Tuesday, 25 December 2007

Performance Measurement for Information Security

Measuring information security performance is required by law in the USA, under acts such as the Clinger-Cohen Act, the Government Performance and Results Act (GPRA), the Government Paperwork Elimination Act (GPEA) and the Federal Information Security Management Act (FISMA). However, I do believe that the driving factor for anything is the business need or monetary value.

What do we need to measure for Information Security?

NIST specifies three types of measures:

  1. Execution of security policy.
  2. Effectiveness/efficiency of security services delivery.
  3. Impact of security events.

Challenges of performance measurement for information security:

  • Inconsistent processes: when a process is not performed consistently, you will find it hard to specify the performance targets to measure.
  • Identifying the goals and objectives of performance measurement. The best starting point is business/stakeholder interests.
  • Establishing performance targets. Setting performance targets for effectiveness/efficiency and impact measures is more complex because there is no single predefined level of performance to aim for.

What do we need to implement this Performance Measurement?

  1. Collect data.
  2. Analyze the collected data.
  3. Identify corrective actions.
  4. Develop a business case.
  5. Apply corrective actions.

By building performance measurement for information security, we facilitate decision making and improve the effectiveness/efficiency of information security service delivery.

Reference: NIST & ISF “Security Health check Project”

Sunday, 16 December 2007

Critical Information Infrastructure Protection (CIIP)

At the ISNR 2007 Conference, held 3rd-5th December in London, they talked about CIP challenges.

Definition of critical infrastructure:

Critical infrastructure is a term used by governments to describe material assets that are essential for the functioning of a society and economy. Most commonly associated with the term are facilities for:

  1. Emergency services
  2. Energy
  3. Finance
  4. Food
  5. Government & public services
  6. Health
  7. Public Safety
  8. Telecommunications
  9. Transportation systems
  10. Water

In other words, critical infrastructure refers to those assets, systems, and functions so vital to the nation that their disruption or destruction would have a debilitating effect on our national security, economy, governance, public health and safety, and morale.

Let’s try to figure out from the above definition what our critical information infrastructure is. You will find it depends on your business; for example, the critical infrastructure for supply chains/logistics is different from that of other sectors, but network communication is common to all of them.

So,

What is Critical-infrastructure Protection (CIP)?

It is the study, design and implementation of precautionary measures aimed to reduce the risk that critical infrastructure fails as the result of war, disaster, civil unrest, vandalism, or sabotage.

Critical infrastructure and information security have similar requirements, particularly in the area of availability. Let’s take the US CIP model to learn how to build a similar Critical Information Infrastructure Protection (CIIP) model. From Wikipedia, let’s have a look at the US CIP life cycle, which consists of the following six phases:

  • Analysis and Assessment (occurs before an event) - The Analysis and Assessment phase is the foundation and most important phase of the CIP life cycle. This phase identifies the assets absolutely critical to mission success and determines the assets’ vulnerabilities, as well as their interdependencies, configurations, and characteristics. An assessment is then made of the operational impact of infrastructure loss or degradation.
  • Remediation (occurs before an event) - The Remediation phase involves precautionary measures and actions taken before an event occurs to fix the known cyber and physical vulnerabilities that could cause an outage or compromise a National Defence Infrastructure, or NDI, or critical asset. For example, remediation actions may include education and awareness, operational process or procedural changes or system configuration and component changes.
  • Indications and Warnings (occurs before and/or during an event) - The Indications and Warnings phase involves daily sector monitoring to assess the mission assurance capabilities of critical infrastructure assets and to determine if there are event indications to report. Indications are preparatory actions that indicate whether an infrastructure event is likely to occur or is planned. Indications are based on input at the tactical, operational, theater, and strategic level. At the tactical level, input comes from asset owners. At the operational level, input comes from the NDI sectors. At the theater level input comes from regional assets such as allied intelligence, NATO, command intelligence, allied governments, and coalition forces. At the strategic level, input comes from intelligence, law-enforcement, and the private sector. Warning is the process of notifying asset owners of a possible threat or hazard.
  • Mitigation (occurs both before and during an event) - The Mitigation phase comprises actions taken before or during an event in response to warnings or incidents. DoD Critical Asset owners, NDI sectors, DoD installations, and military operators take these actions to minimize the operational impact of a critical asset’s loss or debilitation.
  • Incident Response (occurs after an event) - Incident Response comprises the plans and activities taken to eliminate the cause or source of an infrastructure event.
  • Reconstitution (occurs after an event) - The last phase of the CIP life cycle involves actions taken to rebuild or restore a critical asset capability after it has been damaged or destroyed. This phase is the most challenging and least developed process.

Effective management of the CIP life cycle ensures that protection activities can be coordinated and reconciled among all DoD sectors. In many ways, DoD CIP is risk management at its most imperative. Achieving success means obtaining mission assurance. Missing the mark can mean mission failure as well as human and material losses. For critical infrastructure protection, risk management requires leveraging resources to address the most critical infrastructure assets that are also the most vulnerable and that have the greatest threat exposure.

Reference:

Wikipedia & ISNR 2007 Conference

Sunday, 11 November 2007

Vendor liability & User Responsibility


We always hear the words "It is your responsibility" when someone steals money from your credit card or steals your email password.

Why don't we say the same words to software vendors when a security vulnerability in their software makes us lose a lot of money?

When we install any software, we have to accept the vendor's EULA; there is no way to install the software without accepting this license.
So, I think most of us have tried to read the EULA agreement before accepting it. You can find many EULA analyzer tools on the Internet that highlight the important points for you, such as privacy, vendor rights and your responsibilities.

The point here is that, as long as we have no other option to install the software, the vendor must be liable for its software. At the end of last month, the Symantec Security Response weblog wrote about a "Privilege Escalation Exploit In the Wild"; one week later they wrote a follow-up on this vulnerability. The vulnerability is in the "SECDRV.SYS" driver. Microsoft posted Microsoft Security Advisory (944653) about this vulnerability. Let's analyse the FAQ as posted in Microsoft Security Advisory (944653).

What is the scope of the advisory?

Microsoft is aware of a new vulnerability report affecting the Macrovision secdrv.sys driver on supported editions of Windows Server 2003 and Windows XP. This affects the software that is listed in the “Overview” section.

What is secdrv.sys?

The driver, secdrv.sys, is used by games which use Macrovision SafeDisc. The driver validates the authenticity of games that are protected with SafeDisc and prohibits unauthorized copies of such games to play on Windows. The secdrv.sys is included with Microsoft Windows XP, Windows Server 2003 and Windows Vista to increase compatibility of the games on Windows. Without the driver, games with SafeDisc protection would be unable to play on Windows. SafeDisc remains inactive until invoked by a game for authorization to play on Windows.

The question raised here: if this vulnerability were exploited and Microsoft customers lost millions, would Microsoft/Macrovision be liable for it? The answer is NO.

Let's have a look at the "Windows Server 2003 End-User License Agreement". By using an EULA analyzer or reading the EULA yourself, you will find:

23. LIMITATION ON AND EXCLUSION OF DAMAGES. You can recover from Microsoft and its suppliers only direct damages up to the amount you paid for the software. You cannot recover any other damages, including consequential, lost profits, special, indirect or incidental damages.
This limitation applies to
  • anything related to the software, services, content (including code) on third party Internet sites, or third party programs; and
  • claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.
It also applies even if
  • repair, replacement or a refund for the software does not fully compensate you for any losses; or
  • Microsoft knew or should have known about the possibility of the damages.

It is unfair that customers could lose millions of dollars and claim only the amount they paid for the software. Ira Winkler, the author of Spies Among Us, wrote a wonderful article on this point titled "Vendor liability: A pointless argument?". Also, Art Coviello, RSA's president, gave this interview to ZDNet at the last RSA Conference 2007, held in London.

In the end, I see that software vendors should be liable for their software, just as users are responsible for their mistakes.

Thursday, 1 November 2007

Security Assessment Roadmap

In my last role with my ex-employer, my manager asked me to develop a security assessment service. I did some Google searching and found that the best way is to establish a framework, because working under a formal process model makes the task easy and later development efficient. I found the NSA-developed INFOSEC Assessment Methodology (IAM). I started to read more about it and found a brilliant book from Syngress which helped me a lot: “Security Assessment: Case Studies for Implementing the NSA IAM”.

After that I used these resources to build our security assessment framework, and I have decided to share this information with my peers who are interested in IT security. Here is what I got.

Let’s assume we are going to perform a security assessment for a company called “XYZ”.



Introduction

XYZ Company's network may expose vulnerabilities to attackers in many ways. A key area is information exposure. Many details about XYZ Company that an attacker can gather can be used to assist in an attack. This includes technical data, such as what public services XYZ Company offers, as well as non-technical items, such as who its business partners are. The next area of importance is connectivity. Can attackers send and receive information to the systems within XYZ Company's network? This is dominated by the impact XYZ Company's firewalls (and filtering routers) have on connectivity into the network, but it can also be affected by the controls XYZ Company has in place to allow workstations and notebook computers to connect to its internal network. The last major area that needs to be examined is whether the services XYZ Company's network relies on contain exploitable vulnerabilities.

The roadmap for making security assessment consists of the following core phases with corresponding deliverables:

  1. Planning

Determine the scope of our assessment at XYZ Company. Decide how we will conduct it. Develop written rules of engagement to control the assessment and, most important, gain proper written approval to perform it. Assemble our toolkit to perform the assessment.

  2. Reconnaissance

Obtain technical and non-technical information on XYZ Company and its known public hosts, such as mail, web and DNS servers, etc.

  3. Network service discovery

Determine which hosts and network devices at XYZ Company can be accessed from the outside. For each of these systems, determine what services are running on them.

  4. Vulnerability discovery

Probe externally accessible systems and remote services to determine whether they expose known vulnerabilities to the outside. Analyze initial results to eliminate false positives.

  5. Verification of perimeter devices

Evaluate firewall and router configurations at XYZ Company to ensure that they are well configured. Verify that firewalls at XYZ Company do not pass traffic that should be blocked. Verify that anti-discovery and anti-DoS controls are in place and work as expected at XYZ Company. Test intrusion detection/prevention sensors to ensure that they detect, log, and alert on suspicious activity.

  6. Remote access

Verify security controls of known remote access systems, including remote access servers, wireless access points, and VPNs. Search for unauthorized (rogue) modems and wireless access points at XYZ Company.

  7. Exploitation (optional)

Attempt to use exploitation techniques against the discovered vulnerabilities. Based on the goals of the test, this may be an iterative activity. Successful exploitation may lead to additional access on the network, which may open the opportunity for further exploitation.

  8. Results analysis and documentation

Analyze discovered vulnerabilities to determine their overall effect on the level of risk to the network's security at XYZ Company. This is normally based on the vulnerabilities' impact on the affected system, the criticality of the system, the likelihood that the vulnerabilities will be exploited, and the effort required to remediate them. Produce an assessment report that provides a list of vulnerabilities prioritized by level of risk and recommends steps to resolve the individual and root causes of the vulnerabilities.

  9. Recommendations

A final report will be compiled with recommendations and possible solutions to be implemented at XYZ Company to improve security and/or defend against breaches.

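As an added example of the results analysis step (my own code, not from the NSA IAM or the Syngress book), this Python snippet ranks findings by the four factors named above and also aggregates risk by root cause, so the report can show which single fix retires the most risk. The findings, host names, root-cause labels and the 1-to-5 scoring scale are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


# Each factor is scored 1 (lowest) to 5 (highest); the scale is a constructed convention.
@dataclass
class Finding:
    fid: str
    host: str
    title: str
    impact: int        # damage to the affected system if exploited
    criticality: int   # how important that system is to XYZ Company
    likelihood: int    # how likely exploitation is
    effort: int        # remediation effort (1 = trivial, 5 = major project)
    root_cause: str

    @property
    def risk_score(self) -> int:
        # Impact, criticality and likelihood multiply: the range is 1..125.
        return self.impact * self.criticality * self.likelihood


def risk_band(score: int) -> str:
    """Map the numeric score onto the report's three risk levels."""
    if score >= 60:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low"


def prioritize(findings):
    """Highest risk first; among equal risk, the cheaper fix goes first."""
    return sorted(findings, key=lambda f: (-f.risk_score, f.effort))


def risk_by_root_cause(findings):
    """Sum risk per root cause: the 'root causes' deliverable expressed in numbers."""
    totals = defaultdict(int)
    for f in findings:
        totals[f.root_cause] += f.risk_score
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


def report_lines(findings):
    """Plain-text report body: prioritized list, then root-cause totals."""
    lines = ["Prioritized findings for XYZ Company:"]
    for rank, f in enumerate(prioritize(findings), 1):
        lines.append(
            f"{rank}. [{risk_band(f.risk_score)} {f.risk_score:>3}] "
            f"{f.host}: {f.title} (effort {f.effort})"
        )
    lines.append("Risk by root cause:")
    for cause, total in risk_by_root_cause(findings).items():
        lines.append(f"  {total:>3}  {cause}")
    return lines


# Constructed sample findings for the hypothetical XYZ assessment.
SAMPLE_FINDINGS = [
    Finding("F1", "web-01", "SQL injection in customer login form", 5, 5, 4, 3,
            "no secure coding / input validation standard"),
    Finding("F2", "edge-rtr", "Default SNMP community string", 3, 4, 5, 2,
            "no hardening baseline"),
    Finding("F3", "test-07", "Missing OS patches on test server", 4, 1, 4, 2,
            "no patch management process"),
    Finding("F4", "warehouse", "Rogue wireless access point", 4, 3, 3, 2,
            "no network access control"),
    Finding("F5", "fw-01", "Firewall permits inbound RDP to finance subnet", 5, 4, 3, 1,
            "no hardening baseline"),
    Finding("F6", "web-01", "Verbose error pages disclose stack traces", 2, 5, 5, 1,
            "no hardening baseline"),
]

if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE_FINDINGS)))
```

Two findings with the same score (F2 and F5) are ordered by remediation effort, and the root-cause table shows that one baseline fix covers more risk than the single highest-scoring finding.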

Reference: NSA & Syngress

Sunday, 21 October 2007

Facebook Safety - 1


I'm very interested in Web 2.0. I have read a lot of papers about the security challenges and identity management, or what some call Identity 2.0.

But I haven't finished my research yet. What I'm going to do is share some of the information I have. I think this will be the first of several Facebook security issues which I will try to raise here.

I chose Facebook for the following reasons:

* Active users: 47 million (as of October 2007)
* Monthly new user average: 4 million
* Daily new user average: 150,000
* Page views: Over 15 billion per month
* Searches: Over 500 million per month
* Search index size: 200GB
* Largest networks: London, UK 1,268,000 and Toronto, Canada 859,000
* Traffic rank: 7th
* Photos: 1.7 billion (which averages to about 44 photos per user)

Also, on March 2, 2007, a poll conducted by eMarketer.com of American youths found that Facebook was the most viewed site among all respondents, with more females aged 17-25 (69%) visiting the site than males (56%). Check this and this as well.

The fact is that it has become important to look at this service from a security perspective. There are a lot of concerns, such as Facebook's privacy policy, Facebook opening profiles to the public, Facebook safety and Facebook Query Language.

My upcoming articles will just give examples of security issues in Facebook. We will start with Facebook Safety.

Chris Kelly is Facebook's Chief Privacy Officer. He wrote on the Facebook blog two days ago:

But right now, we want to make clear some of the things we are working on to prevent abuse from happening through Facebook. We are automatically moving complaints about nudity or pornography, and harassing or unwelcome contact to the top of our queue for Customer Support to address within 24 hours. We are limiting certain search functionality as it applies to minors. We are making sure that minors know explicitly when they are in contact with someone who is an adult.

Also, he added:

As we continue to build out our proactive and reactive systems, we still believe that this is a partnership with you, our users. Practice smart internet safety; get to know our privacy options. Whether you're a minor or an adult, you should learn how to be smart online. No one wants anything bad to happen as a result of something on Facebook; we can all do our parts to make sure it doesn't.

So, I decided to be smart online and did some Google searching on how to hack Facebook, and I found a lot of links explaining, as an example, how to hack the Facebook Video application. Facebook claims that the Facebook Video application does not allow sharing videos outside of Facebook, and that users will not be able to export or download videos from Facebook. But the fact is you can bypass this with a piece of cake. Userscripts.org has a very good article on how you could do this; you can check it. I tried it myself and downloaded my friends' clips and some others. That means if bad guys got these clips, they could modify them, put some embarrassing things in them and resend them to your friends.

That explains why you can't trust what Facebook claims. Please watch this presentation.

Thursday, 18 October 2007

BC & DR Planning Tips


  • What’s the difference between disaster recovery and business continuity planning?

Disaster recovery is the process by which we resume business after a disruptive event. The event might be something huge, like an earthquake or the terrorist attacks on the World Trade Center, or something small, like malfunctioning software caused by a computer virus.

Given the human tendency to look on the bright side, many business executives are prone to ignoring "disaster recovery" because disaster seems an unlikely event.

Business continuity planning suggests a more comprehensive approach to making sure the business can keep making money. Often, the two terms are married under the acronym BC/DR.


  • What does a disaster recovery and business continuity plan include?

All BC/DR plans need to encompass how employees will communicate, where they will go and how they will keep doing their jobs. The details can vary greatly, depending on the size and scope of a company and the way it does business.

The critical point is that neither element can be ignored, and physical, IT and human resources plans cannot be developed in isolation from each other. At its heart, BC/DR is about constant communication. Business leaders and IT leaders should work together to determine what kind of plan is necessary and which systems and business units are most crucial to the company. Together, they should decide which people are responsible for declaring a disruptive event and mitigating its effects. Most importantly, the plan should establish a process for locating and communicating with employees after such an event. In a catastrophic event (Hurricane Katrina being a recent example), the plan will also need to take into account that many of those employees will have more pressing concerns than getting back to work.


  • How do I get started?

A good first step is a business impact analysis (BIA). This will identify the business's most crucial systems and processes and the effect an outage would have on the business. A BIA will help companies set a restoration sequence to determine which parts of the business should be restored first. Here are 10 absolute basics the plan should cover:

1. Develop and practice a contingency plan that includes a succession plan for your senior management.

2. Train backup employees to perform emergency tasks. The employees you count on to lead in an emergency may not be available.

3. Determine offsite crisis meeting places for top executives.

4. Make sure that all employees, as well as executives, are involved in the exercises.

5. Make exercises realistic enough to tap into employees' emotions so that you can see how they'll react when the situation gets stressful.

6. Practice crisis communication with employees, customers and the outside world, for example through a spokesperson to the media.

7. Invest in an alternate means of communication in case the phone networks go down.

8. Form partnerships with local emergency response groups such as firefighters and police to establish a good working relationship. Let them become familiar with your company and site.

9. Evaluate your company's performance during each test, and work toward constant improvement. Continuity exercises should reveal weaknesses.

10. Test your continuity plan regularly to reveal and accommodate changes. Technology, personnel and facilities are in a constant state of flux at any company.


  • Is it really necessary to disrupt business by testing the plan?

Read this example of a company that thinks walk-throughs and paper simulations aren't enough. A preparedness test is usually the cost-effective way to test your BC/DR plan.


  • What kinds of things have companies discovered when testing a plan?

- Some companies have discovered that while they back up their servers or data centers, they've overlooked backup plans for laptops.

- One company reports that it is looking into buying MREs (meals ready-to-eat) from the company that sells them to the military. MREs have a long shelf life, and they don't take up much space.

- The issue of where employees go immediately after a disaster and where they will be housed during recovery should be addressed before something happens, not after.

- USAA discovered that while it had designated a nearby relocation area, the setup process for computers and phones took nearly two hours. During that time, employees were left standing outside in the hot Texas sun. Seeing the plan in action raised several questions that hadn't been fully addressed before: Was there a safer place to put those employees in the interim? How should USAA determine if or when employees could be allowed back in the building? How would thousands of people access their vehicle if their car keys were still sitting on their desk? And was there an alternate transportation plan if the company needed to send employees home?


  • What are the top mistakes that companies make in disaster recovery?

1. Inadequate planning

2. Failure to bring the business into the planning and testing of your recovery efforts.

3. Failure to gain support from senior-level managers. The largest problems here are:

a. Not demonstrating the level of effort required for full recovery.

b. Not conducting a business impact analysis and addressing all gaps in your recovery model.

c. Not building adequate recovery plans that outline your recovery time objective, critical systems and applications, vital documents needed by the business, and business functions, with plans for the operational activities to be continued after a disaster.

d. Not having proper funding that will allow for a minimum of semi-annual testing.


  • Can we outsource our contingency measures?

Disaster recovery services (offsite data storage, hot site, warm site, cold site, mobile site) are often outsourced.

The type of offsite facility is determined by the recovery point objective (RPO) and recovery time objective (RTO).


  • How can I sell this business continuity planning to other executives?

The advice is to address the need for disaster recovery through Business Impact Analysis (BIA). Work with your legal and financial departments to document the total losses per day that your company would face if you were not capable of quick recovery. By thoroughly reviewing your business continuance and disaster recovery plans, you can identify the gaps that may lead to a successful recovery. Remember: disaster recovery and business continuance are nothing more than risk avoidance. Senior managers understand more clearly when you can demonstrate how much risk they are taking.


  • How do I make sure the plans aren’t overkill for my company?

By implementing a Business Impact Analysis (BIA) you can build an effective and efficient BC/DR plan, because the driving factor here is how much the company would lose in case of a disaster or interruption of normal business processes. Companies have to weigh the risk versus the cost of creating such a contingency plan.




Reference: CSO Online

Monday, 15 October 2007

Cyberwar race


I have wanted many times to write about cyberspace warfare, but I didn't have enough time to do it.

Let's review what happened two months ago. On the BBC I read that the United Nations site was hacked by a hacktivist group. The speeches of Secretary-General Ban Ki-moon were replaced with the following lines:

Hacked By kerem125 M0sted and Gsy
That is CyberProtest Hey Ýsrail and Usa
dont kill children and other people
Peace for ever
No war

After that I also read on the BBC's site about the Estonia attack. It is considered the first cyberwar.

A month ago I read on the FT's site that the Chinese military had hacked into the Pentagon.

Also, at the last Black Hat USA 2007 in Las Vegas, Jim Christy's speech was on cyber crime, and he asked for cooperation between the Black Hat community and governments.

And 3 days ago the Air Force Association (AFA) unveiled its report "Victory in Cyberspace".

Have you noticed something from all of these events?

Yes, it is moving fast and has become a hidden war, and that will have a lot of consequences, such as selling security exploits on Wabi-sabi's auction site.

Once security researchers/experts find a security vulnerability, they prefer to sell it. I read a story before (I couldn't find its link again; once I get it I will post it) about a security researcher who found vulnerabilities in IE and tried to sell them, and he did so under the condition that the vulnerability applied to a certain version of MS Windows and IE. He didn't know the buyer, but he guessed it was a military agency.

He sold it for $80,000; according to him, an academic career would not make him this amount of money.

Wednesday, 29 August 2007

Challenge-Response authentication isn't enough

A question has been on my mind since I came to the UK: why do banks still use challenge-response authentication as identification on the phone?

What is Challenge-Response?

Challenge-response authentication is a family of protocols in which one party presents a question ("challenge") and another party must provide a valid answer ("response") to be authenticated.

When I came to the UK I tried to get a bank account, and I got one with one of the high street banks in the UK. But I found they have a weak authentication system for their e-banking service, like accepting only alphanumeric characters as the passcode, and their customer service staff use challenge-response to identify the caller.

Here is how they do their identification on the phone:

Customer Service (CS): Hello Sir, may I take your account number please?

Me: It is XXXX-XXXX-XXXX

CS: How could I help you Sir?

Me: I need ..... please.

CS: May I know your surname please?

Me: Galal

CS: I'd like to go through some security questions with you before I proceed with your request.

Me: Okay

CS: What is your date of birth?

Me: XX-XX-XXXX

CS: What is your post code?

Me: XXXX-XXXX

CS: What is your house number please?

Me: XXXXX

CS: May I know what the last transaction you made from your account was, please?

Me: I withdrew £1 two days ago.

CS: That is enough sir, you have been identified and I will proceed with your request right now.

As we see, this is completely insufficient to identify a caller on the phone. Why?

Referring to the “Identification & Authentication” post, you will know that identification should be combined with a strong authentication process. Also, the answers to most of the asked questions could be gathered easily from many sources:

1- Social engineering against your current employer to gather this information about you.
2- If you applied for voluntary work or any social activity, as I did, they have most of this information.
3- From social sites like Facebook and MySpace, etc.
4- Threats raised after attacks on sites like Monster.com or other sites which contain users' information.

But you may say to me: all of the above don't have the information about your last transaction.

Yes, you are right, but it could also be compromised. How?

Well, by using some of the social engineering techniques which are explained well in “The Art of Deception” by Kevin Mitnick.

Using challenge-response authentication is simple, especially via phone, and it is also easy for end users to have the answers to the asked questions, but it isn't enough to use it as the only method of identification nowadays.
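To make the distinction concrete, here is an added example (my own code, not the bank's or any vendor's) that models the two kinds of "challenge-response" side by side: the static knowledge questions from the transcript, whose correct answers never change, and a nonce-based variant in which the verifier issues a fresh random challenge and the customer's side answers with an HMAC over it keyed by a shared secret. The customer record, the shared secret and all challenge values are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed customer record standing in for what the bank holds (placeholder data).
CUSTOMER = {
    "surname": "galal",
    "dob": "xx-xx-xxxx",
    "postcode": "xxxx-xxxx",
    "house_number": "xxxxx",
    "last_transaction": "withdrew 1 gbp two days ago",
}
KNOWLEDGE_QUESTIONS = list(CUSTOMER)


def knowledge_based_check(record, answers):
    """The phone procedure from the transcript: the same questions on every call,
    and the correct responses are fixed facts about the customer."""
    return all(
        answers.get(q, "").strip().lower() == record[q]
        for q in KNOWLEDGE_QUESTIONS
    )


def compute_response(secret: bytes, challenge: str) -> str:
    """Client side of a cryptographic challenge-response: prove knowledge of the
    shared secret by keying an HMAC over the challenge, never sending the secret."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()


class ChallengeResponseVerifier:
    """Server side: issues random single-use challenges and checks responses."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._outstanding = set()  # challenges issued but not yet answered

    def issue_challenge(self) -> str:
        nonce = secrets.token_hex(16)  # 128-bit random challenge
        self._outstanding.add(nonce)
        return nonce

    def verify(self, challenge: str, response: str) -> bool:
        # Reject challenges we never issued and ones already consumed (no replay).
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = compute_response(self._secret, challenge)
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(expected, response)


def compare_schemes():
    """Return a dict of outcomes showing where each scheme holds and where it fails."""
    results = {}

    # An impostor who gathered these facts (employer, charity forms, social sites,
    # a breached job site) holds the complete, permanent set of right answers.
    gathered = dict(CUSTOMER)
    results["static_impostor_passes"] = knowledge_based_check(CUSTOMER, gathered)
    # A recorded call can be re-submitted indefinitely: nothing about it changes.
    recorded_call = dict(gathered)
    results["static_replay_passes"] = knowledge_based_check(CUSTOMER, recorded_call)

    secret = b"constructed-shared-secret-for-this-example"
    bank = ChallengeResponseVerifier(secret)

    c1 = bank.issue_challenge()
    r1 = compute_response(secret, c1)          # legitimate customer's token
    results["crypto_legit_passes"] = bank.verify(c1, r1)
    # Replaying the exact same exchange fails: the challenge was consumed.
    results["crypto_replay_fails"] = not bank.verify(c1, r1)
    # An eavesdropped response is useless against a fresh challenge.
    c2 = bank.issue_challenge()
    results["crypto_old_response_fails"] = not bank.verify(c2, r1)
    # A challenge the bank never issued is rejected even with a correct HMAC.
    forged = "00" * 16
    results["crypto_unissued_challenge_fails"] = not bank.verify(
        forged, compute_response(secret, forged)
    )
    return results


if __name__ == "__main__":
    for name, ok in compare_schemes().items():
        print(f"{name}: {ok}")
```

Every entry of the returned dict is True: the static scheme admits anyone holding the gathered facts, while the nonce-based scheme rejects replayed and unissued challenges without the secret ever crossing the phone line.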

Saturday, 25 August 2007

SELinux & Access Controls - 3

What is SELinux ?

SELinux was originally developed by the NSA. SELinux is an operating system based on Linux which includes Mandatory Access Control. With SELinux you can define explicit rules about which subjects (users, programs) can access which objects (files, devices). You could think of it as an internal firewall, which gives you the ability to separate programs and thereby ensure a high level of security within the operating system. SELinux is implemented as an LSM and utilises the LSM kernel interface.

So, what is LSM?

LSM (Linux Security Modules) is an extension of the Linux kernel which allows security systems to be easily added to the kernel. The LSM homepage is at lsm.immunix.org.

Why should I run SELinux?

Because SELinux gives you the ability to secure processes from each other within the system. For example, if you have a web server on the Internet which is also serving Email and DNS then you would not want a vulnerability in the web server process allowing the attacker access to corrupt your DNS server. SELinux is one of the very few practical operating systems available which can provide such a level of protection.

What does SELinux do that others can't?

In a conventional Unix/Linux system, access control is under the control of the user. The user chooses the other users that may access the files that the user owns. SELinux is under the control of the security administrator. This includes the files that the user owns. Even if the user wants a specific other user to have access to a file, if that user is not in a domain containing the other user (i.e., both in the same domain), then the other user still cannot access the file. The difference is mandatory access vs discretionary access. As far as the system files go, if all are carefully given appropriate ACLs, then they can be protected. However, if the root account is hacked, the files are still vulnerable. If a SELinux system is hacked, unless the hack itself contains an all-powerful label/domain, the hack still doesn't have access to all of the files, only those belonging to the domain of the hacked daemon.

How does SELinux work?

Security mechanisms like file permissions or user account passwords are Discretionary Access Control (DAC) systems. They are referred to as “discretionary” because every object (files and directories) has an owner, access to objects is based on user identity, and users (the object owner or root) are able to grant access to other users at their discretion. In contrast, SELinux is a Mandatory Access Control (MAC) system. Access to objects is controlled by a system-wide policy, regardless of the ownership of any object, and enforced by the kernel. Users, including the root user, cannot grant other users access to their objects in violation of the policy. Using a MAC security system requires a different mindset. When people first encounter a permission violation enforced by SELinux, they often try to diagnose the problem by checking the ownership of the file and the read/write/execute permissions on the object. But even if the ownership and permissions are correct, the access is still blocked. The user and file/directory ownership are not the deciding factor with SELinux; the policy is.

Why is this distinction important? Here's an example. Let's say that you're running an HTTP server for a retail web site paired with a MySQL database containing customer data (including credit card information). The software that runs the web site has a security vulnerability. If someone breaks into the server, what's the risk to your system? It's just the web server, right? Wrong! Suppose the attacker is able to obtain a root shell. With root on a non-SELinux system, he can access your credit card database. Once the attacker gains access through the web server, the whole system is at risk. If this same system were protected by SELinux, the attacker might be able to use the vulnerability to break into the web server, but he would be prevented from touching the database or any other part of the system, even if he got a root shell (barring a kernel or policy flaw that lets him leave the web server's domain): SELinux would only allow the httpd process to talk to the database over the channel the policy permits, in this example the named pipe. In other words, with SELinux, you don't trust the application, which may be buggy, insecure, or compromised, to secure itself. You rely on the SELinux policy.

This diagram illustrates the httpd web server example:

Fig 1. httpd web server example

SELinux provides security to a system in a way similar to a ship or submarine’s design. They are divided into multiple water-tight compartments. If the ship springs a leak in any one compartment, only that compartment will fill up with water.

The following diagrams illustrate this difference:

Fig 2. Discretionary and mandatory access control diagrams

Reference:

1- The UnOfficial SELinux FAQ

2- RedHat Magazine – SELinux step-by-step by Dan Walsh

3- NSA – what is new in SELinux

Monday, 20 August 2007

Identification and Authentication

What is the I&A?

It is the process by which a user provides a claimed identity to the system, together with the credential needed to authenticate that identity, and the system validates both. If the information is correct, the user is granted access as a legitimate user; otherwise access is denied.

What are the common vulnerabilities of I&A?

  • Weak authentication methods.
  • The potential for users (such as system administrators) to bypass the authentication mechanism.
  • Lack of confidentiality and integrity for the stored authentication information.
  • Lack of encryption and protection of authentication information transmitted over the network.
  • Users' lack of awareness of the risks of sharing their authentication information.

Are identification and authentication different?

Yes, identification is completely different from authentication, for the following reasons:

  • The meaning of each is different.
  • The methods and techniques supporting them are different.
  • The requirements in terms of secrecy and management of each are different.
  • An identity has attributes such as a name and a validity date; an authenticator has no such attributes.
  • An identity does not normally change, while authentication tokens whose strength depends on secrecy must be changed regularly.

What are the types of I&A?

  • Logon IDs and Passwords
  • One Time Passwords, Token Devices
  • Biometrics
    • Palm
    • Hand geometry
    • Iris
    • Retina
    • Fingerprint
    • Face
    • Signature recognition
    • Voice recognition

Reference: ISACA

Friday, 17 August 2007

DNS rebinding

Imagine visiting a blog on a social site or checking your email on a portal like Yahoo's Webmail. While you are reading the Web page, JavaScript code is downloaded and executed by your Web browser. It scans your entire home network, detects and determines your Linksys router model number, and then sends commands to the router to turn on wireless networking and turn off all encryption.

What is this?

It is DNS rebinding, also known as the Princeton attack.

DNS rebinding attacks subvert the same-origin policy and convert browsers into open network proxies. The basis of the attack is rather old: it was described by researchers at Princeton University in 1996.

What is the same-origin policy?

The same origin policy prevents document or script loaded from one origin from getting or setting properties of a document from a different origin. The policy dates from Netscape Navigator 2.0.

Mozilla considers two pages to have the same origin if the protocol, port (if given), and host are the same for both pages. To illustrate, this table gives examples of origin comparisons to the URL http://store.company.com/dir/page.html.

URL                                              Outcome   Reason
http://store.company.com/dir2/other.html         Success
http://store.company.com/dir/inner/another.html  Success
https://store.company.com/secure.html            Failure   Different protocol
http://store.company.com:81/dir/etc.html         Failure   Different port
http://news.company.com/dir/other.html           Failure   Different host

There is one exception to the same origin rule. A script can set the value of document.domain to a suffix of the current domain. If it does so, the shorter domain is used for subsequent origin checks. For example, assume a script in the document at http://store.company.com/dir/other.html executes this statement:

document.domain = "company.com";

After execution of that statement, the page would pass the origin check with http://company.com/dir/page.html.

However, using the same reasoning, company.com could NOT set document.domain to othercompany.com.

What are open network proxies?

Generally, a proxy server allows users within a network group to store and forward internet services such as DNS or web pages so that the bandwidth used by the group is reduced and controlled. With an "open" proxy, however, any user on the Internet is able to use this forwarding service. By using some open proxies (the so-called "anonymous" open proxies), users can conceal their true IP address from the accessed service, and this is sometimes used to abuse or interrupt that service, potentially violating its terms of service or the law; open proxies are therefore often seen as a problem. It is possible for a computer to be running an open proxy server without knowledge of the computer's owner. This can be the result of misconfiguration of proxy software running on the computer, or of infection with malware (viruses, trojans or worms) designed for this purpose.

What can this attack do?

  • Circumvent firewalls to access internal documents and services.
  • Send spam and defraud pay-per-click advertisers.
  • Obtain the (internal) IP address of the host running the web browser.
  • Port-scan the LAN to locate intranet HTTP servers.
  • Fingerprint those HTTP servers using well-known URLs.
  • And (sometimes) exploit them via CSRF (cross-site request forgery).

How DNS Rebinding Works

DNS rebinding allows an attacker to completely bypass the same origin policy. It does this by dynamically switching the target IP address for a host name the attacker controls. One scenario might work like this:

  1. You connect to egyptrose.com (the attacker's domain), which resolves to IP 69.17.8.14 with a very short TTL, 1 or 2 seconds.
  2. 69.17.8.14 delivers some JavaScript code to your browser that waits roughly 15 seconds before acting (check the references for the exact timing).
  3. The DNS server in control of *.egyptrose.com immediately points egyptrose.com to 192.168.2.1, an address on your internal network.
  4. 15 seconds later the JavaScript in your browser connects to egyptrose.com again. The host name is unchanged, so the same-origin policy is satisfied, but the cached record has expired, the browser re-resolves the name, and the request retrieves a web page from your internal server at 192.168.2.1.
  5. The DNS server resets egyptrose.com to 69.17.8.14 and, after some period of time, your browser reconnects and sends 69.17.8.14 its findings.

Socket in Flash

Flash Player 9.0 and higher (ActionScript 3.0) has a Socket class. Quoted from the documentation: "The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols." This is really great for attackers. With anti-DNS-pinning plus Socket, an attacker can:

  • Scan any IP addresses and any ports in intranets (and on the Internet).
  • Make the user's browser send shellcode to any host.
  • Make the user's browser send spam e-mails.
  • Use the user's browser as a proxy (stepping stone).
  • Break any IP-address-based authentication.
  • Exploit protocols other than HTTP.
  • ... and maybe more.

Java Applet

Java applets are relatively safe because the Java VM "pins" DNS by default; Sun's engineers know about DNS spoofing attacks. Quoted from the InetAddress Javadoc: "The positive caching is there to guard against DNS spoofing attacks ... networkaddress.cache.ttl (default: -1). A value of -1 indicates 'cache forever'." But in some situations (LiveConnect, or a browser with a proxy enabled) a Java applet is vulnerable to the anti-DNS-pinning attack as well.

Defending Against DNS Rebinding

There have been a number of suggestions made, as far as defending your network against this kind of attack:

  • Disabling the Flash plug-in, JavaScript and any other plug-ins.

  • Using a personal firewall that restricts the browser to outbound connections on ports 80 and 443 only.

  • Making sure all your web sites have no default virtual host, but instead require a valid Host header, so that a request carrying an attacker's host name that arrives at your server's IP address is refused.

  • For more information about defenses, please read the paper "Protecting Browsers from DNS Rebinding Attacks".

References:

  1. Slashdot
  2. Wikipedia
  3. SPIDynamic
  4. Princeton University, Department of Computer Science
  5. Flash scanning.

Saturday, 4 August 2007

Passing your company security policy

This is a great article by Vauhini Vara. It highlights a very important problem, the weakest link in IT security: human behaviour. A company builds its security policy and security controls, but employees are always looking for ways to bypass them. A video by Mark Lobel of PricewaterhouseCoopers describes the most common things employees do on the Internet that jeopardize company security.

  1. How to send giant files?

Use online services such as YouSendIt Inc., SendThisFile Inc. and Carson Systems Ltd.'s DropSend, which let you send large files.

  2. How to use software your company won't let you download?

There are two easy ways around this: finding Web-based alternatives or bringing in the software on an outside device.

The first is easier. Say your company won't let you download the popular AOL Instant Messenger program, from Time Warner Inc.'s AOL unit. You can still instant-message with colleagues and friends using a Web-based version of the service called AIM Express (AIM.com/aimexpress.adp).

The other approach to this problem is more involved but gives you access to actual software programs on your computer. There is a company called Rare Ideas LLC (RareIdeas.com), which offers free versions of popular programs such as Firefox and OpenOffice. You can download the software onto a portable device like an iPod or a USB stick, through a service called Portable Apps (PortableApps.com). Then hook the device up to your work computer, and you're ready to go. (But if your company blocks you from using external devices, you're out of luck.)

  3. How to visit websites your company blocks?

By using proxy web sites, so you can see the site without actually visiting it. Proxy.org, for one, features a list of more than 4,000 proxies. Another way is to use Google's translation service, asking it to do an English-to-English translation.

  4. How to clear your tracks on your work laptop?

  5. How to search for your work documents from home?

First, you'll need to set up a Google account on both machines by visiting Google.com/accounts. (Be sure to use the same account on both computers.) Then go to Desktop.Google.com to download the search software. When it's up and running (again, do this on both machines) click on Desktop Preferences, then Google Account Features. From there, check the box next to Search Across Computers. After that point, any document you open on either machine will be copied to Google's servers and will be searchable from either machine.

  6. How to store work files online?

Use an online-storage service from the likes of Box.net Inc., Streamload Inc. or AOL-owned Xdrive. (Box.net also offers its service inside the social-networking site Facebook.) Another guerrilla storage solution is to email files to your private, Web-based email account, such as Gmail or Hotmail.

  7. How to keep your privacy when using web email?

When checking email, add an "s" to the end of the "http" in front of your email provider's Web address, for instance https://www.Gmail.com. This puts you into a secure session, so that the content of your email cannot be read on the network. Not all Web services may support this, however. (HTTPS protects the session in transit; it does not hide your activity from monitoring software installed on a company-managed machine.)

To encrypt IM conversations, meanwhile, try the IM service Trillian from Cerulean Studios LLC, which lets you connect to AOL Instant Messenger, Yahoo Messenger and others, and lets you encrypt your IM conversations so that they can't be read.

  8. How to access your work email remotely when your company won't spring for a BlackBerry?

In Microsoft Outlook, you can do this by right-clicking on any email, choosing Create Rule, and asking that all your email be forwarded to another address. Then, set up your hand-held to receive your personal email, by following instructions from the service provider for your hand-held.

  9. How to access your personal email on your BlackBerry?

  10. How to look like you are working?

Hit Alt-Tab to quickly minimize one window and maximize another.

Reference: The Wall Street Journal