Oh, our love of wifi. We have all seen the funny access point names, and usually it is nice to see them instead of the generic "Linksys". Wifi has come a long way in its short history, from being totally insecure to the relative state of security we have today. What is really crazy to me is that there are still people using WEP. It makes me wonder why the manufacturers are even including WEP in their equipment when it has been cracked for a long time now.
Due to the way that WEP encrypts its data, there is a weakness in the algorithm itself, so no amount of careful configuration fixes it. Thankfully there have been evolutions in the way wifi is encrypted and we now have WPA and WPA2. Here is the deal though. Your data is only kind of secure. Wireless is transmitted to places you probably didn't think of, and someone can pick up the signal when you really didn't want them to. Do you have a shared bathroom for your workplace with another company? Someone could be sitting in the stall capturing traffic on their lunch break. Sounds like it would never happen, right? Wifi can go further than you may think, and if someone has the time to spend sniffing your network then you could be compromised.
Another aspect to this is the rogue access point. If your company allows personal devices in the workplace, employees may still want to get on the internet with that device. Thing is, your company doesn't allow them to connect it. Next thing you know they have brought an access point from home and connected it to your network without you knowing. In a worst-case situation they even left it unsecured, and now you have all sorts of people accessing your network and using your internet connection for crazy things.
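The defensive counterpart to the two problems above (WEP still in use, and rogue access points plugged into the network) is a periodic wireless survey compared against what IT actually owns. The following is an added example, not code from the original post: it takes a constructed list of scan results of the kind a site survey tool reports (SSID, BSSID, security type, signal strength) and flags two things: any access point advertising a managed SSID from a BSSID that is not on IT's allowlist, and any open or WEP network heard strongly enough that it is probably on the premises. The SSIDs, MAC addresses, allowlist and the -75 dBm threshold are all assumptions made for the example.

```python
"""Wireless survey audit (added example, not from the original post).

Input is a constructed list of scan results of the kind a site survey
tool would report. A real deployment would parse the survey tool's
output instead of using the inline data below.
"""
from collections import namedtuple

AccessPoint = namedtuple("AccessPoint", "ssid bssid security signal_dbm")

# Constructed sample survey; every MAC address here is made up.
SURVEY = [
    AccessPoint("CorpNet",       "00:11:22:33:44:01", "WPA2", -45),
    AccessPoint("CorpNet",       "00:11:22:33:44:02", "WPA2", -60),
    AccessPoint("CorpNet",       "aa:bb:cc:dd:ee:01", "WPA2", -50),  # BSSID IT does not own
    AccessPoint("CorpNet-Guest", "00:11:22:33:44:03", "WPA2", -48),
    AccessPoint("linksys",       "de:ad:be:ef:00:01", "OPEN", -40),  # open AP, very strong signal
    AccessPoint("OldPrinter",    "de:ad:be:ef:00:02", "WEP",  -70),  # WEP, still on premises
    AccessPoint("Neighbor",      "12:34:56:78:9a:bc", "WPA2", -85),  # weak signal, someone else's
]

# Authorised BSSIDs per managed SSID (assumption: a list IT maintains).
AUTHORIZED = {
    "CorpNet": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "CorpNet-Guest": {"00:11:22:33:44:03"},
}

WEAK_SECURITY = {"OPEN", "WEP"}


def find_impersonating_aps(survey, authorized):
    """APs advertising one of our managed SSIDs from a BSSID IT does not own."""
    return [
        ap for ap in survey
        if ap.ssid in authorized and ap.bssid.lower() not in authorized[ap.ssid]
    ]


def find_weakly_secured_aps(survey, threshold_dbm=-75):
    """Open or WEP networks heard at or above the (assumed) on-premises threshold."""
    return [
        ap for ap in survey
        if ap.security.upper() in WEAK_SECURITY and ap.signal_dbm >= threshold_dbm
    ]


def audit(survey, authorized):
    """Return findings keyed by category; each value is a list of BSSIDs."""
    return {
        "impersonating": [ap.bssid for ap in find_impersonating_aps(survey, authorized)],
        "weak_crypto": [ap.bssid for ap in find_weakly_secured_aps(survey)],
    }


if __name__ == "__main__":
    for category, bssids in audit(SURVEY, AUTHORIZED).items():
        print(f"{category}: {bssids}")
```

The signal threshold is only a rough way to separate your building from the neighbours; pinning down where a rogue AP physically sits still takes a walk with a survey tool. The BSSID check is the stronger signal: an AP broadcasting your SSID from hardware you do not own is either a rogue or an impersonator, and either way it deserves a visit.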
On the lesser side of the scale is Bluetooth. It's great for connecting small devices to your phone or laptop but is still an area of concern for security professionals. Bluejacking and bluesnarfing are the main things that come to the front when addressing Bluetooth issues. Ever got some strange spam message on your phone and you're not sure where it came from? That would be bluejacking. The name is a little misleading, as they are not actually taking over your phone. Bluesnarfing is where they actually are able to gain access to your phone and check out your contacts, files, etc.
I was once on a forum where someone wrote their company was 99% wireless. This made me really nervous for their company. There is a common misconception that your network is secure with WPA2 and that no matter what, no one will see your data. Well, I am sure that is what they said for WEP too. Here is the deal. Wifi traffic can be captured and saved forever and then decrypted later. Let's say a competitor has been logging your wifi traffic for the last 6 months. They haven't been able to see what is on it, but they still have it. Tomorrow there is a crack released for WPA2 allowing an attacker to see your network key, network traffic, etc. with the click of a button. Not only is the attacker able to see the traffic moving forward, but they would be able to use the crack against the logged network traffic. They now have all your company secrets for the last 6 months.
-- Joe McShinsky
Sunday, June 17, 2012
Wednesday, May 23, 2012
Security+ Topic - Sneakernet
10 points to Gryffindor if you know what sneakernet is. I find it really interesting how technology has come full circle in the way that we all share files. Here is your history lesson. Before networks became a major part of our lives, people would have to share files by taking a floppy disk from one computer to the other. This was commonly referred to as sneakernet because of the sneakers on your feet moving the files. Now ask yourself this. How many times has someone wanted a file you have, so you copied it to a flash drive or CD/DVD to give it to them? Probably a whole lot. These forms of data transfer are not immune to security threats, as they pose their own problems that must be addressed.
The most important thing you can do to try and protect yourself is to turn off the auto-play feature. The auto-play feature makes a disk more user friendly by automatically bringing up a selection menu or interface. The concept is great from a developer standpoint, as it looks all fancy and users get excited about what they are seeing. From a security standpoint, this is a nightmare. The ability of a CD, DVD, or flash drive to automatically execute code on my computer makes me nervous. Sure, there is good software out there, but there is also bad software. I would like to give you an example of how you or your company may get infected.
From the standpoint of an attacker, I have learned some names of people in your company and their positions. I may not know how tight your computer security policy is, but I am going to do a little test on employee computer privileges. After getting some materials such as document headers, logos, and other company-related items, I create a CD named "Company Christmas Pics". I walk into the company asking for directions someplace, leaving a CD by the front desk, another by the elevator, and a few more around employee break areas or parking lots. As an employee you become curious when you see one, but you don't remember any company Christmas parties this last year, so you decide to check it out. When you put in the CD it automatically pops up an error saying that it is unable to open. You don't think anything of it and pull the disk out, most likely throwing it in the trash. What really happened, though, is that your computer got infected with a virus in the background, because you run your account under administrator privileges.
The same can be true for flash drives as well as CDs or DVDs. For flash drives it could be almost the opposite of this scenario, though. As a manager for your department, you are charged with taking the backups for your employees to a safe deposit box via a flash drive. It's been a long day and you're tired, so when you get in your car you accidentally drop the flash drive out of your pocket into the parking lot. You get home, notice it is gone, but think it must be in your car somewhere. The next day you forget about the whole thing and make your way to work like normal. During this whole time someone has picked up the flash drive from the parking lot and is using the information to exploit your company.
The bottom line here is that you have to be careful with how you handle your removable media and take caution in how you open it. The best bet would be to have a separate lab computer that you can test media with before putting it into your regular work computer. This may not always be possible, though, so two steps follow directly from the stories above: turn off auto-play so nothing runs just because a disk was inserted, and don't do day-to-day work under administrator privileges, so that anything that does run cannot take the whole machine with it.
-- Joe McShinsky
Saturday, April 7, 2012
Security+ Topic - Physical
You know those really cool server rooms in the movies where they are surrounded by glass and you can see all the neat stuff? I have only ever seen one telco closet that I would put in a fishbowl like that, mostly because there was nothing configurable in it and the wiring was very tidy. I don't need people looking in on my equipment and seeing that something is out of date or not supported anymore. I will take an extreme example here, but let's assume that someone is still using a Cisco 2500 series router for their core system. If my rack was in a fishbowl and some attacker posing as a repairman saw that, they would immediately know that a DoS attack would bring down my network in no time. Or they could use a specific exploit on my router, as they now have more specific knowledge on where to start. Don't get me wrong; I love seeing those sweet setups in movies, but come on, they are not realistic.
The physical setup of your equipment is important for a variety of reasons. I run Cisco gear at home, and one day my son came with me into my workshop. That little guy loves to push buttons, and can you guess what button he pushed right away? Yep. My main Cisco router. The physical security of my home equipment was breached by a 2-year-old. It didn't help that the button was right at his eye level, but you get the point. Buttons have a way of being pushed by people who don't know what they are doing or don't realize how close they are to equipment. You could invite your friend from college to see the cool gear you are working with, and the next thing you know they have accidentally pulled a network cable out just enough to lose connectivity but not pop out of the port.
A general rule of thumb is that there need to be three physical barriers to keep people away from your important gear. The most obvious one is the main entrance to your workplace. Depending on where you work it could be a simple door to the business or an entrance protected by armed guards. Either way, when someone walks into your business they should see someone there to greet them. This is the first step in making sure that people don't wander where they shouldn't.
I have worked in a variety of business sizes, and in general the company's servers are separate from the rest of the employees (as they should be). This would be the second level of defense in our little "push random buttons" game. Even regular employees should not have access to the IT department or computer lab areas.
The third level of physical security would be the locked server room door. There are multiple ways to secure a server room, from a simple key lock to a biometric scanner, but the end goal is the same. Keep people out of there! You wouldn't want someone on their last day of work walking by and turning off all the power to your servers or plugging network cables into random spots. That would be no fun.
Last but not least, don't forget your motion sensors and cameras. Motion sensors can activate the cameras or simply send an alert to your phone that someone has walked into the server room. Cameras are obvious, as they give you a visual of who was in there.
-- Joe McShinsky
Monday, March 12, 2012
Security+ Topic - IDS
The Intrusion Detection Systems available to network administrators today are some amazing pieces of equipment, able to detect everything from a single pin-pointed attack to a well-masked distributed attack on your network. These vital parts of your network provide the administrator with immediate notification of issues or potential threats and, if integrated with an Intrusion Prevention System, are able to repel attacks. The first part of the process is making a positive identification of a potential threat. Historically this was done based on signature files, similar to traditional virus scanners. As of this writing they are able to analyze traffic patterns, sources of data, combined logs from outside nodes, and other resources to detect threats. In general, they are trying to check for any compromise of confidentiality, integrity, or availability of resources.
There are a lot of different alerts that could act as triggers for the Intrusion Detection System, such as an excess of ping requests or traffic patterns that are extremely abnormal. There is also the data source of the requests to take into consideration. An easily detectable source would be a single node, while a distributed attack may take the intrusion detection system longer to detect, because no one source stands out.
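To make the "excess of ping" trigger and the single-node versus distributed distinction concrete, here is an added example that is not from the original post and not the logic of any real IDS product. It runs a sliding-window counter over constructed ICMP log lines (the line format, the 10-second window, the threshold of 20 echo requests per destination and the 80% single-source rule are all assumptions for the example) and raises one alert per flooded destination, labelled by whether one source dominates or the load is spread across many.

```python
"""Toy network IDS trigger for excessive ICMP echo requests.

Added example, not from the original post or any IDS product. Log lines are
constructed; the assumed format is:
    <ISO timestamp> ICMP <src> -> <dst> echo-request
"""
from collections import Counter, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # assumed sliding window
THRESHOLD = 20                   # assumed echo requests per destination per window
SINGLE_SOURCE_SHARE = 0.8        # one source sending >= 80% of the window => single-node flood


def parse_line(line):
    """Split one constructed log line into (timestamp, proto, src, dst, kind)."""
    ts, proto, src, _arrow, dst, kind = line.split()
    return datetime.fromisoformat(ts), proto, src, dst, kind


def detect_ping_floods(lines):
    """Return alerts as (dst, flavour, count_in_window, distinct_sources)."""
    events = {}  # dst -> list of (timestamp, src)
    for line in lines:
        ts, proto, src, dst, kind = parse_line(line)
        if proto == "ICMP" and kind == "echo-request":
            events.setdefault(dst, []).append((ts, src))

    alerts = []
    for dst, evs in events.items():
        evs.sort()
        window = deque()
        for ts, src in evs:
            window.append((ts, src))
            # Evict anything older than WINDOW relative to the newest event.
            while ts - window[0][0] > WINDOW:
                window.popleft()
            if len(window) >= THRESHOLD:
                sources = Counter(s for _, s in window)
                top_share = sources.most_common(1)[0][1] / len(window)
                flavour = "single-source" if top_share >= SINGLE_SOURCE_SHARE else "distributed"
                alerts.append((dst, flavour, len(window), len(sources)))
                break  # one alert per destination is enough for this toy
    return alerts


def make_sample_log():
    """Constructed traffic: one single-source flood, one distributed flood, one benign trickle."""
    base = datetime(2012, 3, 12, 10, 0, 0)
    lines = []
    # 25 pings from one host to 10.0.0.1 within 5 seconds: single-source flood
    for i in range(25):
        ts = (base + timedelta(milliseconds=200 * i)).isoformat()
        lines.append(f"{ts} ICMP 10.0.0.50 -> 10.0.0.1 echo-request")
    # 24 pings from 12 different hosts to 10.0.0.2 within 6 seconds: distributed flood
    for i in range(24):
        ts = (base + timedelta(milliseconds=250 * i)).isoformat()
        lines.append(f"{ts} ICMP 192.0.2.{i % 12 + 1} -> 10.0.0.2 echo-request")
    # one ping every 5 seconds to 10.0.0.3: never reaches the threshold
    for i in range(10):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} ICMP 10.0.0.60 -> 10.0.0.3 echo-request")
    return lines


if __name__ == "__main__":
    for alert in detect_ping_floods(make_sample_log()):
        print("ALERT dst=%s kind=%s pings=%d sources=%d" % alert)
```

The distributed case is why the post says a spread-out attack takes longer to spot: per-source counting would never trip on 192.0.2.x hosts sending two pings each, so the detector has to aggregate on the victim side and only then look at how the sources are distributed. The thresholds here are placeholders; a real deployment tunes them against a baseline of the network's normal ICMP volume.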
How can you use an Intrusion Detection System in your network?
It all boils down to available resources and money. Seriously, money. Who has the money to put down on something that is just going to sit there? Well, now you do. Now is the time to let your boss know the threats that are out there and the business impact of those threats. Ask someone in finance if they are able to give you a ballpark figure of how much money would be lost if the company was unable to perform its work for one hour. If you work for a medium to large size business, then the number they give you may surprise you. Historically, companies have been down for many hours at a time waiting for an attacker to finish getting their kicks or for anti-virus companies to update definitions to get rid of a botnet. To me, the few thousand dollars for an Intrusion Detection System is cheap insurance for keeping the company running.
Up until now I have not been specific about a network intrusion detection system versus a host intrusion detection system. Well, that is because what I talked about was kind of generic. To close out here I would like to bring up the network side of things. Granted, there is a lot of encrypted traffic on the network, but they are still able to analyze traffic patterns that may be problematic for your network, since who is talking to whom, how often and how much is visible even when the payload is not. There is a huge amount of data that needs to be processed on a network, and so the system requirements for such a device cannot be something like an old-school 486. Don't know what that is? Ok, not even a Pentium (yeah, the original) would work out for you unless you had very little traffic to check. An interesting part about network detection is that it doesn't have to be inline with any of your network, and so an attacker would have no clue that it even exists. It can be on a mirrored port of your switch.
-- Joe McShinsky
Friday, January 20, 2012
Anonymous
I don't understand the hacker group Anonymous. They take down websites to make a statement (usually big ones). If they really wanted to affect the organization, they would understand that most large organizations usually run servers on a different network than employees. Thus if you figure out the employee network and attack it, you reduce the productivity and give the organization a much larger headache due to employees sitting idle. An organization is going to be much more upset with paying idle employees than having a few hours of downtime. Now I also understand that the website may take orders, etc., and even a half hour can result in lots of money lost. My point is about Anonymous, though. It seems they only want to be in the news for taking down a website (which is trivial and extremely common). Wouldn't it be much more effective to attack the bottom line?