Wednesday, November 25, 2009

Survey Says 2/3 of Websites Have a Serious Security Flaw

According to a recent SecurityFocus report, "nearly two-thirds of Web sites have at least one serious security issue that would allow someone to remotely attack the site."

The number of known vulnerabilities increases with time. Every day we learn of new flaws in software. For the average business owner today, in this troubled economy, the flawed cyber-jutsu tactic is the old "head in the sand" trick. Unfortunately, unless you are sticking the attacker's head in the sand, this generally doesn't help.

Organizations without dedicated internal security teams must partner with Information Security Service Providers such as CyberCede Corporation. A company like CyberCede can assist a CIO or business owner in improving their situational awareness. Without knowing what is going on, you can't make informed decisions. Your chosen Information Security provider should employ individuals with well known and useful certifications such as the CISSP.

An Information Security professional should help you to know yourself and know the enemy. Many of the website vulnerabilities come from improper configuration. These issues can usually be remedied quickly. For organizations with large amounts of custom code, including web applications, and dynamic sites based upon database back-ends, the work can take longer; but, is even more important to accomplish.

How often should a vulnerability assessment be performed? Only you can decide; but, your Information Security Professional should help you assess the risks to your organization so you can make an informed decision.

Don't forget to breathe!

Sensei Metajunkie

Zero-Day exploit for Internet Explorer

Here is a security advisory issued by Microsoft:

If you are running MS Internet Explorer, you should keep an eye out for when they actually patch this zero-day vulnerability. In the mean time, practice safe cyber-jutsu.

This was originally posted to the Bugtraq mailing list last Friday. At the time, the exploit code was said to be "unreliable". It is getting more reliable, and the threat is growing.

The attack will probably come in the form of malicious websites being set up with the exploit code, as well as hacked websites being made use of as un-knowing agents of the malicious hackers. The style of attack is sometimes referred to as a "drive-by". If you visit the site with the vulnerable Internet Explorer browser, you will be compromised.

So, the safe cyber-jutsu move here would be to use an alternative browser, at least for the time being. Both Firefox and Safari are availble for the Windows platform. Knowing how to use more than one browser shouldn't stress your cyber-jutsu too much.

If you love Internet Explorer, it will still be there after Microsoft finds, implements, and rolls out a fix. It is said that the latest version of IE is not impacted by this. So, you could update to IE 8 as well. I still recommend having more than one brand of web-browser.

If you had two cars, and one of them had a recall for the breaks - you would drive the other car until the flawed one was fixed. This is really no different. Except the alternative browsers aren't going to cost you a dime.

Sensei Metajunkie

Tuesday, November 24, 2009

Shaolin Temple Hacks beg age-old question

I try to read the taosecurity blog, by Richard Bejtlich, when I can. For all of you fans of The Hitchhiker's Guide to the Galaxy, we could say he is a hoopy frood who really knows where his towel is.

In a recent post, Richard pointed out some information about recent hacker attacks against the Shaolin Temple in China. The temple was hacked "three times in a row", according to abbot Shi Yongxin.

This of course begs the age-old question. Which is better: Chinese Martial Arts, or Japanese Martial Arts.

So here is the answer:

It depends upon the practitioner.

That may sound like a cop-out answer, but I assure you it isn't. One must know their limitations and their strengths if one is to excel at anything in life. A short and stout person with short arms and legs, in most cases, should not be surprised if they have a hard time mastering a martial art that requires high jumping kicks through the air. Even if they learn it all, when it comes to a real combat scenario they will find that they are on the losing end against similarly trained enemies with long legs and arms. One should seek to maximize their strengths and minimize their short-comings. In the end, it is more about the practitioner than the art they choose to devote themselves to. Given any genuine system of martial arts, it is all the same at the top. They are all paths that could be called "the art of winning".

How can we apply this to our cyber-jutsu?

You must start by knowing yourself, or in the case of cyber-jutsu, knowing your information infrastructure. We have talked about this in other posts - it is the basis of all good cyber-jutsu and must be accomplished before you seek to "know the enemy".

If you are running a web server farm, and have decided that your cyber-fu or cyber-jutsu will center around your packet-filter firewall, you are making a mistake. Certainly you will want to limit the traffic through the border router or firewall; but, your attacker will certainly look for weaknesses in your web implementation.

In such a case, we might be better served by taking a more "zen-like" approach to control. The Zen Master says that you cannot control another's actions. So, you should not try to control them. Instead, just watch them. In this way, you are in control in a wider sense of the word. In your cyber-infrastructure, this translates to out-of-band IDS systems that are tuned by those who "know" your applications. It might also translate to having a robust and fast restoration process. Surely the tao of true event correlation that leads to specific knowledge rather than piles of useless data could become a part of such a cyber-jutsu strategy. How else can we better know our selves? Perhaps adding a visualization strategy to effectively and quickly communicate threats would go far in improving our cyber-jutsu.

As in hand-to-hand combat with one or more attackers, the key to success is being aware and "in the moment", and "riding the martial wind". Yes, you need techniques. But you can learn techniques anywhere. In the Bujinkan, Sensei Masaaki Hatsumi
stresses learning the "feeling" of an attack. It should be no different for cyber-jutsu.

If you are struggling to decide which new "wiz-bang" security software or security appliance to purchase, I advise you to put your purchase request down. Hire another cyber-jutsu practitioner. Hire another Systems Administrator. Hire another Information Security Professional. Invest in the talent you already have in-house. Set up attack labs that mirror your environment, and learn the "feeling" of the attack. Most of you are not even reviewing your log files with any regularity.

The path to expert cyber-jutsu is different for each of us at times. But, in common, we have a long journey toward our goal.
"Step by step, we walk the thousand mile road."
- Miyamoto Musashi
The Book of Five Rings

You can check out Richard's post at: taosecurity

You can read the original news article at: PCWorld

-- Sensei Metajunkie

Tuesday, November 17, 2009

Password Security: White Belt Education

Identification, Authentication, and Authorization are important words to consider when contemplating cyber-jutsu.

While one of the least secure methods of authentication available today, passwords are nearly ubiquitous on information systems as a means to verify the identity of an authorized user.

Words have meaning. You will find your cyber-jutsu training most illuminating if you keep a dictionary and thesaurus handy. I have physical versions of these books, as well as computerized and on-line versions. To get you started, you can investigate Merriam-Webster online. Here is a good tip: you can easily remember "m-w" for Merriam-Webster. You can reach their site by typing in for the address. I find this faster than navigating through bookmarks.

The human brain is better than a bookmark list, but, using both is best.

What is your identity? Who are you? For the skilled cyber-jutsu practitioner, hiding ones identity may be important. For the white-belt, being able to understand "identity" is most important.

Leaving behind the philosophical question of who you are, let us consider who you are to a computer system. To a computer system, you are, in most cases, a "user". The computer system maintains a unique "user name" for each person wanting access. Some computer systems allow a special user named "guest" to log in, but we are considering only your unique identity here.

Since computer systems have become wide-spread in our lives, a new problem of identity has arisen. Many of us have too many identities to easily remember. There have been and will continue to be interesting proposals for the solution to this problem. Some current technologies include: Single Sign On (SSO), and OpenID.

Regardless of the technologies we use to help ease the problem of recalling multiple identities (i.e. user names) and authentication mechanisms (i.e. passwords), if the system uses a password to validate your identity, you need to choose and recall a lengthy and complex password.

This can be difficult if you want it to be. I, however, choose to make it a fun and/or meaningful process. The choice to suffer or rejoice is yours alone. I will share with you one method to create a password that I find rewarding.

Before I go into my technique, let us discuss what we mean by a secure password. A secure password is one that is changed before an attacker can "crack" it (i.e. reveal, or guess it). Because of the progress of technology, that time grows shorter every year. Therefore, we could say that the time of the user generated password grows short. Some replacements for the password, or enhancements to the password include bio-metrics (i.e. a human number) and tokens (i.e. something you have, like a physical key or card). If you hear someone say two-factor authentication, they are referring to two mechanisms working in concert to verify your identity. We can think about a password as "something you know". We can think about bio-metrics as "something you are". Lastly, we consider a token "something you have". By mixing and matching these "factors", we can create secure authentication.

An example of a bio-metric authentication device would be a finger-print scanner/reader. Other bio-metric authentication devices in use today include iris scanners as well as the more intrusive retinal scanners. Future bio-metric authentication devices may include genetic material "finger-printing". Such devices could work off of dead skin cells, hair, mouth-swabs or blood. A device that could quickly determine the identity of a person based upon a unique number generated by their unique DNA would be the ultimate authentication mechanism. It could also be thought of as "the number of the beast" from Revelations. For better or worse, we will most likely see such a device in our time.

A good example of a token, or "something you have" would be the device you can get from PayPal to enable two-factor authentication to their site. Remember that two-factor authentication uses two of the above factors we described. In this case, PayPal uses something you know, a password, and something you have, their token. The PayPal token can be kept on your key-ring and provides a new six digit number every minute. When I log into my PayPal account, I first enter my username, or identity. I then enter a password as the first factor that they will consider towards verification of my identity. After successfully entering my password, I am then prompted to press a small button on my token. When I press the button I am given a six digit number to enter into the website. Because they know the serial number of the token they sent me, they know what that number is going to be. They validate that the number I enter is correct, and then authorize me to use their website and conduct my online financial affairs.

Now let us consider the password generation technique. Sit quietly for a moment. Sit with your back straight. Relax your muscles, but maintain proper posture. Take a deep breath. Let your belly expand as you breathe in, rather than your chest. Take another deep belly breath. As you exhale, feel the pressures of the day leaving your body like morning mist melting off a mountain lake. Take another deep breath and feel the essential joy filling your body. As your belly fills with your breath, feel the life energy filling every molecule of your body. It is a renewing energy. Each deep breath pulls in new energy and each deep exhale releases those things you do not need in your life. Breath deep again. Allow your mind to drift toward a happy time in your youth. Capture that moment with words. Bring those words back with you as you continue to breathe. Breath deep and reflect on the phrase you have brought back with you. Breath deep and feel the healing, cleansing breath become a part of you. Come back to the present time, and create your password.

I did this exercise, just now, with you (I hope). This is what I brought back this time. Because I'm sharing it with you, I can't use it as a password. I'll find more though, don't worry.

The phrase I brought back was:
"We battled for hours with water-pistols. We painted the walls like two children."
I can use some of this or all of this. I can use whole words if the system I'm creating the password for doesn't limit the length, or I can use just the first letter of each word. If you are a brain, perhaps you can quickly recall the last letter of each word, or the second letter of each word. Let us start by using the first letter of each word.

  • wbfhwwpwptwltc

This is certainly unique, but let us consider for a moment our attacker. Without going into the details of how passwords are cracked (we can do that another time), let me say that we want to make the password more "complex". By complex I mean that we want to create a password that isn't all lower-case letters. In fact, we could like it to be upper-case, and lower-case, and use also numbers and/or special characters. We also want the length to vary, but never be less than eight characters. Having all passwords exactly eight characters long gives the attacker something standardized that he can use against us.

Here are some alternatives that I feel would make a good password:

  • Wb4hwW-P.
  • wB4hw/w-p.
  • Wbfhw/w-p!
  • wPtwl2c.
  • Wb4hw/w-p. Wptwl2children.

Some password security analysts will say that you should never have any word that can be found in any dictionary as any part of the password. If you follow that advice, then the last password given above would not be a valid choice. But let us look at what is good in these passwords. I am using upper and lower case letters in all of them. In the second example, I have chosen not to use an upper case letter to start the password, because I don't want to be predictable. In this second case, I chose to emphasize the "Battle" that took place. In this example I also chose to use the "/" special character that is often seen in text regarding the word "with". In the third example, I chose to replace the period with an exclamation point. In most of the examples I chose to replace the word "for" with the number "4". Some people will sometimes replace the letter "A" with the number "4", or the letter "B" with the number "8", and the letter "O" with the number "0" (zero). The only rule here - is that you need to remember what it is you are going to do. Don't over-complicate this process. Keep it fun. If it gets boring, then maybe you can add something more to it.

Try a simple phrase, and stick to the basics I've outlined, and your passwords will be much more secure until you change them. I recommend changing all of your passwords at least once per month. Choose a time of the month that will be the same every month. Then sit down, relax, and breath! :)

Sensei Metajunkie

PS -
here are a few examples that are BAD CHOICES and should NOT be used:

  • painted this is a dictionary word
  • Painted this is still a dictionary word
  • p41nt3d
    even though the last one doesn't look like it on the surface, there are dictionaries for cracking passwords that replace the common numbers for letters - don't use this type of obfuscation for a dictionary word-based password.

Friday, November 6, 2009

What is the CISSP security certification about?

Several of you have asked me about my CISSP status. There have been questions such as:

  • What is it?
  • Is it useful?
  • Was it hard to obtain?
  • Once you get it, are you done?

To start, CISSP stands for "Certified Information Systems Security Professional". It is a certification granted by the (ISC)2 (ISC squared) international organization. You can find out more about (ISC)2 at their website.

As for the question of usefulness... I think it is a very useful certification. (ISC)2 defined (and continues to update) a Common Body of Knowledge (CBK) which professionals like yours truly can use to communicate effectively on matters of Information Security.

It was not easy to obtain my CISSP, but I'm not certain I would say it was hard either. The exam was allocated five hours for completion. Many of the questions required "the best" answer of several correct answers, given a particular situation. I took four hours to complete my exam. Any one thing that I sit down to do, which takes four hours, immediately loses the ability to be called "easy". I went to an exam preparation intensive course, and purchased three books to assist in taking the exam.

The ten domains of the CBK that I was tested on included:

  • Access Control Systems and Methodology
  • Application and Systems Development Security
  • Business Continuity Planning and Disaster Recovery Planning
  • Cryptography
  • Law, Investigation, and Ethics
  • Operations Security
  • Physical Security
  • Security Architecture and Models
  • Security Management Practices
  • Telecommunications and Networking Security

The above really are Information Security in a nutshell. However - that is a very large nut.

Regarding the question of being done after the test, the answer is "no". Becoming a CISSP is really the entrance into a community or society of Information Security Professionals. Each CISSP must adhere to an Ethics Policy as well as submit information concerning their ongoing education and experience within the CBK domains.

I think if anyone would say that obtaining the CISSP certification status is "hard", it would be due to the sheer broad expanse of the topics that must be studied to be prepared for whatever the exam may choose to throw at you. There is a lot of information to be assimilated. If anyone has any particular questions about the CISSP, I'd be happy to help out where I can.

Monday, November 2, 2009

What is best in life? ... "Crush your enemies..."

"Crush your enemies. See them driven before you. Hear the lamentation of [their] women." - Conan

Ah - Conan... those were simpler times, no?

So often the question of the newbie to cyber-jutsu reaches my ears. "Sensei, how can we crush them? What is the best way to destroy them? What is the best tool to pwn with?"

For those of you who are willing to hear what I have to say, listen. Before seeking to destroy the enemy, seek to understand yourself.

What does this mean? Do you have your accurate inventory? If you have been following this blog, you may have created an inventory of every system and every application that is within your Information Infrastructure. If you did this last week, or the week before - is it still accurate? Have you devised a way to keep it up to date, up to the minute?

Which systems contain your private information? Which known vulnerabilities currently threaten those systems?

What was the last attack that failed? What was the last attack that succeeded? How do you know it failed? What damage was done by the success? How are you tracking these incidents?

It is not difficult to set up an open source intrusion detection system (IDS) such as SNORT, and have it report into an open source database such as MySQL. It is even quite easy to have a front end such as BASE (successor to ACID) to monitor the events. Slightly more advanced would be to set up Sguil. All of this should be done. However, the trick of it is to "tune" the IDS signatures you are using. The signatures must be updated regularly also. This takes time.

It takes time to secure your information infrastructure. It takes paying the price of perpetual vigilance. It takes time to read log files, to follow security mailing lists, to identify, track, patch, and report on known vulnerabilities. It takes time to manage a firewall and an IDS system. It takes time to educate users on how to create a significantly complex password, and remember it. It takes even more time to explain to them why they should do this.

All of this must be done before you seek to crush your enemies. Know yourself first. The better you know yourself - the faster you will learn to know your enemy.

Changing Passwords - Yes, you must

This morning I read a disturbing post by a security professional, who suggested that we don't need to change our passwords for 25 years.

His or her suggestion was based upon a belief that an attacker will not take any significant amount of time to crack your password. This simply isn't the case.

The whole notion of cryptography is based around trying to keep a secret. The practice of cryptography understands, however, that the secret can only be kept for so long. This is why we "change keys". While a password isn't directly cryptography, it does try to keep a secret. Also, sometimes an attacker will be trying to break cryptography in order to get at your password.

A good example is the Windows login password. Your password is never actually sent across the wire. In its place is a "hash" of your password. The hash is composed using a cryptographic function. Because Windows doesn't ever "change the keys", it is possible for an attacker to use tools to generate what are called "rainbow tables". A rainbow table is a pre-generated table of every possible hash that could result, given a certain set of parameters.

The parameters in question are the character set and length. For example, I could create a rainbow table set which would pre-generate the hashes for every password you could create that was up to 8 characters, and included upper and lower case letters, numbers, and special characters such as a dollar sign, period, or asterisk. It takes a long time to generate a rainbow table, but once it is completed, matching the pre-generated hash with the windows password hash that was sent across the wire can take micro-seconds to mere minutes.

The longer and more complex the password you are trying to crack (perhaps "match" would be a better word here), the longer it will take you to create your rainbow tables. Also, the larger the set of pre-generated hashes, the longer it will take the computer to search through them all to match your password.

Certainly, the longer and more complex a password is, the longer any brute-force method of cracking that password will take.

Since we can now see that there will be times when the amount of time you give an attacker to crack a password, before you change that password can be critical to security - let us all change our passwords today.

If you have any questions, please let me know. This is the place to do it - go on ... post a comment. :)

Sensei Metajunkie