Wednesday, 29 August 2007

Challenge-Response authentication isn't enough

A question has been on my mind since I came to the UK: why do banks still use challenge-response authentication to identify callers on the phone?

What is Challenge-Response?

Challenge-response authentication is a family of protocols in which one party presents a question (the "challenge") and another party must provide a valid answer (the "response") to be authenticated.

When I came to the UK I opened an account with one of the high-street banks. I found that they have a weak authentication system for their e-banking service (for example, the passcode may only contain alphanumeric characters), and their customer service staff use challenge-response questions to identify callers.

Here is how they do their identification on the phone:

Customer Service (CS): Hello Sir, may I take your account number please?
Me: It is XXXX-XXXX-XXXX
CS: How can I help you, Sir?
Me: I need ..... please.
CS: May I know your surname please?
Me: Galal
CS: I'd like to go through some security questions with you before I proceed with your request.
Me: Okay
CS: What is your date of birth?
Me: XX-XX-XXXX
CS: What is your post code?
Me: XXXX-XXXX
CS: What is your house number please?
Me: XXXXX
CS: May I know the last transaction you made from your account, please?
Me: I withdrew £1 two days ago.
CS: That is enough, Sir. You have been identified and I will proceed with your request right now.

As we can see, this is nowhere near enough to identify a caller on the phone. Why?

Referring to the “Identification & Authentication” post below, identification should be combined with a strong authentication process. Also, most of the questions asked can be answered with information gathered easily from many sources:

  1. Social engineering against your current employer to gather this information about you.
  2. If you applied for voluntary work or any social activity, as I did, they hold most of this information.
  3. Social sites like Facebook and MySpace, etc.
  4. Data exposed by attacks on sites like Monster.com or other sites that hold users' information.

But you may say to me: none of the above sources has the information about your last transaction.

Yes, you are right, but that can also be compromised. How?

Well, by using some of the social engineering techniques that are explained well in “The Art of Deception” by Kevin Mitnick.

Using challenge-response authentication is simple, especially over the phone, and it is easy for end users to remember the answers to the questions asked. But strictly these are static knowledge-based questions: the "challenge" is the same on every call and the "response" is a fact about you rather than a secret that only you hold, which is exactly why it can be collected in advance and replayed. It is not enough to rely on it as the only method of identification nowadays.
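To make the difference concrete, here is an added example (not from the original post, and not any bank's procedure) that models both approaches: the bank's static questions, compared against facts on file, and a genuine challenge-response where the caller holds a secret key K (assumed to live in a token or card reader) and answers a fresh random challenge with HMAC(K, challenge). The sample answers, key and hostnames are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the static "security questions" an agent asks, and
# the answers an attacker can collect from public sources (these are made up).
STATIC_QUESTIONS = {
    "date_of_birth": "1980-01-01",
    "post_code": "AB1 2CD",
    "house_number": "42",
}


def static_kba_check(stored, supplied):
    """The bank's procedure: the same questions on every call, compared with
    facts on file. Whoever has collected those facts passes, every time."""
    return set(supplied) == set(stored) and all(stored[k] == v for k, v in supplied.items())


# --- real challenge-response (hypothetical token, assumed for this example) --

def new_challenge():
    """A fresh random challenge; a different one is issued on every call."""
    return secrets.token_bytes(16)


def respond(key, challenge):
    """The token's answer: HMAC-SHA256 over the challenge. K never leaves the token."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def verify(key, challenge, response):
    """Bank side: recompute and compare in constant time."""
    return hmac.compare_digest(respond(key, challenge), response)


def demo():
    key = secrets.token_bytes(32)          # shared secret K, held by customer and bank
    results = {}

    # 1. Static questions: an attacker holding the gathered facts passes.
    attacker_answers = dict(STATIC_QUESTIONS)   # gathered from Facebook, employer, ...
    results["static_attacker_passes"] = static_kba_check(STATIC_QUESTIONS, attacker_answers)

    # 2. Challenge-response: the legitimate key holder passes.
    c1 = new_challenge()
    r1 = respond(key, c1)
    results["legit_passes"] = verify(key, c1, r1)

    # 3. An attacker who overheard (c1, r1) replays r1 against the next challenge: fails.
    c2 = new_challenge()
    results["replay_fails"] = not verify(key, c2, r1)

    # 4. An attacker who knows every static fact but not K still cannot answer.
    guessed_key = hashlib.sha256(b"1980-01-01AB1 2CD42").digest()
    results["facts_without_key_fail"] = not verify(key, c2, respond(guessed_key, c2))
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is in items 3 and 4: because the challenge is random and fresh, an overheard response is useless on the next call, and public facts about the customer give the attacker nothing to compute from.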

Saturday, 25 August 2007

SELinux & Access Controls - 3

What is SELinux ?

SELinux was originally developed by the NSA. It is a security extension to the Linux kernel that adds Mandatory Access Control. With SELinux you can define explicit rules about which subjects (users, programs) can access which objects (files, devices). You could think of it as an internal firewall, which gives you the ability to separate programs and thereby ensure a high level of security within the operating system. SELinux is implemented as an LSM and uses the LSM kernel interface.

So,What is LSM ?

LSM (Linux Security Modules) is an extension of the Linux kernel which allows security systems to be easily added to the kernel. The LSM homepage is at lsm.immunix.org

Why should I run SELinux?

Because SELinux gives you the ability to isolate processes from each other within the system. For example, if you have a web server on the Internet which is also serving email and DNS, you would not want a vulnerability in the web server process to give the attacker the ability to corrupt your DNS server. SELinux is one of the very few practical systems available that can provide this level of protection.

What does SELinux do that others can't ?

In a conventional Unix/Linux system, access control is under the control of the user: the user chooses which other users may access the files the user owns. Under SELinux, access is under the control of the security administrator, and this includes the files a user owns. Even if a user wants another specific user to have access to a file, if the policy does not allow that other user's domain to access the file's type, the other user still cannot access it. The difference is mandatory versus discretionary access control. As far as system files go, if all are carefully given appropriate permissions, they can be protected; however, if the root account is compromised, the files are still vulnerable. If a SELinux system is compromised, unless the exploit itself ends up in an all-powerful label/domain, it still does not have access to all of the files, only those the domain of the compromised daemon is allowed to reach.

How does SELinux work?

Mechanisms like file permissions or user account passwords are Discretionary Access Control (DAC) systems. They are called “discretionary” because every object (files and directories) has an owner, access to objects is based on user identity, and users (the object owner or root) are able, at their discretion, to grant access to other users. In contrast, SELinux is a Mandatory Access Control (MAC) system. Access to objects is controlled by a system-wide policy, enforced by the kernel, regardless of who owns the object. Users, including the root user, cannot grant other users access to their objects in violation of the policy. Using a MAC system requires a different mindset. When people first encounter a permission violation enforced by SELinux, they often try to diagnose the problem by checking the ownership of the file and the read/write/execute permissions on the object. But even if the ownership and permissions are correct, the access is still blocked. The user and file/directory ownership are not the deciding factor with SELinux; the policy is.

Why is this distinction important? Here’s an example. Let’s say that you’re running an HTTP server for a retail web site paired with a MySQL database containing customer data (including credit card information). The software that runs the web site has a security vulnerability. If someone breaks into the server, what’s the risk to your system? It’s just the web server, right? Wrong! Suppose the attacker is able to obtain a root shell. With root on a non-SELinux system, he can access your credit card database. Once the attacker gains access through the web server, the whole system is at risk. If this same system was protected by SELinux, the attacker might be able to use the vulnerability to break into the web server, but he would be prevented from touching the database or any other part of the system, even with a root shell. SELinux would only allow the httpd process to communicate with the database through the channel the policy permits (the named pipe in this example). In other words, with SELinux you don’t trust the application, which may be buggy, insecure, or compromised, to secure itself. You rely on the SELinux policy.

This diagram illustrates the httpd web server example:

Fig 1. httpd web server example
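To show why the root shell in the scenario above gets nowhere, here is an added example (not from the original post, and a deliberately simplified model rather than the real kernel code): a toy access check that runs the discretionary test first and then a type-enforcement lookup in the spirit of an SELinux rule such as "allow httpd_t httpd_sys_content_t:file { read getattr };". The file paths, UIDs, type names and rules are constructed for the example; roles, MLS and object classes other than file are omitted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class File:
    path: str
    owner_uid: int
    mode: int        # Unix permission bits, e.g. 0o640
    setype: str      # SELinux type label, e.g. "mysqld_db_t"


@dataclass(frozen=True)
class Process:
    uid: int
    domain: str      # SELinux domain the process runs in, e.g. "httpd_t"


# Constructed type-enforcement rules: (domain, type) -> permitted file permissions.
# Note there is no rule at all for httpd_t on mysqld_db_t.
POLICY = {
    ("httpd_t", "httpd_sys_content_t"): {"read", "getattr"},
    ("httpd_t", "httpd_log_t"): {"append", "getattr"},
    ("mysqld_t", "mysqld_db_t"): {"read", "write", "getattr"},
}


def dac_allows(p, f, perm):
    """Discretionary check: uid 0 bypasses everything; otherwise owner/other bits
    (group bits ignored to keep the model short)."""
    if p.uid == 0:
        return True
    bit = {"read": 4, "getattr": 4, "write": 2, "append": 2}[perm]
    if p.uid == f.owner_uid:
        return bool((f.mode >> 6) & bit)
    return bool(f.mode & bit)


def mac_allows(p, f, perm):
    """Type enforcement: an allow rule for (domain, type) must exist. The uid,
    including uid 0, plays no part in this decision."""
    return perm in POLICY.get((p.domain, f.setype), set())


def access(p, f, perm, selinux_enforcing=True):
    """DAC is consulted first, as in the kernel; SELinux can only deny further."""
    if not dac_allows(p, f, perm):
        return False
    if selinux_enforcing and not mac_allows(p, f, perm):
        return False
    return True


def scenario():
    # The attacker has turned a web-server bug into a root shell; the shell
    # inherits httpd's domain because the policy gave it no transition out.
    attacker = Process(uid=0, domain="httpd_t")
    index = File("/var/www/html/index.html", 48, 0o644, "httpd_sys_content_t")
    cards = File("/var/lib/mysql/shop/cards.ibd", 27, 0o660, "mysqld_db_t")
    return {
        "no_selinux_root_reads_db": access(attacker, cards, "read", selinux_enforcing=False),
        "selinux_root_reads_db": access(attacker, cards, "read"),
        "selinux_root_reads_web_content": access(attacker, index, "read"),
        "mysqld_reads_db": access(Process(uid=27, domain="mysqld_t"), cards, "read"),
    }


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Run it and compare the first two results: the same root process reading the same database file is allowed by DAC alone and denied once the policy is enforced, because no rule grants httpd_t anything on mysqld_db_t. On a real system the equivalent check is `ls -Z` on the file and `ps -eZ` on the process, then reading the denial in the audit log.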

SELinux provides security to a system in a way similar to a ship or submarine’s design. They are divided into multiple water-tight compartments. If the ship springs a leak in any one compartment, only that compartment will fill up with water.

The following diagrams illustrate this difference:

Fig 2. Discretionary and mandatory access control diagrams

Reference:

1- The UnOfficial SELinux FAQ

2- RedHat Magazine – SELinux step-by-step by Dan Walsh

3- NSA – what is new in SELinux

Monday, 20 August 2007

Identification and Authentication

What is the I&A?

It is the process by which a user provides a claimed identity to the system, together with the credential needed to authenticate that identity, and the system validates both. If the information is correct the user gains access as a legitimate user; otherwise access is denied.

What are the common vulnerabilities of I&A?

  • Weak authentication methods.
  • The potential for users (such as system administrators) to bypass the authentication mechanism.
  • Lack of confidentiality and integrity for the stored authentication information.
  • Lack of encryption and protection of authentication information transmitted over the network.
  • Users' lack of awareness of the risks of sharing their authentication information.

Are identification and authentication different?

Yes, identification is completely different from authentication, because:

  • The meaning of each is different.
  • The methods and techniques supporting them are different.
  • The requirements in terms of secrecy and management of each are different.
  • An identity has attributes, such as a name and a validity date; an authenticator does not.
  • An identity does not normally change, while authentication tokens bound to secrecy must be regularly changed.

What are the types of I&A?

  • Logon IDs and Passwords
  • One Time Passwords, Token Devices
  • Biometrics
    • Palm
    • Hand geometry
    • Iris
    • Retina
    • Fingerprint
    • Face
    • Signature recognition
    • Voice recognition

Reference: ISACA

Friday, 17 August 2007

DNS rebinding

Imagine visiting a blog on a social site or checking your email on a portal like Yahoo’s Webmail. While you are reading the web page, JavaScript code is downloaded and executed by your web browser. It scans your entire home network, detects and determines your Linksys router model number, and then sends commands to the router to turn on wireless networking and turn off all encryption.

What on earth is this?

It is DNS rebinding, originally known as the "Princeton attack".

DNS rebinding attacks subvert the same-origin policy and convert browsers into open network proxies. The basis of the attack is rather old: it was described by researchers at Princeton University in 1996.

What is the same-origin policy?

The same-origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin. The policy dates from Netscape Navigator 2.0.

Mozilla considers two pages to have the same origin if the protocol, port (if given), and host are the same for both pages. To illustrate, this table gives examples of origin comparisons to the URL http://store.company.com/dir/page.html.

URL                                              Outcome   Reason
http://store.company.com/dir2/other.html         Success
http://store.company.com/dir/inner/another.html  Success
https://store.company.com/secure.html            Failure   Different protocol
http://store.company.com:81/dir/etc.html         Failure   Different port
http://news.company.com/dir/other.html           Failure   Different host

There is one exception to the same origin rule. A script can set the value of document.domain to a suffix of the current domain. If it does so, the shorter domain is used for subsequent origin checks. For example, assume a script in the document at http://store.company.com/dir/other.html executes this statement:

document.domain = "company.com";

After execution of that statement, the page would pass the origin check with http://company.com/dir/page.html.

However, using the same reasoning, company.com could NOT set document.domain to othercompany.com.

What are open network proxies?

Generally, a proxy server allows users within a network group to cache and forward Internet services such as DNS or web pages so that the bandwidth used by the group is reduced and controlled. With an "open" proxy, however, any user on the Internet is able to use this forwarding service. By using some open proxies (the so-called "anonymous" open proxies), users can conceal their true IP address from the accessed service, and this is sometimes used to abuse or disrupt that service, potentially violating its terms of service or the law; open proxies are therefore often seen as a problem. It is possible for a computer to be running an open proxy server without the knowledge of the computer's owner. This can be the result of misconfiguration of proxy software running on the computer, or of infection with malware (viruses, trojans or worms) designed for this purpose.

What can this attack do?

  • Circumvent firewalls to access internal documents and services.
  • Send spam and defraud pay-per-click advertisers.
  • Obtain the (internal) IP address of the host running the web browser.
  • Port-scan the LAN to locate intranet HTTP servers.
  • Fingerprint those HTTP servers using well-known URLs.
  • And (sometimes) exploit them via CSRF (cross-site request forgery).

How DNS Rebinding Works

DNS rebinding allows an attacker to completely bypass the same-origin policy. It does this by dynamically switching the target IP address of a host name the attacker controls. One scenario might work like this:

  1. You connect to egyptrose.com, which resolves to IP 69.17.8.14 with a very short TTL (1 or 2 seconds).
  2. 69.17.8.14 delivers some JavaScript code to your browser that is set to execute roughly 15 seconds later (check the reference for the exact timing).
  3. The DNS server in control of *.egyptrose.com immediately points egyptrose.com to 192.168.2.1.
  4. 15 seconds later, the JavaScript in your browser connects to egyptrose.com, in compliance with the same-origin policy (the host name has not changed), and retrieves a web page from your internal server at 192.168.2.1.
  5. The DNS server resets egyptrose.com to 69.17.8.14 and, after some period of time, your browser reconnects and sends 69.17.8.14 its findings.

Socket in FLASH

Flash has a Socket class in the new version of Flash Player (version 9.0 or higher, ActionScript 3.0).

--Quoted from the documentation--
The Socket class enables ActionScript code to make socket connections and to read and write raw binary data. The Socket class is useful for working with servers that use binary protocols.
----

This is really great for attackers. With anti-DNS pinning + Socket, an attacker can:

  • scan any IP addresses and any ports in intranets (and the Internet);
  • make the user's browser send shellcode to any host;
  • make the user's browser send spam emails;
  • use the user's browser as a proxy (stepping stone);
  • break any IP-address-based authentication;
  • exploit protocols other than HTTP;
  • ... and maybe more.

Java Applet

Java applets are relatively secure because the Java VM "pins" DNS by default; Sun's engineers know about DNS spoofing attacks. From the InetAddress Javadoc:

--Quoted from the documentation--
The positive caching is there to guard against DNS spoofing attacks ... networkaddress.cache.ttl (default: -1). A value of -1 indicates "cache forever".
----

But in some situations (LiveConnect, or using the browser with a proxy enabled), a Java applet is vulnerable to the anti-DNS-pinning attack as well.

Defending Against DNS Rebinding

There have been a number of suggestions for defending your network against this kind of attack, including:

  • disabling the Flash plug-in, JavaScript and any other plug-ins;
  • using a personal firewall to restrict the browser to ports 80 and 443, so that a rebound connection cannot reach other services;
  • making sure all your web sites have no default virtual host and instead require a valid Host header: the rebound request still carries the attacker's host name in Host, so a server that only answers for names it actually serves rejects it;
  • having the resolver refuse private-range answers for external names (for example, the --stop-dns-rebind option in dnsmasq), so that egyptrose.com can never resolve to 192.168.2.1 inside your network.

For more information about defenses, please read the paper “Protecting Browsers from DNS Rebinding Attacks”.
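The five-step scenario under "How DNS Rebinding Works" and the defenses just listed can be run end to end in a small model. The following is an added example (not from the original post, and no real browser, resolver or server code): a toy attacker-controlled DNS server that flips its answer after the page has loaded, a toy browser that either honours the TTL or pins the first answer, and two versions of the intranet server, one with a default virtual host and one that requires a Host header it serves. The host names, IP addresses and page bodies are the constructed values from the scenario above; the intranet name wiki.corp.local is an assumption.

```python
import ipaddress


class AttackerDNS:
    """Authoritative server for the attacker's name. It answers with the public
    IP and a 1-second TTL first; once the page and its script are loaded, it
    answers with the LAN address of the victim's internal server instead."""

    def __init__(self, name, public_ip, target_ip):
        self.name, self.public_ip, self.target_ip = name, public_ip, target_ip
        self.rebound = False

    def resolve(self, name):
        if name != self.name:
            raise KeyError(name)
        return (self.target_ip if self.rebound else self.public_ip), 1   # (ip, ttl seconds)


class Browser:
    """Toy browser. pin=True keeps the first answer for the page's lifetime
    (DNS pinning); pin=False re-resolves once the TTL has expired.
    block_private=True models a resolver that refuses private-range answers."""

    def __init__(self, dns, pin=False, block_private=False):
        self.dns, self.pin, self.block_private = dns, pin, block_private
        self.now = 0.0
        self.cache = {}          # name -> (ip, expires_at)

    def lookup(self, name):
        cached = self.cache.get(name)
        if cached and (self.pin or self.now < cached[1]):
            return cached[0]
        ip, ttl = self.dns.resolve(name)
        if self.block_private and ipaddress.ip_address(ip).is_private:
            return None
        self.cache[name] = (ip, self.now + ttl)
        return ip

    def fetch(self, name, network):
        # The same-origin check only compares the host *name*, which never changes;
        # nothing here asks which address that name currently points at.
        ip = self.lookup(name)
        if ip is None:
            return "blocked: private address for external name"
        return network.request(ip, host_header=name)


class Network:
    def __init__(self, servers):         # ip -> handler(host_header) -> response body
        self.servers = servers

    def request(self, ip, host_header):
        return self.servers[ip](host_header)


def attacker_site(host):
    return "attacker page + rebinding script"


def intranet_default_vhost(host):
    return "SECRET intranet page"        # answers whatever Host header it is sent


def intranet_strict_vhost(host):
    # Defense from the text: no default virtual host, only names we really serve.
    # The rebound request still says "Host: egyptrose.com", so it is refused.
    return "SECRET intranet page" if host == "wiki.corp.local" else "400 Bad Request: unknown Host"


def run(pin=False, strict_vhost=False, block_private=False):
    """Play the five steps and return what the script's second request got back."""
    dns = AttackerDNS("egyptrose.com", "69.17.8.14", "192.168.2.1")
    net = Network({
        "69.17.8.14": attacker_site,
        "192.168.2.1": intranet_strict_vhost if strict_vhost else intranet_default_vhost,
    })
    browser = Browser(dns, pin=pin, block_private=block_private)
    browser.fetch("egyptrose.com", net)   # steps 1-2: page and script loaded
    dns.rebound = True                     # step 3: attacker flips the record
    browser.now += 15                      # step 4: script fires after the TTL expired
    return browser.fetch("egyptrose.com", net)


if __name__ == "__main__":
    print("no defense     :", run())
    print("DNS pinning    :", run(pin=True))
    print("strict vhost   :", run(strict_vhost=True))
    print("private filter :", run(block_private=True))
```

With no defense the script's second request, which the same-origin policy allows because the host name is unchanged, lands on 192.168.2.1 and reads the internal page. Each of the three defenses breaks a different link: pinning stops the browser from ever re-resolving, the Host check makes the internal server refuse a request addressed to the attacker's name, and resolver filtering stops the private address from ever reaching the browser.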

References:

  1. Slashdot
  2. Wikipedia
  3. SPIDynamic
  4. Princeton University, Department of Computer Science
  5. Flash scanning.

Saturday, 4 August 2007

Passing your company security policy

This is a great article by Vauhini Vara. It highlights a very important problem and the weakest link in IT security: human behaviour. The company builds its security policy and security controls, but employees are always looking for ways to bypass these policies. Also, this video from Mark Lobel of PricewaterhouseCoopers describes the most common things employees do on the internet that jeopardize company security.

  1. How to send giant files?

Use online services such as YouSendIt Inc., SendThisFile Inc. and Carson Systems Ltd.'s DropSend, which let you send large files.

  2. How to use software that your company won't let you download?

There are two easy ways around this: finding web-based alternatives or bringing in the software on an outside device.

The first is easier. Say your company won't let you download the popular AOL Instant Messenger program, from Time Warner Inc.'s AOL unit. You can still instant-message with colleagues and friends using a Web-based version of the service called AIM Express (AIM.com/aimexpress.adp).

The other approach to this problem is more involved but gives you access to actual software programs on your computer. There is a company called Rare Ideas LLC (RareIdeas.com), which offers free versions of popular programs such as Firefox and OpenOffice. You can download the software onto a portable device like an iPod or a USB stick, through a service called Portable Apps (PortableApps.com). Then hook the device up to your work computer, and you're ready to go. (But if your company blocks you from using external devices, you're out of luck.)

  3. How to visit websites your company blocks?

Use proxy web sites, so you can see the site without actually visiting it. Proxy.org, for one, features a list of more than 4,000 proxies. Another way is to use Google's translation service, asking it to do an English-to-English translation.

  4. How to clear your tracks on your work laptop?
  5. How to search for your work documents from home?

First, you'll need to set up a Google account on both machines by visiting Google.com/accounts. (Be sure to use the same account on both computers.) Then go to Desktop.Google.com to download the search software. When it's up and running -- again, do this on both machines -- click on Desktop Preferences, then Google Account Features. From there, check the box next to Search Across Computers. After that point, any document you open on either machine will be copied to Google's servers -- and will be searchable from either machine.

  6. How to store work files online?

Use an online-storage service from the likes of Box.net Inc., Streamload Inc. or AOL-owned Xdrive. (Box.net also offers its service inside the social-networking site Facebook.). Another guerrilla storage solution is to email files to your private, Web-based email account, such as Gmail or Hotmail.

  7. How to keep your privacy when using web email?

When checking email, add an "s" to the end of the "http" in front of your email provider's web address, for instance https://www.Gmail.com. This puts you in an encrypted session, so that nobody on the network between you and the provider can read your email (it does not hide which site you are visiting). Not all web services support this, however.

To encrypt IM conversations, meanwhile, try the IM service Trillian from Cerulean Studios LLC, which lets you connect to AOL Instant Messenger, Yahoo Messenger and others -- and lets you encrypt your IM conversations so that they can't be read.

  8. How to access your work email remotely when your company won't spring for a BlackBerry?

In Microsoft Outlook, you can do this by right-clicking on any email, choosing Create Rule, and asking that all your email be forwarded to another address. Then set up your hand-held to receive your personal email, following the instructions from your hand-held's service provider.

  9. How to access your personal email on your BlackBerry?
  10. How to look like you are working?

Hit Alt-Tab to quickly minimize one window and maximize another.

Reference: The Wall Street Journal

Public Wi-Fi hot spots

Most of us nowadays can get internet access while we are in an airport or a coffee shop, thanks to Wi-Fi, which is a great and cheap feature. But who cares about the security threats of using this service? In 2001 I started to think about this issue and asked myself how to secure users' activities while they use a public Wi-Fi hot spot. I suggested using an enterprise authentication system, and I did a master's degree on this topic; my thesis title is "Wireless Enterprise Authentication System using Kerberos & LDAP".
At the last Black Hat event in Las Vegas, one of the co-founders of Errata Security announced a tool that can sniff data while a user is using public Wi-Fi. This tool is called FERRET.

What is FERRET (the data seepage monitor)?

  • It sniffs more than just passwords.
  • It sniffs legitimate operations rather than intrusions.
  • It sniffs protocols such as DHCP, SNMP, DNS, HTTP, AIM, MSN Messenger, Yahoo IM, ...
  • It lets you browse the captured data more easily using Ferret Viewer.

He used what he calls "data seepage"; his definition of it is: information that is broadcast or available via simple inquiry or spoofing that may not by itself seem critical but becomes more important as a piece of a larger puzzle. He gave a wonderful presentation which explains, with a demo, how by using this concept you can get access to users' personal information.

Reference: Errata Security