work. In fact, that is, as I mentioned earlier, the place where you need to start: you need to That’s the bad news. The good news is that start meeting people who have done what you becoming great at anything is a lot of work. want to do. Get to conferences and on email Which is where that first question comes in lists and read their blogs. Learn how they got again: you have to have a really great reason to where they are, and take whatever advice for wanting to do this one. Because, other- they have that is useful to you. Then, start to wise, those days when you’re reading an RFC apply it to your own life and career. because somebody like me told you that it’s worth getting to know the protocols at a really Most importantly, figure out what they know deep level (which it is), you’re going to decide that you don’t know. Figure out what books that you’d rather be playing Xbox360. (Heck, they’ve read that you haven’t. What papers even if security is your calling, you’re going to they read that you don’t. What blogs they decide that sometimes... but the point is that read. What podcasts they listen to. And do you’ll do it eventually if you really want to be those things. great at this).

A 10-year veteran of the security industry, Mike Murray focuses his expertise on building successful and fulfill- ing careers. Dubbed "Mr. Security Career", his blog at Episteme.ca and his "Technology Career Excellence" podcast have become known as resources for those in technology who want more than just a job. His new book "Forget the Parachute, Let Me Fly the Plane" is targeted at careers in fast-moving industries like informa- tion security. Learn more at ForgetTheParachute.com and at Mike's blog at Episteme.ca.

www.insecuremag.com 65 We attended the enormous RSA Conference Companies from all over the world exhibited last week in San Francisco. With around their products and services and a large 15,000 attendees, a myriad of in-depth lec- amount of announcements were made at the tures delivered by some of the industry’s most show. The amount of new releases shows just important figures, as well as keynotes from how important the RSA Conference is to the leaders such as Bill Gates and Colin Powell, security industry as a whole. What follows is a we can truly say the event was a giant suc- roundup of product releases announced at the cess. show as well as a gallery of photos.

Announcements Arxceo Corporation - Arxceo Ally ReconAlert, a free software package for Windows that en- Absolute Software - Announced that Dell is ables network administrators to continuously bundling Computrace LoJack for Laptops with monitor Syslog output from their Ally ip100 their computer accidental damage services security appliance. sold to consumers. Bradford Networks - New NAC Director prod- Aladdin Knowledge Systems - Aladdin eSafe uct line gives organizations running Microsoft HellGate appliance, the company's first Network Access Protection the power to man- gateway-based anti-virus, spyware control, age and control guest access to the Internet Web browsing security and application filter- while validating that guest laptops comply with ing solution specifically designed for the SMB established network security policies. market. Centrify Corporation - Centrify DirectControl Altiris - SecurityExpressions 4.0 helps keep for Mac OS X, SmartCard Login Option, which security postures consistent with security poli- enables Mac OS X users to join Microsoft Ac- cies and regulatory mandates and enforces tive Directory environments that require two- compliance through audits, remediation and factor authentication via smart cards. reporting. Check Point - UTM-1 security appliance offers Application Security - DbProtect - an inte- medium-sized businesses and enterprise re- grated suite that is built on their AppDetective gional sites complete, multi-layered protection and AppRadar product against Internet threats such as spyware, vi- Applied Identity - New Identisphere product ruses, network attacks and more. suite offers unified policy access management ConSentry Networks - The integration of functionality that provides organizations with a ConSentry’s network-based enforcement plat- seamless solution for both managing multiple form with Microsoft’s admission control and and disparate directories, and for developing endpoint posture check. and managing fine-grained user policy. Ecora Software - New features in its flagship Arcot Systems - First-to-market integration solution Ecora Auditor Professional designed with Microsoft Windows CardSpace identity to reduce the high cost of compliance man- management framework. dates, lower the cost of downtime, increase Array Networks - Beta availability of Site2Site, security, and improve operational efficiency of the first site-to-site SSL VPN solution. IT professionals. www.insecuremag.com 66

FireEye - FireEye Central Management Sys- SanDisk - TrustWatch is built around a secure tem and the FireEye 4200 2.0 appliance that network appliance and a management con- addresses the exploding threat of remotely sole, through which IT administrators can eas- controlled malicious software or . ily configure and deploy secured USB flash Greencastle Technology - Innervue prevents drives, while preventing information from be- malware and attacks by monitoring the key ing copied to unapproved devices. interfaces between hardware and the soft- Secure Elements - The C5 Compliance Plat- ware that are needed for software execution. form is the industry's first enterprise solution HID Global - Crescendo series smart cards built on open XML standards that enables a designed to provide out-of-the box, standards- range of compliance solutions such as IS con- compliant support for thousands of logical ac- trol auditing and benchmarking, vulnerability cess control applications. management, and more. Intellitactics - Plans to enhance their compre- Shavlik Technologies - Broad vulnerability hensive enterprise security management solu- management and patch management support tion, Intellitactics Security Manager. for Microsoft Vista clients. Ixia - New SSL security testing capabilities in SignaCert - Interoperability of its Enterprise its IxLoad- Triple Play test solution result in Trust Service with Microsoft Network Access performance gains of more than 300% and Protection, allowing enterprises to measure add significant new features to the product. and verify the integrity of software on devices Kaspersky Lab - Kaspersky Anti-Virus Mobile, across IT systems, ensuring greater reliability, a product that protects mobile phones using manageability, security, and regulatory com- Symbian and Windows Mobile operating sys- pliance. tems against StarNet Communications - StarNetSSH, a Lockdown Networks - Lockdown Enforcer, is fully featured suite of connection security tools now shipping with full support for Microsoft for Windows-based computers, including Network Access Protection (NAP). Windows Vista. Netronome Systems - The Netronome SSL StillSecure - Safe Access now delivers on the Inspector is designed for security and network promise of ‘Complete NAC’ which refers to a appliance manufacturers, enterprise IT or- comprehensive network access control solu- ganizations and system integrators. tion that encompasses pre-connect health Ping Identity Corporation - Version 2 of its checks, post-connect monitoring and identity consumer authentication framework, Pin- based policies. gLogin, is now available for download from its SurfControl - New Global Alliance Partner Web site, Program - alliance partners will be able to de- Privaris - Participation in the RSA SecurID liver high-performance solutions that are Ready for Authenticators Partner Program - complimentary or tightly integrated with Surf- an extension of the trusted RSA Secured Control’s secure Internet protection technol- Partner Program. ogy. Red Hat - A complete PKI solution, Red Hat Third Brigade - Deep Security 5, an ad- Certificate System 7.2 provides a security vanced, host intrusion prevention system that framework that guarantees the identity of us- detects and prevents known and zero-day at- ers and ensures the privacy of communica- tacks targeting mission critical servers. tions in heterogeneous environments. Utimaco - Support for Windows Vista Bit- Relational Security Corporation - RSAM v5.0 Locker Drive Encryption. provides many great enhancements to the ex- Vernier Networks - Support for Microsoft Net- isting RSAM v4.5 feature set, while also inte- work Access Protection (NAP) in Vernier’s grating with Relational Security’s powerful EdgeWall 7000 and 8000 series appliances. new assessment & reporting modules. Voltage Security - Voltage Security Network, a Route1 - MobiNET Aggregation Gateway, a compelling new software-as-a-service solution sophisticated appliance-based solution that Webroot Software - Spy Sweeper Enterprise provides enterprises subscribing to Route1 3.0 was named “Best Anti-Malware Solution” MobiNET-enabled services, such as remote in the Reader’s Trust category of SC Maga- access, with greater manageability of data zine. traffic that flows across the network.

www.insecuremag.com 69

Knowledge & Technology

Come together at Black Hat Europe. Once again the world’s ICT Security Elite gather to share their knowledge and experience with you. This is your chance to meet and network with peers and professionals at this world renown event. Two days. Ten Classes. Thirty presentations.

Black Hat® Briefings & Training Europe 2007 27-30 March 2007 • Mövenpick Hotel Amsterdam City Centre www.blackhat.com

sponsors

gold supporting associations When Microsoft released Windows XP in late 2001, it introduced a new with quick access to frequently used programs. The left side of the menu contains two sections, the "pinned list" (at the top) and the Most Frequently Used Programs (MFUP) list (at the bottom). When you monitor the MFUP list in the Start menu, you will notice that it is not only displaying the most frequently used programs, but also new programs that were used recently. This means that there is also a kind of time-stamp involved.

www.insecuremag.com 72 To a programmer, it is clear that the MFUP list try. Reverse-engineering techniques were re- can only be maintained by monitoring user quired to understand the format of the data activity. This activity has to be logged and (details about this process can be found in my persisted somewhere. blog).

I developed a program to display the data of Microsoft has not published documentation the MFUP list. This data is stored in the regis- about these registry keys.

Use in forensic analysis When started, the UserAssist utility retrieves the data for the current user and displays it. Now imagine that you are conducting a foren- sic investigation: you have to compile a report The display is not refreshed automatically about the activity of user U on workstation W. when Windows Explorer updates the registry entries. One important element of this report is the list of programs executed by user U. To refresh the display, execute the 'Load from local registry' command. But this is not the There are several techniques to compile a list way you want to use it for a forensic investiga- of executed programs. One can look at the tion. When you are executing your forensic last access timestamps of the program files investigation by the rules of the book, you will on workstation W, or examine the files in the image the storage devices of the involved %WINDIR%\Prefetch directory. The problem machine(s) and work on a copy of the image. with these techniques is that they are system wide: one has to deduct from the timing win- To extract the HKEY_CURRENT_USER reg- dow which user accessed the files. This is istry keys for a particular user from this image, relatively simple if there is only one user work- you will have to locate the NTUSER.DAT file. ing on the workstation, but it becomes very It is located in the C:\Documents and Set- difficult on a Terminal Server. tings\user_name directory. There are excep- tions to this. If the workstation is a member of The UserAssist utility helps one to compile a a Active Directory domain and roaming pro- list of executed programs. It reads the MFUP files are enabled, you can also find the data from the registry found under this key: NTUSER.DAT file of domain users (not of lo- cal users) on the domain controller or on a HKEY_CURRENT_USER\Software\Microsoft\ dedicated file server. Windows\CurrentVersion\Explorer\UserAssist Be aware that this file will only be up-to-date Notice HKEY_CURRENT_USER, it means with a proper logoff, pulling the plug on the that this data is user related. It ties activity workstation will not allow for synchronisation such as running executables to a specific of the roaming profile. user. www.insecuremag.com 73 If you find a NTUSER.MAN and no ing a registry hive will modify the NTUSER.DAT file, you are out of luck: this is NTUSER.DAT file and create a the mandatory profile setup by the system NTUSER.DAT.LOG file. administrator. It does not persist changes made by the user. After locating the Load Hive is only enabled for keys NTUSER.DAT registry hive, you will have to HKEY_USERS and HKEY_LOCAL_MA- export the registry entries as a .REG file. The CHINE UserAssist utility cannot read registry hive files directly (I will add this feature once I find If you need to limit the size of the .REG file, a suitable open source ), they have to navigate to be converted to .REG files. Software\Microsoft\Windows\CurrentVersion\ Explorer\UserAssist and export this key in Follow this procedure to create the .REG file: stead of the complete registry hive. 1) Make a copy of the NTUSER.DAT file of the involved user Now that you have the exported registry hive 2) Start Regedit as a .REG file, start the UserAssist utility. It 3) Select HKEY_USERS will display a table with the commands you 4) Launch command File/Load Hive... have executed, just ignore this for the mo- 5) Select the copy of the NTUSER.DAT ment. 6) Type a Key Name, for example Investigation Execute these steps to view the UserAssist 7) Select HKEY_USERS\Investigation data: 8) Right-click and launch Export 1) Launch Commands / Load from REG file 9) Type a file name, for example Investigation 2) Select the .REG file, for example 10) Launch command File/Unload Hive... Investigation.reg

Recommendations All the commands executed by the user are displayed in a table, the meaning of the data I recommend working on a copy of in the columns is explained below. NTUSER.DAT, because loading and unload-

www.insecuremag.com 74 Key notepad, then the session ID for the notepad entry will be 123. This value is {5E6AB780-7743-11CF-A12B- 00AA004AE837} or {75048700-EF1F-11D0- Counter 9888-006097DEACF9} These are the keys found under the UserAs- This is the number of times the program was sist registry key, and they are included in the executed (a 4 byte integer). table to distinguish the entries. Last Index This is the last time the program was exe- This is a running counter, indicating the se- cuted (an 8 byte datetime). Watch out for time quence of values in the registry. At first, the zone differences when importing a REG file entries are listed in the sequence they appear from a system with different regional settings. in the registry. You can sort columns by click- It is important to understand that there is only ing on the header. To revert to the original se- one entry per executed program: e.g., if note- quence, sort the column Index and then the pad is executed twice, there will only be one column Key entry in the table with Counter equal to 2 and Last equal to date and time notepad was last Name executed.

The name of the value registry entry. This ref- The result of executing these commands: erences the program that was run. This key is Notepad.exe ROT13 encrypted, the displayed name is de- Calc.exe crypted. Notepad.exe

There is a registry setting to prevent encryp- is this table: tion of the log, but the UserAssist utility does "UEME_RUNPATH:C:\Windows\system32\cal not support this setting. c.exe","","146","1","3/01/2007 21:02:33" "UEME_RUNPATH:C:\Windows\system32\not ROT13, also know as the Caesar cipher, is a epad.exe","","146","2","3/01/2007 21:02:40" very simple encryption scheme where each letter is replaced with the letter thirteen places You can save the table as a CSV file. This file down the alphabet. A becomes N, B becomes can be imported in a spreadsheet program O, and so on… For example, UEME_RUN- like Excel for further analysis or for inclusion PATH becomes HRZR_EHACNGU. I do not in the forensic analysis report. To save the re- know why Microsoft decided to encrypt the port, launch Commands / Save and type the UserAssist registry entries with such a simple name of the CSV file. scheme. Name entries Unknown The key Names always start with UEME_. A 4 byte integer, meaning unknown. It ap- Examples are: pears to be present only for session entries UEME_CTLSESSION: session key. This ap- (UEME_CTLSESSION). pears to increase with 1 each day you use the computer. I think the 4 first bytes of the binary Session data (column Unknown) are also a timestamp, but of another format which I've still to under- This is the ID of the session (a 4 byte integer). stand (it appears to count in units of 53.69 When an entry is created in the UserAssist seconds). registry keys, the session is set equal to the UEME_RUNCPL: an entry created when the session of the UEME_CTLSESSION entry. control panel is opened. It can be followed by For example, assume the session ID of UE- a string to indicate which applet of the control ME_CTLSESSION is 123, and you launch panel was opened, like this entry for the Power Options applet: www.insecuremag.com 75 UEME_RUNCPL:"C:\Windows\system32\pow iar with Windows Explorer as the utility you ercfg.cpl",Power Options use to explore drives, but it does a lot more. UEME_RUNPIDL indicates the execution of a Windows Explorer is also the standard in PIDL. A PIDL is a Pointer to an ID List, every Windows: it is the program that displays the item in Explorer's namespace is uniquely Start Menu, the Task Bar and all those other identified by its PIDL. For example, executing GUI elements that make up your desktop. shortcuts (.lnk) are logged with this entry. UEME_UIQCUT is logged for applications Here is a fun little experiment to demonstrate launched from the quick launchbar. There is this (save all important work first): no separate entry with the name or path of the launched application. I think the logic behind 1) Start the Windows this is the following: the UserAssist registry (CTRL+SHIFT+ESCAPE) keys are maintained by Windows Explorer to 2) Select the Processes tab and search display the MFUP. Applications launched from explorer.exe the quick launchbar have already their "spe- 3) Select explorer.exe and click on the End cial" place on the Windows GUI, so there is Process button no need to keep additional data about their 4) Confirm usage. 5) Result: the start menu and are gone More details about the different types of name 6) Launch File/New Task(Run...) entries can be found at tinyurl.com/3y5ob4. 7) Type explorer and execute, this will get your back. Windows Explorer The fact that the UserAssist registry keys are The UserAssist registry keys are maintained maintained by Windows Explorer has two im- by Windows Explorer. You are probably famil- portant implications.

First implication: only programs that are executed from this will not launched via Windows Explorer are counted appear in the UserAssist registry data. in the UserAssist keys. Programs launched by the Windows Console (CMD.EXE), a service Second implication: Windows Explorer runs or by any other means are not logged. If the under the user account and since Windows user starts a Windows Console, you will see Explorer needs full access to the UserAssist this in the UserAssist keys, but all programs registry keys, the user has also full access. www.insecuremag.com 76 The user can manipulate the data. He can Ultimate Boot CD for Windows is based on change data and delete entries without you BartPE. being able to detect this. The way that the data is encoded in the registry does not make Bart’s PE has an open architecture, you can it easy for the user to manipulate individual integrate your own tools by making a dedi- entries, but the UserAssist utility also provides cated plugin. My UserAssist utility uses the functions to do this. Microsoft .NET Framework 2.0, which is not supported by BartPE. You need to add Colin In other words, the integrity of the UserAssist Finck’s Microsoft .NET Framework 2.0 plugin data is not guaranteed. One can only rely on to the Ultimate Boot CD for Windows plugins the ignorance of the user about the UserAs- to use my plugin. sist registry entries to maintain the integrity of the data. Details on how to make your own UBCD4Win CD with my UserAssist Utility plugin can be There are also settings to disable the logging found at tinyurl.com/2fdl8l. It has also a video of commands under the UserAssist registry showing you the UserAssist utility in action. key: create registry key Settings\NoLog (un- der the UserAssist registry key) and set it Closing remarks equal to 1. You will have to restart Windows Explorer before this setting becomes effective. The UserAssist utility has also been tested The UserAssist utility provides the Logging with success on Windows Vista. Apparently, Disabled command to toggle this key. Re- Microsoft did not make changes to the format enabling logging requires the deletion of the of the UserAssist registry entries, they still ex- Settings\NoLog registry key and the restart of ists and they contain the same data as in Windows Explorer. Windows XP.

Windows Live CDs My UserAssist utility is not the only program that displays and manipulates the UserAssist I have also packaged the UserAssist utility in registry keys, but it's the only one that dis- a Bart's PE plugin that I have tested with the plays the counters, timestamps and session Ultimate Boot CD For Windows (UBCD4Win). IDs in a Windows GUI program. From their website: UBCD4Win is a bootable CD which contains software that allows you to Jeremy Bryan Smith has developed a Win- repair, restore, or diagnose almost any com- dows GUI program that will decode and dis- puter problem. Their goal is to be the ultimate play the UserAssist registry entries, but it free hardware and software diagnostic tool. All does not decode the binary data containing software included in UBCD4Win are freeware the counters, timestamps and session IDs utilities for Windows. UBCD4Win is based on (tinyurl.com/3y5ob4). Bart's PE. Bart's PE builds a Windows "pre- install" environment CD, basically Windows Harlan Carvey has developed ProScripts to booted from CD. dump the UserAssist registry keys with the decoded name and timestamp Windows Live CDs are a popular trouble- (tinyurl.com/3d79zu). shooting and forensic investigation tool, they allow you to boot a (Windows) PC from a CD. The UserAssist utility was developed with Mi- crosoft Visual C# 2005 Express, a free down- Bart Lagerweij developed BartPE, a tool to load from Microsoft. The source code is in- create a Windows Live CD (a Windows “pre- cluded when you download the UserAssist install” environment CD), and several people utility, you are free to adapt this code. build their own tools based on his work. The

Didier Stevens (CISSP, MCSD .NET, MCSE/Security) is an IT Security Consultant currently working at a large Belgian financial corporation. He is employed by Contraste Europe NV, an IT Consulting Services company (www.contraste.com). You can find the UserAssist utility and other open source security tools on his IT security related blog at DidierStevens.com. www.insecuremag.com 77

For many years external security threats received more attention than inter- nal ones, but the focus has changed. Worms, viruses and the external hacker were once perceived as the biggest threats to computer systems. What is of- ten overlooked is the potential for a trusted individual with special privileges or access to steal or modify data. While viruses and worms are serious, at- tacks perpetrated by people with trusted insider status—employees, ex- employees, contractors and business partners—pose a far greater threat to organizations in terms of potential cost per occurrence and total potential cost than attacks mounted from outside.

Well documented breaches have heightened sources on the local area network of the com- the public’s – and regulatory agencies’ - con- pany are deemed trusted. Practically, we do cerns about how well companies are securing not firmly restrict their activities because an consumer-specific information captured at the attempt to control these trusted users too point-of-acquisition. Extended partnerships closely will impede the free flow of business. lead to that more and more tasks will be per- And, obviously, once an attacker has physical formed outside the physical boundaries of control of an asset, that asset can no longer company facilities which will add another level be protected from the attacker. While data- of due diligence we must take into account. bases often are protected by perimeter secu- rity measures and built in RDBMS (Relational Insider attacks hurt disproportionately Database Management Systems) security functionality, they are exposed to legitimate The reason why insider attacks hurt dispropor- internal users at some degree. Due to the tionately is that insiders can and will take ad- fragmented distribution of database environ- vantage of trust and physical access. In gen- ments, real time patch management, granular eral, users and computers accessing re- auditing, vulnerability assessment, and www.insecuremag.com 79 intrusion detection become hard to achieve. are indispensable protection for the network With the growing percentage of internal intru- for keeping people out, today’s focus on e- sion incidents in the industry and tougher business applications is more about letting the regulatory and compliance requirements, right people into your network. Consequently, companies are facing tough challenges to as databases become networked in more both protect their sensitive data against inter- complex e-business applications, their vulner- nal threats and meet regulatory and compli- ability to attack grows. Without extra precau- ance requirements. tions taken to secure the confidential data in databases, your company’s privacy is at risk. Threats from people working inside the en- Taking the right security approach enables terprise firewall your e-business and protects your critical data. Threats that the system would be likely Threats to your databases can come from to face, for reasons that we will describe be- hackers, attackers external to your network, or low, are 1) malicious insiders and 2) techni- from the numerous groups of people working cally knowledgeable outsiders motivated by inside the enterprise firewall. While firewalls profit.

Threats to your databases can come from hackers, attackers external to your network, or from the numerous groups of people working inside the enterprise firewall.

Outside threats Security System, it would be wise to treat it as soon as possible, however unlikely. A second category of threat that must not be neglected is outsiders. Although their motiva- Other threats tion is far more likely to be profit rather than to harm The Company’s brand reputation, it is Although we consider the above threats to be important to consider them in the analysis. At the most likely, they are in no way the only least two feasible scenarios exist that could ones that exist. Similarly, other motivations provide an outsider with a vector for launching for attacking the Store Security System may an attack on the Store Security System; both well also exist. The largest risk of successful scenarios involve poorly configured store loca- attacks by these miscreants is denial of serv- tion networks. In the first scenario, a Company ice and other forms of general havoc. Cer- store location network is miss-configured such tainly, not something to be ignored, but the that it is directly accessible to the external business impact to The Company is not likely Internet at large. In this scenario, an oppor- to as significant as in either of the previous tunistic attacker might accidentally (or other- scenarios. wise) find the The Company network and be- gin an attack. Organizations are reacting slowly

The second scenario would be involving a For companies to avoid the nightmare of a miss-configured store location network that public breach of customer privacy, organiza- inadvertently allows hotel guest data traffic to tional accountability must be established and traverse the same network that the business supported by policies and processes that en- systems, including the Local Security Server force compliance to standards and regula- itself, resides on. In both cases, a successful tions. Many states in the U.S. have adopted attack on the Store Security System itself rigid regulations about disclosure of consumer would need to include a significant additional data security breaches, and financial networks effort to explore, analyze, and learn the opera- such as VISA and MasterCard will impose tion of the Store Security System. Such an harsh financial consequences if a breach attack might well take months or more, but occurs. considering the five-year life-span of the Store www.insecuremag.com 80 The Payment Card Industry (PCI) Data Se- viduals or as members of communities. In curity Standard many ways, this is a return to a pre-mass business concept, before consumers began to The PCI Data Security Standard is a set of be treated as an amalgam of many different collaborative security requirements for the demographics, lifestyles, and buying prefer- protection of credit card transactions and ences. The difference today is that organiza- cardholder data for all brands. The PCI stan- tions can achieve a level of intimacy and still dard incorporates sound and necessary secu- perform as a large scale enterprise. Informa- rity practices, such as continuous data access tion technology makes this possible, and win- monitoring and control; assessments; and ners are using information and technology to auditing. PCI Compliance is mandatory for better understand customer preferences and any business that stores, processes, or to plan their business strategies accordingly. transmits data. The PCI Security Standards However, such strategies do not come without Council (www.pcisecuritystandards.org) is an risk. Today, enterprises must demonstrate open global forum for the ongoing develop- compliance with industry and government ment, enhancement, storage, dissemination regulations charging businesses with ensuring and implementation of security standards for the security of this sensitive information. At the account data protection. The PCI Security same time, databases are at increased risk Standards Council’s mission is to enhance from both internal and external attackers who payment account data security by fostering no longer simply seek notoriety but, instead, broad adoption of the PCI Security Standards. want financial rewards. The organization was founded by American Express, Discover Financial Services, JCB, Primary categories of threats MasterCard Worldwide, and Visa Interna- tional. Database attacks are rising

PCI and beyond Database attacks can have direct and severe economic consequences. Database attacks Industry standards, such as PCI, have been are rising and they can result in the loss or developed to prescribe best practices for en- compromise of information critical to running suring the privacy and integrity of consumer- your business day-to-day, from inventory and specific information. Now is the time to ad- billing data to customer data and human- dress the organizational and technical issues resources information. In addition databases surrounding the effective use and security of are holding increasing amounts of sensitive consumer-specific information. Those compa- information on behalf of your customers — nies that effectively use this information to financial records, healthcare histories, order drive customer value while at the same time histories, credit card and Social Security num- ensuring its privacy and integrity, will be re- bers. Any loss will be an operational and cus- warded with increased customer loyalty and tomer relationship disaster as well as a finan- improved earnings. Failure to secure cial nightmare. Do you know how many em- consumer-specific data will result in brand ployees have access to your databases? If erosion and crippling scrutiny from regulatory you are using passwords for administrators, agencies and financial networks. how are passwords being stored? Do you have security policies in place that include Examples from the retail industry auditing your database security and monitor- ing for suspicious activity? This article will review examples and use cases from the retail industry to illustrate se- Two primary categories of insider threats curity principles applied in a highly distributed and exposed environment such as retail There are two primary categories of insider ‘Store Systems’ and distributed ‘Store Security threats to a typical Store System scenario: Systems’ that are described below. Organiza- The Company employees and franchisee em- tions today have the ability to use the informa- ployees. Either or both may be enlisted by an tion captured from points-of-sale to deliver outsider(s) or may enlist the help of an out- compelling value to consumers, either as indi- sider in order to attack the Store Security www.insecuremag.com 81 System. Their motivations are likely to be ei- customers’ needs. However, consumers, gov- ther profit or to cause harm to The Company ernment regulatory agencies, and financial by way of either a direct denial of revenue networks are growing increasingly concerned and/or by tarnishing The Company brand with that consumer privacy is jeopardized by the the bad publicity that would almost inevitably potential of security breaches within organiza- be the result of a successful compromise. In tions’ technology environments. any of the above scenarios, it should be ex- pected that the insider will be able to learn Dealing with new and innovative intrusions how the Store Security System functions to a level at least significant enough to attempt an There are no guarantees that any one ap- attack. proach will be able to deal with new and inno- vative intrusions in increasingly complex tech- Security breaches within organizations' nical and business environments. However, technology environments implementation of an integrated security pro- gram which is continuously audited and moni- New technologies make it increasingly feasi- tored provides the multiple layers of protection ble for organizations to relate item movement needed to maximize protection as well as his- to specific customer information, and to ana- torical information to support management lyze that relationship to develop business decision-making and future policy decisions. strategies that are more relevant to individual

The primary problem with many compliance initiatives is a focus on existing security infrastructure that addresses only the network and server software threats.

More sophisticated data attacks furthermore, these solutions tend to be tar- geted at the perimeter and thus do not inspect Insight into data-level attacks and audit internal traffic, partner/VPN traffic, or encrypted traffic. Finally, these solutions do The primary problem with many compliance not understand the complex protocols used by initiatives is a focus on existing security infra- databases and database applications—a se- structure that addresses only the network and vere handicap when trying to detect threats to server software threats. However the data se- the database. curity capabilities required to be compliant goes far beyond these technologies. Network Limitations in defending data attacks and server software protections (network fire- walls, Intrusion Prevention Systems), while Traditional database security mechanisms are important, provide no insight into data-level very limited in defending successful data at- attacks targeted directly against a database or tacks. Authorized but malicious transactions indirectly via a web application. Regulatory can make a database useless by impairing its compliance requires an understanding of who integrity and availability. The proposed solu- is allowed to access sensitive information. tion offers the ability to detect misuse and Regulatory compliance requires an under- subversion through the direct monitoring of standing of who is allowed to access sensitive database operations inside the database host, information? From where did they access in- providing an important compliment to host- formation? When was data accessed? How based and network-based surveillance. Suites was data used? The bottom line is that data of the proposed solution may be deployed security requires a new approach that extends throughout a network, and their alarms man- the breadth and depth of IT’s ability to secure aged, correlated, and acted on by remote or information. Most existing monitoring solutions local subscribing security services, thus help- focus on network-level issues or web traffic; ing to address issues of decentralized man- agement. www.insecuremag.com 82 Traditional approaches to data security The technology enablers

Traditional approaches to security have relied Although organizations are moving aggres- on the application to enforce access control sively to use the Customer dimension to fine for application users, the database administra- tune their business strategies, they are mov- tor to maintain both database and application ing much less aggressively to utilize the tech- availability and network routers and firewalls nologies available to them to mitigate risks to restrict access to the database and applica- associated with the use of that data. This is tion. While problems such as the insider threat not for want of technology answers, however. are certainly not new, the potential for abuse Technologies such as data encryption, access has never been greater due to the amount of logging and proactive forensic analysis, pene- sensitive information being collected and the tration testing tools and services, and other willingness of criminal organizations and indi- techniques are available now. One of the most viduals to pay for such information. The nature effective ways to can avoid a serious security of the information threat today requires more breach is to protect the data in your data- sophisticated security mechanisms within the bases. There are many aspects to information database. security, but the heart of securing credit card- based transactions focuses on databases.

A defense-in-depth strategy "Checks and balances" to reduce success- ful attacks Part of the problem lies in the fact that most companies solely implement perimeter-based Traditionally, insider threats are the most diffi- security solutions, even though the greatest cult to both prevent as well as detect. Further, threats are from internal sources. Additionally, it is likely that no technology solution will be companies implement network-based security adequate to safeguard against every possible solutions that are designed to protect network attack scenario. However, other industries resources, despite the fact that the information (notably the financial services industry) have is more often the target of the attack. handled insider threats for centuries. In situa- tions where known technology weaknesses Recent development in information-based se- are recognized, the financial services industry curity solutions addresses a defense-in-depth typically compensates by instituting proce- strategy and is independent of the platform or dural “checks and balances” to greatly reduce the database that it protects. As organizations the likelihood of successful attacks. In most continue to move towards digital commerce cases, these checks and balances are in the and electronic supply chain management, the form of separation of duties and multiple value of their electronic information has in- points of (possible) failure, the result being creased correspondingly and the potential that no single employee can easily compro- threats that could compromise it have multi- mise an entire system. Instead, a conspiracy plied. would need to exist, which is deemed to be much less likely. That same methodology of With the advent of networking, enterprise- separation of duties is leveraged significantly critical applications, multi-tiered architectures in the recommendations made in this docu- and web access, approaches to security have ment in circumstances where weak points ex- become far more sophisticated. ist in the Store Security System Architecture out of necessity.

www.insecuremag.com 83 Controlling DBA access to data stays late, dumps the entire customer table into a text file, and copies it to a USB drive. Database administrators play a critical role in This type of activity is called privilege abuse, maintaining the database. Performance, 24x7 and no database vendor has built-in protection availability and backup/recovery are all part of against it. In fact, although network adminis- the DBA job description. These responsibilities trators have enjoyed firewalls for years, data- place the job of DBA among the most trusted base administrators have been left out in the in the enterprise. However, the DBA shouldn't cold. need to access application data residing within the database. The same rule should Vulnerability assessment scanners apply to highly privileged users, such as appli- cation owners. These highly privileged users Vulnerability assessment scanners discover shouldn't be allowed to use their privileges to database applications within your infrastruc- access application data outside their applica- ture and assess their security strength two tion. primary application tiers - application / mid- dleware, and back-end databases. It locates, Multiple layers of protection to maximize examines, reports, and fixes security holes protection and miss-configurations. As a result, enter- prises can proactively harden their database There are no guarantees that any one ap- applications while at the same time improving proach will be able to deal with new and inno- and simplifying routine audits. vative intrusions in increasingly complex tech- nical and business environments. However, Database scanners implementation of an integrated security pro- gram which is continuously audited and moni- Database scanners are a specialized tool tored provides the multiple layers of protection used specifically to identify vulnerabilities in needed to maximize protection as well as his- database applications. In addition to perform- torical information to support management ing some external functions like password decision-making and future policy decisions. cracking, the tools also examine the internal configuration of the database for possible ex- The "principle of least privilege" is ineffec- ploitable vulnerabilities. Database scanning tive tools discover vulnerabilities through the fol- lowing functions. Here are some examples: A small group of individuals perpetrate the maximum damage. Unfortunately, the problem • Passwords with managing this threat effectively is that • Default account vulnerabilities traditional and foundational security con- • Logon hours violations cepts—particularly that of the "principle of • Account permissions least privilege"—are ineffective. In computing, • Role permissions the principle of least privilege holds that a user • Unauthorized object owners is given the minimum possible privileges nec- • Remote login and servers essary to permit an action, thereby reducing • System table permissions the risk that excessive actions will negatively • Extended stored procedures affect the system. In the real world this princi- • Cross database ownership chining ple would mean that you are reducing the abil- • Authentication ity for IT administrators to do their jobs quickly • Login attacks and effectively. • Stale login IDs • Security of admin accounts Shield your data from malicious acts and • Excessive admin actions mistakes • Passwords • Password aging The scenario is simple: a user has rights to • Auditing trail query the database’s customer table. He usu- • Auditing configuration ally queries one customer at a time through • Buffer overflows in user name the application interface, but one night, he • Buffer overflows in database link www.insecuremag.com 84 Protect data at rest and in transit can easily be passed between applications and databases without changing the data. Good security practice Enable a strong security framework Good security practice protects sensitive data as it is transferred over the network (including Application-layer encryption allows enterprises internal networks) and at rest. Once the se- to selectively encrypt granular data within cure communication points are terminated, application logic. This solution can also pro- typically at the network perimeter, secure vide a strong security framework if designed transports are seldom used within the enter- correctly to leverage standard application prise. Consequently, information that has cryptographic such as JCE (Java-based been transmitted is in the clear and critical applications), MS-CAPI (Microsoft-based ap- data is left unprotected. One option to solve plications), and other interfaces. Because this this problem and deliver a secure data privacy solution interfaces with the application, it pro- solution is to selectively parse data after the vides a flexible framework that allows an en- secure communication is terminated and en- terprise to decide where in the business logic crypt sensitive data elements at the SSL/Web the encryption/decryption should occur. This layer. Doing so allows enterprises to choose type of solution is well suited for data ele- at a very granular level (usernames, pass- ments that are processed, authorized, and words, etc.) sensitive data and secure it manipulated at the application tier. If deployed throughout the enterprise. Application-LAYER correctly, application-layer encryption protects encryption and mature Database-Layer en- data against storage attacks, theft of storage cryption solutions allow enterprises to selec- media, application-layer compromises, file tively encrypt granular data into a format that level attacks and database attacks.

Good security practice protects sensitive data as it is transferred over the network (including internal networks) and at rest.

Allowing flexible and fine-grained control and between different applications and data stores. How about while being processed in The application usually understands which the application itself particularly if the applica- user is trying to access a given piece of data tion may cache the data for some period. and can be programmed to understand a se- Sending sensitive information over the Inter- curity policy and enforce it in the context of the net or within your corporate network as clear application data. This can allow for flexible text, defeats the point of encrypting the text in and fine-grained control of data access while the database to provide data privacy. An En- ensuring that the critical data is encrypted be- terprise level Data Security Management solu- fore it reaches the database. tion can provide the needed key management for this solution. Encryption of data fields can The sooner the encryption occurs, the be performed when entering data at the appli- more secure cation layer and decrypted down stream at the DBMS layer. Due to distributed business logic in application and database environments, it is required to Continuous data protection be able to encrypt and decrypt data at differ- ent points in the network and at different sys- A mature solution will protect data at rest, and tem layers, including the database layer. En- also while it’s moving between the applica- cryption performed by the DBMS can protect tions and the database and between different data at rest, but you must decide if you also applications and data stores. This solution will require protection for data while it’s moving protect data fields or files while being trans- between the applications and the database ported in the data flow between applications www.insecuremag.com 85 and particularly for applications that cache the tion of the control. Organizations should be data for some period in temporary files, tables aware that a particular compensating control and FTP transfers. A solution should be based will not be effective in all environments. Each on industry accepted encryption standard compensating control must be thoroughly such as AES 256 bit and allow ways to mini- evaluated after implementation to ensure ef- mize the changes to the data format and/or fectiveness. For organizations unable to ren- length. Organizations typically have many der sensitive data unreadable (for example, by third party and legacy applications in which encryption) due to technical constraints or they can not alter the DB schema so a high business limitations, compensating controls level of transparency can be extremely impor- may be considered. The basic conclusion tant. If the solution is not based on industry from this analysis is that a combination of ap- accepted encryption standard it can be plication firewalls, plus the use of data access strengthened by an additional layer of strong monitoring and logging may, if effectively ap- file level encryption to protect the data at rest. plied not provide reasonable equivalency for the use of data encryption across the enter- Example of complementing traditional data- prise since such a combination of controls base solutions: does have multiple weak spots, when it comes to preventing damage from careless behavior • Continuous encryption at the distributed end of employees or weak procedures in devel- points including store systems all the way to opment and separation of duties. the central systems • Continuous encryption centrally across a Perform a risk analysis before using com- few selected applications pensating controls • Transparent encryption centrally across ma- jor applications Only organizations that have undertaken a risk analysis and have legitimate technological Decrease the encryption overhead or documented business constraints should consider the use of compensating controls to There is a multitude of architectures and tech- achieve protection. niques to improve performance: the alterna- tives fall into two broad categories – alterna- Organizations that consider compensating tive topologies to decrease encryption over- controls for rendering sensitive data unread- head and techniques to limit the number of able must understand the risk to the data encryption operations. posed by maintaining readable data. Gener- ally, the controls must provide additional pro- In addition, performance and security, in real- tection to mitigate any additional risk posed by world scenarios, are complex issues and ex- maintaining readable data. Compensating perts should be used who understand all controls should consist of a comprehensive available options and the impact for each par- set of controls covering additional ticular customer environment. segmentation/abstraction (for example, at the network-layer), with an ability to restrict ac- Data encryption vs. compensating cess to data or databases based on IP controls address/Mac address, application/service, user accounts/groups, Data type (packet filter- The effectiveness of compensating con- ing), restrict logical access to the database, trols control logical access to the database (provid- ing separation of duties) and prevent/detect Compensating controls may be considered common application or database attacks (for when an organization cannot meet a technical example, SQL injection). specification of a requirement, but has suffi- ciently mitigated the associated risk. The ef- Example of compensating controls fectiveness of a compensating control is de- pendent on the specifics of the environment in Currently there are multiple different database which the control is implemented, the sur- segments based in different geographic loca- rounding security controls, and the configura- tions that require administration. www.insecuremag.com 86 This environment is difficult to administer due reducing access to environments. Adequate to "over segregation", sometimes people have network segmentation, which isolates systems to break “other” rules to administer effectively. that store, process, or transmit sensitive data Many security/auditing tasks have to be dupli- from those that do not, may reduce the vul- cated for every environment where database nerability of the data environment. Network resides. We need to explore the viability of components include firewalls, switches, rout- this approach. The database only network ers, wireless access points, network appli- segment(s) have advantages including cen- ances, and other security appliances. Server tralized entry point to manage and monitor all types include but web, database, authentica- activity, administrative tools can effectively tion, mail, proxy, and DNS. Applications in- manage security/auditing tasks, database en- clude all purchased and custom applications, vironments are brought together, in a reduced including internal and external (Internet) appli- number of environments, in "back office", and cations. separate databases from application further

Data intrusion prevention only be accessed, by a limited number of indi- viduals using a handful of controlled access The inability to detect novel intrusive methods. attempts Host-based intrusion detection systems Intrusion detection systems include three ba- (HIDS) sically different approaches, host based, net- work based, and procedural based detection. HIDS have their own limitations with regards The first two have been extremely popular in to database protection. Most HIDS systems the commercial market for a number of years operate by either audit trail inspection or ob- now because they are relatively simple to use, servation of system modifications; as such, understand and maintain. However, they fall they are only able to inspect those behaviors prey to a number of shortcomings such as that are logged by applications or those activi- scaling with increased traffic requirements, ties that exhibit behavior on the host for which use of complex and false positive prone signa- detection signatures can be created (e.g. ture databases, and their inability to detect modifications to key system files or settings, novel intrusive attempts. The complexity of etc.). this task was dramatically increased by the introduction of multi-platform integrated soft- Unfortunately, malicious queries to a database ware solutions, the proliferation of remote ac- (e.g. to obtain all password/credit card data) cess methods and the development of appli- will generate no such log entries or detectable cations to support an increasing number of behaviors for a HIDS to observe. As far as the business processes. In the "good old days", database is concerned, a malicious query is files and databases contained fewer types of just as valid as any legitimate query – it just information (e.g., payroll or accounting data) references different data. stored in centralized locations, which could www.insecuremag.com 87 Network intrusion protection systems Database attack detection complements traditional security measures Traditional network-level security solutions like Network Intrusion Protection Systems (NIPS) Database attack detection augments and and firewalls are designed to detect hacking complements traditional security measures attacks and exploits. Security vendors author such as access controls, encryption, scan- and distribute signatures to detect common ners, and network and host security. Database attacks such as malformed packets, buffer attack detection works by examining each overflows, attempts to download UNIX pass- SQL command or query that is sent to a data- word files, and zombie control communica- base (typically across a network) and then tions. These signatures are produced based verifying whether that query is malicious or on analysis of known exploit tools and known not. It works in real-time or near real-time, and operating system and application vulnerabili- it detects malicious attacks from both internal ties, ensuring they can detect a wide variety of and external sources. For example, consider attacks across a diverse set of customer net- what would happen if an attacker were to works. Unfortunately, many valid database at- compromise a web server and then issue a tack scenarios involve a legitimate user issu- perfectly valid query and it will be executed by ing legitimate looking commands to the data- the database without a second thought; how- base; typical database attacks do not require ever, this query has the ability to compromise exploit tools or the transmission of malformed thousands of credit card numbers from the da- packets. All the attacker has to do is log in tabase. Such a query would not likely be is- with a sufficiently privileged account and issue sued by a legitimate client application; as de- syntactically correct queries to the database. scribed below, with proper training a database There may be nothing overtly wrong with such attack detection system could easily identify a malicious query other than it may attempt to this query as an attack, block the request, and access more than the usual amount of infor- alert the administrator. mation. Consequently, such a query would not be caught by a network-based intrusion detec- Limit authorized usage of data is neces- tion or prevention solution. sary to avoid breaches

Transaction level methods cannot handle Putting limits on authorized usage of data is OS level attacks necessary to avoid breeches from the inside. Much like an ATM machine will limit the As more types of information were migrated to amount of money a person can take out of electronic formats (and ever more databases their own account, it is important to be able to proliferated, often with little planning), there set the limits on authorized use as part of data was a simultaneous increase in the number of security policy. The data intrusion prevention users, access methods, data flows among system respond to threats by notifying the ac- components and the complexity of the under- cess control system to alter the security policy, lying technology infrastructure. Add to this the for example by altering authorization and de- demand from users for ever more sophisti- nying the access request before any informa- cated uses of information (data mining, CRM, tion is transmitted to the user. Access rates etc.) which are still evolving and the manage- may be defined as the number of records a ment's enhanced awareness of the value of its user may access at one time, or the number information, and It is safe to say that the price of records accessed over a certain period of of poker has gone up. Database intrusion tol- time. Results may address a single query ex- erance can mainly be enforced at two possible ceeding the allowed limit, or a number of levels: operating system (OS) level and trans- smaller queries, individually allowed, but when action level. Although transaction level meth- aggregated, blocked. This method allows for a ods cannot handle OS level attacks, it is real time prevention of intrusion by letting the shown that in many applications where at- intrusion detection process interact directly tacks are enforced mainly through malicious with the access control system, and change transactions transaction level methods can the user authority dynamically as a result of tolerate intrusions in a much more effective the detected intrusion. and efficient way. www.insecuremag.com 88 A variation of conventional intrusion detection the access control system, and change the is detection of specific patterns of information user authority dynamically as a result of the access, deemed to signify that an intrusion is detected intrusion. The item access rates can taking place, even though the user is author- be defined based the number of rows a user ized to access the information. may access from an item, e.g. a column in a database table, at one time, or over a certain The intrusion detection profile period of time. In a preferred implementation, the method further comprises accumulating By defining an intrusion detection profile, with results from performed queries in a record, an item access rate, associating each user and determining whether the accumulated re- with one of the profiles, receiving a query from sults exceed any one of the item access rates. a user, comparing a result of the query with The effect is that on one hand, a single query the item access rates defined in the profile as- exceeding the allowed limit can be prevented, sociated with the user, determining whether but so can a number of smaller queries, each the query result exceeds the item access one on its on being allowed, but when accu- rates, and in that case notifying the access mulated not being allowed. It should be noted control system to alter the user authorization, that the accepted item access rates not nec- thereby making the received request an unau- essarily are restricted to only one user. On the thorized request, before the result is transmit- contrary, it is possible to associate an item ac- ted to the user. The result of a query is evalu- cess rate to a group of users, such as users ated before it is transmitted to the user. This belonging to the same access role (which de- allows for a real time prevention of intrusion, fines the user’s level of security), or connected where the attack is stopped even before it is to the same server. The result will be restrict- completed. This is possible by letting the in- ing the queries accepted from a group of us- trusion detection process interact directly with ers at one time or over a period of time.

A mature Intelligent Escalation recognizes evolving application threats and automatically triggers application protection.

Inference detection and selective analysis before the result is transmitted to the user. This implementation provides a second type The user, role and server entities are not ex- of intrusion detection, based on inference pat- clusive of other entities which might benefit terns, again resulting in a real time prevention from a security policy. Items subject to item of intrusion. access rate checking are marked in the policy, so that any query concerning the items auto- Intelligent protection escalation matically can trigger the intrusion detection process. This is especially advantageous if A mature Intelligent Escalation recognizes only a few items are intrusion sensitive, in evolving application threats and automatically which case most queries are not directed to triggers heightened levels of application pro- such items. The selective activation of the in- tection across the enterprise. A treat man- trusion detection will then save time and proc- agement system recognizes evolving applica- essor power. The intrusion detection policy tion threats and automatically triggers height- further includes at least one inference pattern, ened levels of application protection across and results from performed queries are accu- the enterprise. This unprecedented intelli- mulated in a record, which is compared to the gence provides organizations with maximum inference pattern, in order to determine flexibility in weighing business needs and op- whether a combination of accesses in the re- erational performance with information risk. It cord match the inference policy, and in that also ensures that an attack against a single case the access control system is notified to location triggers rapid, appropriate, response alter the user authorization, thereby making throughout the distributed enterprise. In By- the received request an unauthorized request, pass mode the treat management system www.insecuremag.com 89 allow traffic to pass through with zero per- moving at a snail's pace. Some organizations formance impact. In Passive mode it examine have a large number of Web applications, and inbound and outbound traffic to detect security those applications are changing daily. They violations. In Active mode the treat manage- may have checked for vulnerabilities in a few ment system provide full intrusion prevention of those apps, but any of them could lead to a to immediately detect threats, generate alerts, breach Security estimates that seven or eight and block attacks. out of every ten Websites are hosting at least one serious vulnerability that could put its data Intrusion prevention analysis across sys- at risk. Gartner has estimated that figure at tem layers closer to 90 percent.

It is difficult to detect advanced attacks on The favorite vectors for Web attacks data and data misuse by monitoring only one system layer. A method and system for over- Common vulnerabilities and exposures across coming the foregoing difficulties provides for the Web, include application-level attacks the introduction of a privacy policy with en- such as cross-site scripting, SQL injection and forcement points that span multiple system buffer overflow as the favorite vectors for Web layers. The privacy policy is coupled with in- attacks. SQL injection is a technique used to trusion prevention analysis between multiple exploit Web-based applications by using system layers. The scope, both in data and in client-supplied data in SQL queries. time, for enforcing data privacy and encryption is then dynamically optimized between multi- SQL injection attacks are caused primarily by ple system layers. that includes application applications that lack input validation checks. database sessions, table data access, table Yet most enterprises still do not own a Web space access, and database file level access. application firewall, and many don't yet do any application scanning, experts say. Web appli- Detect advanced attacks and data leakage cation firewalls provide essential protection against application attacks. An application In a system for overcoming the foregoing diffi- firewall is an enhanced firewall that limits ac- culties, selected rules control the amount of cess by applications to the OS of a computer. data that is exposed, and the time for exposure of unencrypted data. A policy under- Conventional firewalls merely control the flow lying the selected rules defines the extent to of data to and from the CPU, examining each which data privacy is to be enforced for par- packet and determining whether or not to for- ticular data. At the intrusion detection point, a ward it toward a particular destination. An ap- scorecard is provided to accumulate violation plication firewall offers additional protection by attempts. On the basis of the number of viola- controlling the execution of files or the han- tion attempts, session statistics, and data ac- dling of data by specific applications. Many cess statistics spanning multiple system lay- enterprises have never had a third party audit ers, one can determine whether a threshold their apps for vulnerabilities - in fact, many indicative of an attack has been reached. A large enterprises don't even know how many system as described above enhances the abil- Websites they operate, they say. The main ity to detect advanced attacks on data as well problem is there is no single tool that can find as instances of data misuse and data leakage. and fix all of the vulnerabilities.

Protecting applications and servers Web application firewalls protect against some threats, but they also let others through. App The Web application security problem scanning tools can find much vulnerability, but they are far from 100 percent effective. Ulti- All over the industry, application security ex- mately, you want to build the vulnerability perts are warning IT and security departments scanning and testing phase into your devel- that the gap is growing between today's opment process. Realistically, however, enter- rapidly-evolving app-oriented exploits and the prises should be more concerned about the still-nascent defenses that most enterprises applications they've already deployed than have in place. Yet, so far, most enterprises are about revamping their QA process. www.insecuremag.com 90 It makes more sense to start backwards and ment 6.5 requires that Web-facing applica- check the apps that are exposed. Enterprises tions be developed in accordance with secure should attack the problem first by identifying coding guidelines to guard against such at- all their sites and the applications running on tacks. A successful SQL injection attack can them, experts say. An audit by a third-party have serious consequences. SQL injection expert and a scan by a vulnerability scanning attacks can result in the crippling of the pay- tool can give the enterprise a starting point for ment application or an entire e-commerce site. remediation. Through this avenue of attack, an attacker can break out of the Web server and database PCI requirement on Web facing realms, gaining complete control over the un- applications derlying system. Another serious conse- quence can be the compromise and theft of Recently, commercial shopping cart products data that resides within the payment applica- have been the focus of attack by hackers who tion infrastructure. seek account information. PCI DSS Require-

Recently, commercial shopping cart products have been the focus of attack by hackers who seek account information.

The SQL injection problem Unfortunately, the practice of SQL injection is easy to learn. Fortunately, with a little fore- Most databases are set up in a way that thought, you can prevent it. makes breaking in relatively easy. But secur- ing the database has become simpler. A few Protection from SQL injection straightforward steps can vastly improve secu- rity, usually by locking out all users except ap- There are two primary methods to protect your plications and DBAs. But even that restriction database from SQL injection. First, make sure doesn't completely protect your data. that applications validate user input by block- ing invalid characters and use protected que- One of the primary security breaches organi- ries that bind variables rather than combining zations experience today takes place via ap- SQL statements together as strings such as plications that connect to databases. Applica- stored procedures. Second, install Application tions don't use native database security. In- Level Firewalls to protect your database from stead, they access the database as a "super SQL injection and other threats targeting web user" and, therefore, could represent a risk to applications. If you want to know exactly data security. what's going on with your Web servers, a Web application firewall, or WAF, is worth every One of the most common examples of exploit- penny. ing this risk is known as SQL injection. SQL injection isn't a direct attack on the database. Available in software or appliance form, WAFs Instead, it takes advantage of the way many work at the application layer, using deep- Web applications that access databases are packet inspection to reveal the inner workings developed. SQL Injection attempts to modify of Web applications while thwarting attacks the parameters passed to a Web application made possible by insecure programming. via a Web form to change the resulting SQL statements that are passed to the database Computers outside the control of its in- and compromise its security. If successful, an tended users attacker can hijack the database server and be granted the same permissions to add, A computer may sometimes be outside the drop, and change users that the application physical control of its intended users; for ex- has. From that point, the database is fully ex- ample, a server, USB-drive or disk may be posed. stolen rather easily. www.insecuremag.com 91 Therefore, it is prudent to restrict access to tion solution that can be application transpar- the computer's functions, for instance by re- ent and resistant to 'multiple attack vectors' quiring the entry of a password. It is also pru- protecting the access to API, to databases dent to protect the files on the computer by and to SSL communication sessions. An en- encrypting them, for instance under an en- cryption server box should be hardened and cryption key derived from the password. The the session should be authenticated (with a password itself should not be kept in the clear password or multi-factor authentication) and on the computer. In this way, only parties that encrypted (SSL or similar). Lock down the ap- know the password can use the computer and plication storage of the passwords to the log- read the files, even if they have direct ins for the database, communication and the access to the computer's storage devices. The encryption server. A mature transparent file password should be strong enough that an system encryption product on the application attacker cannot guess it and then decrypt the server platform can lock down the storage of files. We assume that user and computer the password and may also delegate a trans- have some secure means for communicating, parent authorization to the application. perhaps because the user has direct, physical access to the computer, or can establish a se- The exhaustive search attack cure network connection with the computer. The user may type a password into the server A slow one-way algorithm will not noticeably at log-in time and in addition to we add a increase the cost of one operation (e.g. for the password supplement that may be 40 bits legitimate user when logging in), but it should chosen randomly. substantially increase the task of mounting an exhaustive search attack. A common ap- Protecting credentials in applications proach is to iterate the original one-way func- tion many times. Some systems one-way Passwords are the most common form of user function encrypts a known string 25 times with authentication in computer systems. The DES using a key derived from the user's password is always a weak link in any protec- password (another feature is that the salt tion system. An administrative or master value actually modifies the DES algorithm it- password should be particularly complex. self, making it harder for an attacker to use According to a recent survey, 66% of enter- dedicated DES hardware to mount an attack. prises have more than 100 applications, 92% Given the current computer resources avail- of which connect to other applications using able, we recommend a minimum of 5000 it- hard-coded (embedded) passwords erations for constructing the hash algorithm. (SOURCE: Cyber-Ark Password Survey 2006.) Password strengthening

When two software applications connect, a Password strengthening is a compatible ex- script is created which has the powerful user tension of traditional password mechanisms. It name and password in clear text, a serious increases the security of passwords, without security risk. Studies of production computer requiring users to memorize or to write down systems have for decades consistently shown long strings. that about 40% of all user-chosen passwords are readily guessed. Passwords easily Password strengthening does not assume any guessed are known as weak or vulnerable; extra hardware, and does not introduce any of passwords very difficult or impossible to guess the vulnerabilities that come with extra hard- are considered strong. Only passwords are ware. These characteristics should make discussed in this section, but other (stronger) password strengthening easy to adopt, and authentication types should be considered appealing in practical applications. The based on a risk assessment. method does not require users to memorize or to write down long passwords, and does not Lock down the passwords rely on smart-cards or other auxiliary hard- ware. The main cost of our method is that it Below is one easy way to solve the general lengthens the process of checking a pass- password protection issue by using an encryp- word. www.insecuremag.com 92 Use salted passwords with the pre-computed list. Systems should therefore enforce password complexity rules, Each password hash is associated to a small, such as minimum length, requiring letters to usually random value called salt. The salt be chosen from different sets of characters does not need to be kept secret, and it is used (e.g. lower-case, upper-case, digits, special together with the password to generate the characters), etc. An appropriate password password hash. While the use of salted pass- length depends on the amount of resources words does not increase the task for recover- available to the attacker that an organization ing a particular password, a salt of sufficient wishes to defend against. Assuming an at- length should preclude pre-computed, offline tacker has access to optimized DES-cracking dictionary attacks, as it becomes impractical hardware, an organization may need to en- to compute a large table of hashes corre- force 12-character passwords and password sponding to possible passwords and salt val- expiration duration of 60 days to mitigate a ues in advance. brute-force attack against the password hash.

Enforce complex passwords Generate random passwords

One of the weakest aspects of password A password generator is able to a strong based authentication is the low entropy of password policy of a random sequence of commonly chosen passwords. The main numbers, lower-case letters, and upper-case attacks for recovering clear text passwords letters. These passwords are random and from hash values consist of computation of all therefore very difficult for a hacker to guess. A possible passwords up to a certain number of password generator thwarts any key-logging characters (exhaustive search attack), or per- attempts by automatically copying the gener- haps a list of typically chosen passwords (dic- ated password into the password field. Since tionary attack). The computation is usually your password is never typed and never cop- performed offline and the attacker simply ied to the clipboard, a keylogger has no compares the values on the password table chance to capture your information.

Use non-privileged users for web applications.

Challenge response to avoid replay attacks ensure the account has only the minimum privileges granted to run the application. In no Both the central and local copy will be re- cases should a user that is a member of the placed every time the user picks a new pass- DBA group be allowed to run web applications word. Both passwords will be replaced every that are exposed to public or less-privileged time the computer is re-started and can no es- users. tablish a secure network connection with the central key management computer. A Summary of protecting passwords challenge-response process may be added to avoid replay attacks if a cloned end-point Specifically, organizations can implement the server is attacked by using the manually en- following steps to protect the confidentiality of tered password part. password hashes: use non-privileged users for web applications. Restrict access to pass- Use non-privileged users for applications word hashes, Audit SELECT statements on selected views (DBA views). Encrypt IP traffic. One technique for capturing password hashes Enforce a minimum password length. One so- is to exploit excessive permissions for data- lution to the application-to-application pass- base users configured to execute web-based word dilemma is to deploy software that application code that is susceptible to SQL moves script-based passwords into a central- injection attacks. When selecting a user ac- ized and secured point. count to provide access to a web application, www.insecuremag.com 93 Example - a retail industry scenario use the data and processes on the Local Se- curity Server to decrypt cached/archived en- Each store location is storing sensitive cus- crypted credit card data. The impact of a suc- tomer information and need to operated also cessful breach of this process could be ex- in situations where the WAN connectivity to treme. Customer data could be compromised, the central system is unavailable. The Local resulting in customer identity theft. It is vital Security Server provides authorization, log- that a robust business process, complete with ging and encryption services and are man- adequate checks and balances, be instituted aged by a support person and a system ad- at every store location that will run a Local ministrator at the respective store location. In Security Server. Additional technologies could this scenario a tight integration of PKI and the be deployed to further protect this vital aspect Store Security System is deployed. Each Lo- of the Local Security Server’s operation, such cal Security Server (as well as Central Secu- as smart cards. A smartcard based identifica- rity Server) retain a cached copy of the en- tion, authentication, and authorization mecha- crypted encryption key while in an operational nism would be a significant improvement in state. The SSL private keys are stored on or in protecting the startup and unlock process for connection to the Application the servers. each Local Security Server. It is understood, however, that such measures would not be Protecting local security servers feasible to deploy at each The Company and franchisee property. As such, a robust busi- Each Local Security Server should be locked ness process as mentioned above is even upon start-up. While locked, all sensitive data more important to address carefully. In nu- is encrypted and presumably safely stored. merous other industries, mission critical appli- During the Local Security Server start-up pro- cations commonly leverage technologies such cedure the application gets unlocked so that it as smart cards, one time passwords, and oth- can get on with its business processing func- ers for protecting such vital operating states tions. Unlocking may occur through an auto- as unlocking the Local Security Server. mated or manual process – the latter is in- voked in situations where the WAN connec- Local administration staff access to keys tivity is unavailable for some reason or an- other. The security of this process depends on At various times during normal Store Security the secrecy of the startup login contexts, System operations, store location system ad- which are unique to each store location and ministration staff are likely to have access to only used once in theory. Under the automatic startup login contexts and encryption keys. unlocking process, the startup login context Despite the fact that key management has must be discarded after use (and wiped from been carefully thought through to minimize memory) and then a new startup login context these exposures, opportunities do exist for is automatically rotated in via the Security Level 1 support staff to compromise customer Administration Server, thereby greatly reduc- data. Further, detecting this sort of insider at- ing the exposure of the startup login context. tack can be extremely difficult. The impact of a successful insider attack on the Store Security An attacker with a cloned local security System could be quite severe. Best practices server in similar data environments generally include most or all of the following measures: Back- The manual unlock process, on the other ground checks of all personnel involved in hand, exposes a valid startup login context to sensitive operations such as key manage- at least two people – a support person and a ment. Separation of data. Ideally, support staff system administrator at the respective store who have access to encryption keys should location. Although the key is rotated after use, not have access to any sensitive, encrypted a maliciously cloned Local Security Server data and vice versa. This, however, can be a environment could still be unlocked using that difficult measure to implement. Separation of startup login context if the cloned system re- duties. To the extent feasible, functional duties mains off-line. This could enable an attacker should be separate within the data center. For to invoke and unlock a cloned Local Security example, first level support personnel who Server in a safe environment and potentially handle Local Security Server unlocking should www.insecuremag.com 94 not also be involved with encryption key man- would without a doubt have a devastating af- agement. The above recommendations are fect on the Store Security System. A scenario entirely consistent with practices found in nu- such as the CA certificate appearing on a CRL merous other industries where similar access could halt the entire PKI system. Since the to sensitive customer data is required. The PKI is literally infrastructure to the Store Secu- financial services industry, in particular, makes rity System, a PKI failure could have a com- regular use of operational practices like these. mensurate affect on the Store Security Sys- tem, resulting in considerable business im- Failure of PKI or authentication server pact, and great care must be taken to ensure that the PKI is operated in compliance with all If a tight integration of PKI and the Store Se- relevant PKI industry best practices and pro- curity System is deployed, a failure of the PKI cedures.

Protection of keys in memory the host itself. The above list of recommenda- tions for encryption key handling is commonly It is essential that each Local Security Server practiced throughout various industries where (as well as Central Security Server) retain a sensitive data is encrypted. copy of the encrypted encryption key while in an operational state. This is (obviously) a ne- Protecting SSL keys on application servers cessity of its business mission. An attacker with access to a Local Security Server could SSL private keys are commonly left in plain- potentially peruse the system’s processes and text on Application servers. Although not di- memory to acquire the key and decrypt en- rectly part of the Store Security System Archi- crypted data. The likelihood of this sort of at- tecture itself, this could indirectly help an at- tack succeeding is quite low, but was it to be tacker get one step closer to successfully at- successful; the impact could be very high. tacking the Store Security System. In particu- Take every reasonable precaution to protect lar, the plain-text SSL key could enable an at- the key while the Local Security Server is op- tacker to masquerade as an Application server erational. Protection measures to consider in an Application-Local Security Server con- should include: Memory compartmentalization versation. The likelihood of such an attack - Generate a separate ID that does the actual working is quite low, but could enable an at- encryption/decryption, and ensure that no tacker to do anything that an Application other process or system ID can access its server is able to do. Consider password pro- memory. Swapping - Ensure that the tecting the SSL key for the Application server. encryption/decryption process and its memory Although this can be unfeasible in some op- do not get swapped out to a virtual memory erational scenarios, if it doesn’t present an swap/page file, which could leave behind per- undue burden, it would be a good idea. Pass- sistent residue that could include the encryp- word protecting SSL keys is commonly done tion key. Memory wiping - Whenever the key on production servers throughout various in- is no longer needed, ensure that the memory dustries. On the other hand, doing so is often location/variable where it was held is thor- not feasible. Thus, it is not uncommon to find oughly wiped, so that no memory residue is plain-text SSL keys in production data cen- left behind for an attacker to search through. ters. It is less common to find plain-text keys Consider a centrally monitored host-based in- on field-deployed servers, such as the Local trusion detection system on every Local Secu- Security Server servers. rity Server to vigilantly watch for attacks on www.insecuremag.com 95 Summary of best practices in data auditing that not only tracks all authorized ac- security management tivity, it also tracks unauthorized attempts as well as any changes to security policies – it Centralization even tracks activities of the database adminis- trator (DBA), and provides a complete audit Best practices begin with the centralization of report of all these activities. Data Security Management, enabling a con- sistent, enforceable security policy across the Separation of Roles - Regulations stipulate organization. From a centralized console, the that a data security system must provide "rea- Security Administrator defines, disseminates, sonable protection from threats." Having the enforces, reports and audits security policy, ability to log and review the activities of both realizing gains in operational efficiencies while the Security Administrator and the Database reducing management costs. Administrator provides a checks-and-balances approach that protects from all reasonable Protecting data threats.

Experts agree the best protection of sensitive Selective Auditing Capabilities - Protegrity’s information is encryption. Database level en- reporting system is highly selective, allowing cryption provides the most comprehensive your security administrators to examine the protection: Protection against storage-media information most critical to their job. thefts, storage level attacks, database layer attacks and attacks from ‘super-user’ access. Protected Audit Logs - Simply put, the audit Best practices dictate that a solution delivers: logs themselves must be secure. Protegrity encrypts all audit logs to protect against tam- Focused Protection - Choose only the sensi- pering. This prevents an administrator from tive data your organization needs to protect doing something bad and changing the logs to (Credit Card, Social Security #, Salary, etc). cover his tracks. Provide individual protection for each column through individual keys to gain an extra layer Controlling access of protection in case of security breach. It is estimated that 70-80% of all security Strong Key Management - A secure system breeches come from within the firewall. Con- is only as good as the protection and man- trolling access to the data is a critical element agement of its keys with integrated key man- to any security policy agement systems that control where keys are stored, who has access to them, and ensures Control Down to the User Level - Defining a they are encrypted and protected. security policy that allows centralized defini- tion of data access, down to the data field Protecting Policy Changes - Changes to se- level, on an individual-by-individual basis curity policy are critical events that need to be across the entire enterprise is best practice. protected. It is a best practice to require more than one person to approve such changes. Setting the Boundaries - Putting limits on Protegrity delivers this through assigning the authorized usage of data is necessary to Master Key to more than one individual. avoid breeches from the inside. Much like an ATM machine will limit the amount of money a Reporting policy person can take out of their own account, it is important to be able to set the limits on Reporting and monitoring your security policy authorized use as part of data security policy. and generating protected audit logs are fun- If the use of sensitive data should be limited to damental best practices, and required by 9-5, Monday-Friday, then any attempt to ac- regulations. A comprehensive and efficient re- cess that data outside of those boundaries porting should include: should be denied.

Evidence-quality Audit - A regulatory re- Separation of Duties - An affective security quirement, Protegrity delivers evidence-quality policy should protect sensitive data from all www.insecuremag.com 96 ‘reasonable’ threats. Administrators who have access to all data are a reasonable threat, no Earlier articles also reviewed alternative im- matter how much we trust them - trust is not a plementations of database-layer encryption. policy. Implementing a separation of duties of There are several critical goals and objectives security definition and database operations of Database-layer security that need to be provides a checks-and-balances approach met, and enterprises are faced with choices that mitigates this threat. about how to accomplish these goals. The three broad approaches to database-layer en- Requirements for data encryption solu- cryption are: tions 1. Native Database-Layer encryption My earlier articles reviewed the requirements 2. Programming Toolkits for data encryption solutions and summarized 3. Packaged Security Solutions: how implementations at three different system • Software-only packages layers approach critical and practical require- • Network Attached Encryption Devices ments. • Combination of the two topologies.

The database-layer approach proves to be the Each of these solutions has its advantages most comprehensive and versatile in meeting and disadvantages. All these alternatives pro- the need for database protection. The vide a high level of security and physically database-layer approach can be combined separating the keys from the data, but Net- with Application-Layer encryption and work Attached Encryption Devices lack the Storage-Layer encryption in meeting broader architecture to scale and perform in larger dis- protection needs in heterogeneous environ- tributed enterprise environments with high ments found in today’s large complex organi- transaction volumes. zations.

Earlier articles also reviewed best practices in while providing the flexibility to allow security enterprise data protection and how to protect professionals to deploy encryption at the ap- data at rest, and also while it’s moving be- propriate place in their infrastructure. It pro- tween the applications, databases and be- vides advanced security and usability and also tween data stores. smooth and efficient implementation into to- day s complex data storage infrastructures. A mature solution should bring together data The integration with Hardware Security Mod- protection at the application, database and file ules strengthens the key management facili- levels. The encryption solution has a com- ties through the use of tamper resistant, FIPS bined hardware and software key manage- 140-2 Level 3 cryptographic hardware. ment architecture. A mature solution ad- dresses the central security requirements www.insecuremag.com 97 Conclusion Stronger database security policies and pro- cedures must be in place to accommodate the The basic conclusion is that a combination of new environment. Centralized database man- application firewalls, plus the use of data ac- agement security must be considered to re- cess monitoring and logging may, if effectively duce cost. Implementing "point" or manual so- applied, can not provide reasonable equiva- lutions are hard to manage as the environ- lency for the use of data encryption across the ment continues to grow and become more enterprise since such a combination of con- complex. Centralized data security manage- trols does have multiple weak spots, when it ment environment must be considered as a comes to preventing damage from careless solution to increase efficiency, reduce imple- behavior of employees or weak procedures in mentation complexity, and in turn to reduce development and separation of duties. cost. By implementing solutions documented above, we should be in a better position to PCI requires that Web-facing applications face growing database security challenges, to should be guarded against attacks that can proactively meet regulatory and compliance have serious consequences. There are two requirements and to better control our sensi- primary methods to protect your database tive data. Database security is an ongoing from SQL injection. First, make sure that ap- process, we must revisit and refine our strat- plications validate user input. Second, install egy regularly to adopt new technologies and Application Level Firewalls to protect your da- address new challenges as environment con- tabase from threats targeting web applica- tinue to evolve. tions. Field-level data encryption is clearly the most There are no guarantees that any one ap- versatile solution that is capable of protecting proach will be able to deal with new and inno- against external and internal threats. A protec- vative intrusions in increasingly complex tech- tive layer of encryption is provided around nical and business environments. However, specific sensitive data items or objects, in- implementation of an integrated security pro- stead of building walls around servers or hard gram which is continuously audited and moni- drives. This prevents outside attacks as well tored provides the multiple layers of protection as infiltration from within the server itself. This needed to maximize protection as well as his- also allows the security administrator to define torical information to support management which data are sensitive and thereby focus decision-making and future policy decisions. protection on the sensitive data, which in turn minimizes the delays or burdens on the sys- Sending sensitive information over the Inter- tem that may occur from bulk encryption net or within your corporate network as clear methods. text, defeats the point of encrypting the text in the database to provide data privacy. The Database attack prevention represents a sooner the encryption of data occurs, the valuable supplement to corporate information more secure the environment. An Enterprise security by defending databases against inap- level Data Security Management solution can propriate and malicious requests for sensitive provide the needed key management for a so- information. By deploying database intrusion lution to this problem. This solution will protect detection in the enterprise, businesses have a data at rest, and also while it’s moving be- powerful tool for safeguarding information as- tween the applications and the database and sets, protecting their reputation, and maintain- between different applications and data ing customer trust. stores.

Ulf T. Mattsson is the CTO of Protegrity. Ulf created the initial architecture of Protegrity’s database security technology, for which the company owns several key patents. His extensive IT and security industry experi- ence includes 20 years with IBM as a manager of software development and a consulting resource to IBM's Research and Development organization, in the areas of IT Architecture and IT Security. Ulf holds a degree in electrical engineering from Polhem University, a degree in Finance from University of Stockholm and a mas- ter's degree in physics from Chalmers University of Technology.

For more of his work download earlier issues of (IN)SECURE Magazine. www.insecuremag.com 98