Friday, February 3, 2017

Security+ Topic - Wireless Antennas and Power

I’m not sure I know of anyone who doesn’t use wifi.  It has become part of our everyday lives and without it I am not sure some people would know how to cook.  When it comes to our homes, most of us will simply plug in an access point and we are good with the setup as long as we can get a signal in our living room.  In business, most IT departments will set up a distribution of access points to cover the entire area as seamlessly as possible.  Both of these are great strategies, but there is another scenario that I would like to bring up, as the normal setup provides an easy gateway for any attacker to monitor your wireless network.

I worked with a gentleman who set up wireless communications between buildings for companies.  Now this sounds like a task that almost any IT person could accomplish, but the reason he was contracted for it was that this connection needed to be secure.  Some of you may be saying at this point that they could just set up WPA2 and be done.  The little bit of information here that is missing is the antenna used for the communication.  Generally, antennas will be omni-directional, which means that the signal goes in every direction.  This is good for most setups but not for the ultra-secure setups needed by this company.  Antenna design is something that can go very in depth and I have experimented with designs as an amateur radio operator, so I will not be going into the details here except to give you an overview.

The antenna that needs to be used for this scenario is a yagi antenna, which points the signal as much as possible in one direction.  This is not to say that the signal will be one hundred percent in one direction.  Signals will still propagate in every direction, but the yagi antenna does a great job of focusing the signal in one direction.  Generally there will be a little bit of a back lobe, but it is not that much radiation in the direction opposite of where you are pointing.  There are two benefits to this.  One is that signals can be pin-pointed to the target.  The second is that a yagi antenna can help extend the distance of the signal.  I encourage you to take a look into the yagi radiation pattern if this is something that sounds interesting to you.

Now comes the part of actually verifying that your antenna is doing what you want it to do by performing a site survey.  I personally use software called Heatmapper where I can import my own image (or floorplan) to see where the signal is the strongest.  Basically you walk around the office clicking on where you are and the software creates a heat map of how strong the wireless signal is.  In the original application, it is good to see if every square inch of the office is able to get a wireless signal.  In the second part of this topic, talking about a yagi, it works wonders for checking whether your antenna is working correctly by only giving signal in one direction.  Basically we are looking for an oblong shape of signal, and the heat map software will show strong signal in one direction away from the access point antenna.
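To make the "oblong shape" check concrete, here is an added example (mine, not the author's or Heatmapper's) that turns a ring of RSSI readings taken at equal distance around the antenna into a front-to-back ratio; the survey values and the 10 dB threshold for calling a pattern directional are constructed assumptions.

```python
# Constructed sample survey readings: (bearing in degrees from the antenna, RSSI in dBm).
# These numbers are invented for illustration, not real Heatmapper output.
YAGI_SURVEY = {0: -42, 30: -48, 60: -60, 90: -70, 120: -76, 150: -78,
               180: -74, 210: -78, 240: -76, 270: -70, 300: -60, 330: -48}
OMNI_SURVEY = {0: -55, 30: -54, 60: -56, 90: -55, 120: -54, 150: -56,
               180: -55, 210: -54, 240: -56, 270: -55, 300: -54, 330: -56}


def analyze_pattern(survey):
    """Summarise a ring of RSSI readings taken at equal distance around an antenna.

    Returns the bearing of the strongest signal, the front-to-back ratio in dB
    (strongest reading minus the reading roughly 180 degrees behind it) and the
    spread between the strongest and weakest readings.
    """
    front_bearing = max(survey, key=survey.get)
    opposite = (front_bearing + 180) % 360
    # Use the sampled bearing closest to the opposite direction (angular distance).
    back_bearing = min(survey, key=lambda b: abs(((b - opposite + 180) % 360) - 180))
    return {
        "front_bearing": front_bearing,
        "front_to_back_db": survey[front_bearing] - survey[back_bearing],
        "spread_db": max(survey.values()) - min(survey.values()),
    }


def classify(survey, directional_threshold_db=10):
    """Call the pattern directional (the oblong shape we want from a yagi) when the
    front-to-back ratio clears the threshold; otherwise it is behaving like an omni.
    The 10 dB threshold is an assumption for this example."""
    result = analyze_pattern(survey)
    result["directional"] = result["front_to_back_db"] >= directional_threshold_db
    return result


if __name__ == "__main__":
    print("yagi:", classify(YAGI_SURVEY))
    print("omni:", classify(OMNI_SURVEY))
```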

Security+ Topic - End to End Security

As we move data from one computer to the next we can do it by transferring files in clear text or by securing that data.  One of the big questions is how to secure that data for transfer.  We can use our browsers, a file transfer tool, or text shells to move this data, and every one of them has some type of encryption that it can utilize.  The days of making excuses for why we do not encrypt our data over the wire are over.

When it comes to utilizing our browser, it comes pre-set for taking advantage of SSL and TLS.  Secure Sockets Layer is a widely used security standard for establishing an encrypted link between a web server and a browser.  It creates a behind-the-scenes connection for passing data between server and client in a secure manner.  Only a few years ago you could generate a self-signed certificate for a personal web server and rest a little easier about people seeing the private data transferred.  Recently the major browser developers said that if a certificate is self-signed, or does not match the URL, the browser would give an error about being insecure.  This is due to man-in-the-middle attacks.  An attacker would spoof the connection that you thought was secure and then forward the requests to the true web server, so you wouldn’t know they were decrypting and re-encrypting all of the data on its way.

Now we have more secure protocols such as TLS, which came out to address certain limitations of the Secure Sockets Layer protocol.  TLS gives additional security to the transfer of data over wide area network connections.  While the older SSL 3.0 is still in use today, there are minor upgrades made in TLS 1.0 which make it much more secure.  Where possible, each one of your servers should be set up to force TLS encryption if the client is able to do so.
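The two points above (a client that refuses self-signed or mismatched certificates, and a server that forces TLS) look like this in Python's standard `ssl` module; this is an added example, not the author's code, and TLS 1.2 as the lowest acceptable version is my assumption.

```python
import ssl


def force_tls(ctx, floor=ssl.TLSVersion.TLSv1_2):
    """Refuse to negotiate anything older than `floor`.  Assumption: TLS 1.2 is the
    lowest version we are willing to speak, so SSL 3.0, TLS 1.0 and 1.1 are out."""
    ctx.minimum_version = floor
    ctx.options |= ssl.OP_NO_COMPRESSION   # TLS-level compression is off as well
    return ctx


def make_server_context(certfile=None, keyfile=None):
    """Server side: 'force TLS' as the post puts it.  Pass the server's certificate
    and key files to actually serve; left as None so the audit helpers run offline."""
    ctx = force_tls(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def make_client_context():
    """Client side: behave like a current browser.  The default context loads the
    system trust store, requires a certificate and checks that its name matches the
    host, so a self-signed or mismatched certificate fails instead of being accepted
    silently (the man-in-the-middle case the post describes)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return force_tls(ctx)


def minimum_version_name(ctx):
    """Audit helper: the lowest protocol version this context will still accept."""
    return ctx.minimum_version.name


def rejects_unverified_servers(ctx):
    """Audit helper: True only if a client context insists on a valid, matching cert."""
    return bool(ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED)


if __name__ == "__main__":
    print("server floor:", minimum_version_name(make_server_context()))
    print("client floor:", minimum_version_name(make_client_context()),
          "verifies:", rejects_unverified_servers(make_client_context()))
```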

Now we have the matter of whole network connection encryption instead of just one protocol.  VPN connections are made which force the network traffic to go across a virtual private network.  Most of the time these connections are then routed out the destination network, and the public IP of the remote machine will be an IP of the VPN server network.  These connections are made using IPsec, which is ideal for authentication, integrity, and confidentiality.  Each of these is a core item for this process to work, because if any part is skipped or not authorized, then the connection could be compromised.

One final item I want to touch on is the use of SSH.  This is the default tool used for almost every Linux server and is a required item for server deployments.  The secure shell created has a high level of encryption, so anything sent over it is sure to be safe.  I am actually a little surprised that Windows hasn’t embraced the use of SSH to connect to Windows servers in order to provide quicker remote sessions to their servers.  Even with Windows Core you need to make a remote desktop connection to use the command prompt…. weird.  SSH is able to do some really cool stuff such as tunneling.  Similar in behavior to the VPN connection, SSH is able to move more than just remote commands over the connection.  SCP and SFTP are built on top of SSH and are able to move files securely.  Even your browser can make a local proxy connection to the SSH connection to transfer all browser traffic over SSH.

Security+ Topic - Data Wiping, Retention, Storage

What happens to your devices when you are through with them?  Do you put them in a closet and call it a day?  When it comes to the expiration date of your hardware there are a few things that need to be done to ensure that your data is safe after you are done with it.  Even after you hit the delete key, there are methods and tools available to recover data from your system even though it was deleted.  So what does this mean for you as an IT admin?  It means that you need to securely wipe your devices of all old data.

Just like a lot of things in the IT industry, there is more than one way to skin a cat.  The first option is a full format of a hard drive.  This will overwrite the drive to being blank and will make it much harder to recover data.  Still, that data exists on the drive if someone were very motivated to get it.  After it has been wiped, one option here would be to overwrite the data with new dummy data.  For most consumer tools, this basically guarantees that the most basic of tools will be unable to recover the data.  I’ll jump ahead at this point to the wiping standards of the military.  The tools used for this, such as the Darik’s Boot and Nuke live CD, make many passes over the entire hard drive to the point that it becomes nearly impossible to recover the data.  I say nearly impossible because without physically destroying it, there is a one in a gazillion chance that one sector may be recoverable.
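The multi-pass overwrite idea, scaled down to a single file so it can be run on a constructed "secret" rather than a whole drive; this is an added example (mine, not DBAN's or the author's), and the pass count is an assumption.

```python
import os
import tempfile


def overwrite_file(path, passes=3, block_size=1 << 16):
    """Overwrite a file in place: `passes - 1` passes of random bytes and a final pass
    of zeros, syncing to disk after each pass.  Returns the bytes written per pass.
    Caveat: this only reaches the blocks the filesystem hands back for this file.
    Journaling or copy-on-write filesystems and SSD wear levelling can keep old
    copies elsewhere, which is why whole-drive tools and physical destruction exist."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for n in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                chunk = min(block_size, remaining)
                f.write(b"\x00" * chunk if n == passes - 1 else os.urandom(chunk))
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())
    return size


def wipe_file(path, passes=3):
    """Overwrite, then unlink.  Deleting alone only removes the directory entry, which
    is why the post says deleted data is recoverable; overwriting first is the point."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return written


def demo():
    """Constructed demo: write a 'secret', overwrite it, confirm the original bytes are
    gone, then wipe (overwrite + delete) and confirm the file is gone too."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "secret.txt")
    secret = b"grandma's secret recipe: 3 eggs, 1 cup sugar\n" * 50   # constructed
    with open(path, "wb") as f:
        f.write(secret)
    overwrite_file(path, passes=2)
    with open(path, "rb") as f:
        after = f.read()
    wipe_file(path, passes=1)
    gone = not os.path.exists(path)
    os.rmdir(tmpdir)
    return after == b"\x00" * len(secret) and gone


if __name__ == "__main__":
    print("secret unrecoverable from file and file removed:", demo())
```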

The flip side of this whole situation is the retention of the data.  When it comes to how long you are to hold the data, it boils down to company or industry standards.  Some companies will only require that seven days of backup data be held, while others such as monetary institutions will require the data to be held for years.  While this does touch into the realm of backups a bit more than security, the security aspect of the requirements must be addressed.  It is not enough to simply install a server somewhere, encrypt the transmission via SSL, and then call your backups good.  Take for example a remote datacenter that shuts down.  They let you pull your data off and then shut everything off.  All that hardware gets re-sold to salvage companies and the hard drives are scanned by curious people who are able to recover your secret files.  The data held in long term retention must be encrypted at the same or a higher level than your local data because you may not have physical access to it.

One consideration here is that you may not be able to remotely wipe the data without physical access.  That remote storage is way out of your control, so it may be worth an investment in remote wiping capability.  In this area there are a lot of options, from failed access attempts triggering a data wipe to a timeout wipe.  In the first scenario, the remote server is set up to automatically wipe the data after a certain number of failed login attempts (similar to cell phones these days).  The other option is a data wipe that happens after a certain amount of time.  It tries to heartbeat with a certain user or group, and if it doesn’t hear anything after a while, it will automatically wipe the data.

Security+ Topic - Removable Media Encryption

Do you remember the days of sneakernet?  That was a long time ago when people would move files between machines with a floppy disk, as there was no network infrastructure.  These days it’s quite simple to transfer a file over the network, but for some reason the use of USB flash drives seems to have brought new light to the term sneakernet.  With how small they are, sometimes fitting nicely onto your keychain, USB flash drives have found their way back to being mainstream for moving files around.  Part of this is due to the mobility of laptops.  In a desktop environment, files are usually moved on the network no problem, but as people get together with laptops, it is much quicker to transfer files with a USB drive.

There are a couple of big concerns with this process that need to be addressed.  To start, you never know what is on that drive.  Most operating systems will have an automount and then an autoplay function to make it easy for you to open it up.  While this is a nice feature, it also lets in potential dangers.  An attacker may decide to have software set up on the flash drive that loads when inserted and then installs some sort of backdoor or phone-home software.  There are even campfire stories of hackers installing malicious software onto cheap USB drives and then purposely leaving them around the city for people to plug into their computers.  So what is to prevent this?  Disabling autorun would be a good start.  Making sure your anti-virus software is up-to-date, with on-load scanning, would also be good.

The above paragraph is really the background that I want to give for this part though.  What about those files that YOU put on the drive?  Say you work from home sometimes and your internet service provider connection is really slow, so you decide that you will put your work onto a USB drive and offload it onto your desktop in the office the next day.  Sounds like a simple plan, but what about that USB drive in transit?  Wouldn’t it be quite easy for it to slip out of your bag or fall out of the door of your car?  I could describe quite a few scenarios here but I hope you get the point.  Someone is most likely going to pick up that USB drive and plug it into their computer.  If that USB drive is not encrypted in some way, then you have opened up all your secret files to the public.

There are also a lot of cool ways to protect those files.  The easiest way would be to simply add a password to the file if the software allows you to.  This would still allow someone to see the files and possibly brute force their way into them.  Another option is encryption software such as BitLocker or TrueCrypt.  These can encrypt the entire USB drive so when someone plugs it in, the operating system just thinks it needs to be formatted, as it cannot read the drive properly.  One of my favorite ‘cool’ ways of USB drive protection is my fingerprint-reading USB flash drive.  When you first plug it in, the user is presented with a small accessible filesystem.  It also mounts a fake CD drive with fingerprint-reading portable software.  After my fingerprint is authenticated, it unmounts the public filesystem and then mounts my private filesystem.  Neat eh?

Thursday, February 2, 2017

Security+ Topic - Drive Encryption

Data encryption is a major part of computer security and it comes in every form that you can think of.  Where the data originates, how it is transferred, and how it is stored long term must all be taken into consideration.  Take for instance your mother's secret recipe.  It was on her fridge for years, so you decide to make a copy of it on your computer.  Years later you donate the computer to the thrift store.  Then someone checks out the hard drive and the secret recipe is used to make millions at a chain restaurant.  Is this a silly example?  No.  It happens all the time that data is not secured and thus is exploited down the road.

Securing your data starts with where it originates most of the time.  Your computer.  Making sure that your computer is encrypted is usually only thought of when it comes to laptops, but it really does impact every computer you ever touch.  In the laptop realm it boils down to the fear of the computer being stolen.  Something happens at a coffee shop and the next thing you know it was stolen with no recourse.  Things like this happening are why employers require laptops to be encrypted.  They never know what may be permanently or temporarily stored on your laptop while you are away from the office.  It’s a level of insurance and safety for company secrets.

I’m going to break off here from full disk encryption in general to full disk encryption on virtual machines.  This is something that you don’t see much (these days) and most people don’t think about it.  Our virtual machines are the first thing that people think about when it comes to spinning up an environment for their needs.  They will then go through the process of firewall, hardening, password management, and more to make sure they are secure.  As the environment grows, what about the VHD or VMDK?  Backups will be taken and snapshots made.  The important takeaway point here is the risk of whole virtual machine theft and the ease of access after they have the virtual machine file itself.  Without encrypting the drive inside the virtual machine file, they can mount the drive and take what they want.

There are two lines of thought here for encrypting the drive.  One is to simply encrypt the HDD where the virtual machine drive files exist.  This is fine except it is not really protecting you.  Sure, if someone walks away with the physical hard drive then it’s useless to them, but if they can copy the virtual machine hard drive while the system is turned on then you just handed them unencrypted data.  The other line of thought is installing the encryption software inside of each virtual machine.  In large deployments this can be a nightmare to manage, especially if you are rebooting the server remotely and have no way to see the console for entering the encryption password.  There are trade-offs for the scenarios that must be taken into account.

Finally there is concern about the speed of the HDD responses with encryption software in place.  With today’s encryption options such as TrueCrypt (no longer supported, sad) and BitLocker, they are basically as fast as writing directly to the hard drive.  In situations where encrypting the drive is not an option due to certain company requirements, you may be left with the only option of a literal lock and key.  Lock down the network so they have no way to copy off the virtual hard drive, and place the virtual host behind lock and key with no options for removable media.

Wednesday, February 1, 2017

Security+ Topic - Basic Network Security Tools

A common topic that comes up from people just getting into the computer security realm is what tools they can use to break into a computer.  Well, that is a seriously loaded question with a lot of different directions you could go.  I want to take a moment and step back from the question and really dig into what most people are really asking.  To me it seems they want to know right from the start how to hack their neighbor in under 10 seconds like in the movies.  While you may be able to accomplish something similar to this deep into your career, it most likely isn’t going to happen from the start.

What really needs to happen at this point is a basic understanding of ports and what services may be associated with them.  I’m going to assume at this point that you have some sort of networking knowledge and will be able to follow the conversation without my breaking down every point moving forward.  Every service listens on a port to do its normal functions.  Using this information some smart people have developed tools that can scan through a set of common ports to see what is currently accepting connections.  These port scanners can be very simple, such as opening a TCP connection and then that is it, or they can see what service is listening on that port by sending a query.  Generally speaking though, tools such as nmap will simply open a TCP connection and then close it when done.  The list of ports it finds is then reported back with the common services associated with them.
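The "open a TCP connection and then close it" scan in its simplest form, pointed at a constructed listener on the local machine so you can check what your own host exposes; this is an added example, not nmap's code or the author's, and the short service table is an illustrative assumption.

```python
import socket
import threading

# Assumed mapping from well-known port to conventional service name; a scanner's
# report guesses the service this way, it has not queried the service.
COMMON_SERVICES = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http",
                   443: "https", 445: "microsoft-ds"}


def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan: complete a handshake on each port, then close immediately.
    Returns the sorted list of ports that accepted a connection."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0 means the connection succeeded
                open_ports.append(port)
    return sorted(open_ports)


def label_ports(ports):
    """Attach the conventional service name to each open port, as a report would."""
    return {p: COMMON_SERVICES.get(p, "unknown") for p in ports}


def start_listener(host="127.0.0.1"):
    """Constructed stand-in for a service: bind an ephemeral port, accept one
    connection, close.  Returns the port it is listening on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
            conn.close()
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Scan a small window of ports around the constructed listener and report
    whether the scan found it."""
    port = start_listener()
    found = connect_scan("127.0.0.1", range(port - 2, port + 3))
    return port in found


if __name__ == "__main__":
    print("listener found by connect scan:", demo())
    print(label_ports([22, 80, 8443]))
```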

We can then move on with the information of what ports are listening to something a little deeper.  A vulnerability scanner will take the list of ports it found to be open and start analyzing the information on those ports.  An example here would be an SMB server that the vulnerability scanner would send specific packets to in order to get more information.  A locked-down system would simply report back that the port is open.  A less secure system would give out all sorts of information such as the software version number, and the scanner would then try to make a connection based off that.  This is where the part about being a vulnerability scanner comes into play.  A simple port scanner is just for ports, but a vulnerability scanner uses the version information reported back and does a search through its databases for known issues.  If it finds that you are running version 1.2.3 and there is a known issue with that version, it could formulate a specially crafted packet to take advantage of the exploit.  Now not all software does this.  Some white-hat software simply lets you know that there is a known exploit and then provides you with the CVE numbers for you to take action.

The next step in this whole thing is the protocol analyzers.  Generally speaking these are not used by the average Joe.  Sure, they are great tools for seeing what is going on with your network, but until there is something interesting (such as an exploit) that you are able to take action on, there is not a ton to see.  Oh, you made it this far?  Good.  I then want to talk for a moment about protocol analyzers and insecure transmissions.  The easiest way to explain to people about insecure protocols such as FTP and Telnet is to capture one of the sessions.  It becomes clear as day how insecure these protocols are and how a protocol analyzer can capture the data.  There is even protocol analyzer software available which monitors the network for these insecure connections and provides them in a GUI for the user to review.
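What that monitoring software is looking for, as an added example that is not from the author or any particular analyzer: the session excerpts are constructed, already reassembled into one payload per line (real Telnet sends keystrokes one at a time), and the monitor redacts the password by default since a defender's report should not re-expose it.

```python
import re

# Constructed excerpt of what a protocol analyzer shows for an FTP login:
# (direction, TCP payload).  Not a real capture.
FTP_SESSION = [
    ("server", "220 ftp.example.internal FTP server ready"),
    ("client", "USER alice"),
    ("server", "331 Password required for alice"),
    ("client", "PASS hunter2"),
    ("server", "230 User alice logged in"),
    ("client", "RETR payroll.xlsx"),
]

# Constructed Telnet login, with the client's keystrokes reassembled into lines.
TELNET_SESSION = [
    ("server", "login: "),
    ("client", "bob"),
    ("server", "Password: "),
    ("client", "s3cret"),
    ("server", "Last login: Tue Jan 31 09:14:02 from 10.0.0.5"),
]


def _finding(protocol, field, value, redact):
    shown = "<redacted>" if (redact and field == "password") else value
    return {"protocol": protocol, "field": field, "value": shown}


def find_cleartext_credentials(session, protocol, redact=True):
    """Walk a reassembled session and report credentials sent in the clear.
    FTP carries them in USER/PASS commands; Telnet has no commands at all, so the
    client line that follows a 'login:' or 'Password:' prompt is the credential."""
    findings = []
    expecting = None          # telnet only: which prompt the next client line answers
    for direction, payload in session:
        text = payload.strip()
        if protocol == "ftp":
            m = re.match(r"^(USER|PASS)\s+(\S+)", text, re.IGNORECASE)
            if direction == "client" and m:
                field = "username" if m.group(1).upper() == "USER" else "password"
                findings.append(_finding(protocol, field, m.group(2), redact))
        elif protocol == "telnet":
            if direction == "server":
                lowered = text.lower()
                if lowered.endswith(("login:", "username:")):
                    expecting = "username"
                elif lowered.endswith("password:"):
                    expecting = "password"
            elif expecting:
                findings.append(_finding(protocol, expecting, text, redact))
                expecting = None
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(FTP_SESSION, "ftp"):
        print(f)
    for f in find_cleartext_credentials(TELNET_SESSION, "telnet"):
        print(f)
```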