COMPUTER NETWORK
SECURITY AND DISASTER PREVENTION 

SPECIAL INTEREST GROUP

WEB HOME PAGE 

Mission Statement:  First – To learn how to protect our personal and business computers and network equipment from unwanted access (attacks) and other disasters, in order to protect our data and communications and to recover our systems from problems.  Second – To have fun.  (Not necessarily in that order!)

Past SIG Structure:  Monthly lectures from the SIG leader, guest speakers, equipment and software demonstrations, SIG members’ presentations, group discussions, and labs with setting up our own equipment.

Present SIG Structure:  Up-to-date Web site with the latest computer security information.  Annual special meetings will be held.  Time, date and room location will be announced once another meeting is scheduled.

Current Security Topics:  (New security issues that have developed over the past year)

1. NEW;  If you are using the AVG virus detection system (many at HAL-PC are), they have a new version 7 out now.  In fact, AVG is not supporting updates on any of their earlier versions as of the end of last year.  To keep current, you must upgrade to the latest version.  The new version is nicer and more reliable than their old version and it’s still free.  I am using it.

2. NEW; You can get a free certificate if you want to set up an SSL-type link or secure e-mail and you do not want to have to set up your own CA server or pay someone like Verisign for one.  You can read all about it in the April - June 2004 HAL-PC Magazine, page 45 (if you can still find one) or check it out at CAcert.org.

3. NEW; Every open port on a firewall or a router is a security risk. That's why a technique called "port knocking" can be valuable. Port knocking is a method of allowing access to firewalled services given a preconfigured "knock." The knock consists of a sequence of access attempts to closed ports on a system. These attempts are logged and a daemon, which is preconfigured to watch for the sequences, opens up the corresponding port.  This provides the advantage of being able to keep a port closed until it is needed.  To find out more, go to Portknocking.org.
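As an added illustration (not code from Portknocking.org or any knock daemon), the following Python replays a constructed log of connection attempts to closed ports and decides which hosts completed the knock in order and in time; the knock sequence, time window and protected port are hypothetical values.

```python
from dataclasses import dataclass

# Constructed knock policy (hypothetical values): hitting these three closed
# ports, in order, within KNOCK_WINDOW seconds opens PROTECTED_PORT to the host.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW = 10.0
PROTECTED_PORT = 22

@dataclass
class KnockState:
    index: int = 0        # how many ports of the sequence this host has matched
    started: float = 0.0  # timestamp of the first correct knock

def process_knocks(log, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Replay (timestamp, src_ip, dst_port) entries logged for connection
    attempts to closed ports.  Returns [(src_ip, timestamp)] for every host
    that completed the sequence in order and within the window.  A wrong port
    or an expired window discards the partial knock."""
    states, opened = {}, []
    for ts, src, port in sorted(log):
        st = states.setdefault(src, KnockState())
        if st.index and ts - st.started > window:
            st = states[src] = KnockState()          # too slow: start over
        if port == sequence[st.index]:
            if st.index == 0:
                st.started = ts
            st.index += 1
            if st.index == len(sequence):
                opened.append((src, ts))
                states[src] = KnockState()           # knock consumed
        else:
            st = states[src] = KnockState()          # wrong port: reset
            if port == sequence[0]:                  # ...but it may begin a new knock
                st.index, st.started = 1, ts
    return opened

def allow_connection(opened, src, port):
    """Daemon-side decision: only a host that completed the knock may reach
    PROTECTED_PORT; the knock ports themselves always stay closed."""
    return port == PROTECTED_PORT and any(h == src for h, _ in opened)

# Constructed log: (seconds, source IP, closed port that was probed)
SAMPLE_LOG = [
    (100.0, "192.0.2.10", 7000), (101.0, "192.0.2.10", 8000), (103.0, "192.0.2.10", 9000),  # right order, in time
    (100.0, "192.0.2.20", 8000), (101.0, "192.0.2.20", 7000), (102.0, "192.0.2.20", 9000),  # wrong order
    (100.0, "192.0.2.30", 7000), (105.0, "192.0.2.30", 8000), (115.0, "192.0.2.30", 9000),  # too slow
]
```

Only the first host gets the protected port opened; the other two leave nothing but log entries for closed ports, which is the point of keeping the service invisible until it is needed.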

4. There is a service pack 2 available for Windows XP that adds many new security features to the system.  Some of the items include:

- Malware attachment warnings

- Malware download warnings

- Pop-up blocker

- Firewall turned on by default

- Windows Security Center GUI that lets end users see and manage security settings

- Enhancements to auto updates, including improvements for dial-up users

- Better management of browser add-ons and e-mail addresses

- A new wireless deployment wizard useful for small businesses

- Buffer Overflow Protection

- Internet Explorer Restrictions

- MIME handling and MIME sniffing

- The NETSH command has been updated

- Installs IPv6 and firewalls it automatically

- RPC Restrictions

 

Some applications may have trouble running after this service pack is installed, most likely because the new firewall blocks a port the application needs in order to reach something else on the network.  In most cases the firewall can be set to allow these applications to function properly.

Microsoft posted a kit designed to help organizations test and update their internal apps for use with SP2. Called the "Application Compatibility Testing and Mitigation Guide for Windows XP Service Pack 2," it's available through the Microsoft Download Center.

The file, AppCompat-XPSP2.msi, is about 3MB.

NEW!  4a. Remember that, by default, Windows Firewall disables most incoming traffic except the basics like file and print sharing. Everything else -- Remote Desktop, Windows Messenger and so forth -- may require you to add an exception. Windows Firewall will normally offer to create the exception for you the first time you run an application, by popping up a dialog and asking if you'd like to keep blocking (don't create an exception) or stop blocking (create an exception) the application.

 

5. New desktop search engines are coming out (Google is one) and they can be security threats for your system.  Security risks can be posed to those who use SSL remote access because the tools copy material accessed during SSL sessions and make it available to unauthorized people who later use the same PC.  Also files, e-mail documents or attachments that you thought you deleted from your hard drive, may in fact still be in your system.  This also makes it easier for hackers to search the machines they have taken over.

NEW!  5a. There is now a tool available to help avert the problem above, called Foundstone SiteDigger 2.0.  SiteDigger uses search information gathered by Google to quickly pinpoint potentially damaging confidential or sensitive data.  It is a free download.  I haven’t tried this myself since I haven’t used the Google Search yet.

 

6. Encrypting your files on your computer adds a high degree of security for your system, but many users are afraid to use it because managing which files or folders are encrypted or not seems a hassle.  Use the Efsinfo.exe tool.  You can identify which folders or files are encrypted at a glance.  It also displays information about the user, recovery agent, and certificate.  You can download a copy of Efsinfo.exe from Microsoft's Web site.  For information on the syntax and options for this tool, type EFSINFO /? at a command prompt after installing Efsinfo.exe from its setup file.

 

7. Honey pots, whole machines dedicated to attracting and catching hackers, have been around for some time, but a new technique called honey drops is being used.  False admin accounts or enticing-looking files are set up as bait for hackers and are then monitored by an IDS, ISAPI filters, or the Microsoft auditing system viewed in the Event Viewer.  This is easier than dedicating a whole computer to the job, yet can be just as effective.

 

8. Most intrusion detection systems (IDSs) have been criticized for too many false positives (false alerts) and for missing too many attacks.  There is now a new technique called passive fingerprinting that can greatly improve their reliability.  Passive fingerprinting works by comparing key TCP and IP header information from the sender host with a "signature" database containing specifics of the target host.  The most common header identifiers are window size, time-to-live, DF bit, and total length.  We do not have the space here to go into those details, but if you are looking at IDSs, look for passive fingerprinting.
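To make the comparison concrete, here is an added Python sketch (not from the page or from any IDS product) of how an IDS can use the four header fields named above: it infers a host's operating system from a signature table and flags alerts whose exploit could not affect that OS as likely false positives. The signature values, sample headers and alert are constructed for illustration, and the false-positive-filtering use is this example's assumption about how the technique is applied.

```python
# Illustrative signature table keyed by (TCP window size, initial IP TTL,
# DF bit set, IP total length of the SYN).  The values are constructed for
# this example, not copied from a real fingerprint database.
SIGNATURES = {
    (65535, 128, True, 48): "Windows XP (illustrative)",
    (5840, 64, True, 60): "Linux 2.6 (illustrative)",
    (16384, 64, True, 44): "FreeBSD (illustrative)",
    (8760, 255, False, 44): "Solaris (illustrative)",
}
INITIAL_TTLS = (32, 64, 128, 255)

def initial_ttl(observed_ttl):
    """Each router hop decrements TTL by one, so the sender's initial TTL is
    the smallest common starting value that is >= the observed one."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return observed_ttl

def fingerprint(window, ttl, df, total_length):
    """Return the OS label whose signature matches the four header fields,
    or 'unknown' when nothing in the table matches."""
    return SIGNATURES.get((window, initial_ttl(ttl), df, total_length), "unknown")

def triage_alert(alert, syn):
    """Passive-fingerprinting check for an IDS alert.  `alert` names the OS
    family the signature's exploit affects; `syn` holds header fields captured
    from the host the alert concerns.  An alert whose exploit cannot affect the
    fingerprinted OS is flagged as a likely false positive; unknown hosts keep
    the alert so that a gap in the table never hides a real attack."""
    os_label = fingerprint(syn["window"], syn["ttl"], syn["df"], syn["len"])
    if os_label == "unknown" or alert["target_os"] in os_label:
        return "keep", os_label
    return "likely false positive", os_label

# Constructed SYN header fields and one alert for two hosts on one network.
LINUX_SYN = {"window": 5840, "ttl": 52, "df": True, "len": 60}      # 12 hops away
WINDOWS_SYN = {"window": 65535, "ttl": 117, "df": True, "len": 48}  # 11 hops away
WINDOWS_ALERT = {"sig": "Windows-only exploit signature (constructed)", "target_os": "Windows"}
```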

 

9. There are new password cracker tools out there called Brutus and Rainbow Crack (just to name a couple).  They can crack even some of the longest and hardest passwords in practically no time.  This makes it even more important to use really tough passwords, such as long phrases with lots of varied characters (combinations of letters, numbers, capitals, symbols, etc.), or to add smartcards or biometrics.  I can see a time coming shortly where passwords will not be effective at all or WAY too hard to remember.

 

10. A new study from CompTIA, the Computing Technology Industry Association, says 84% of 900 organizations that participated in this year's survey "blamed human error either wholly or in part for their last major security breach."  All these technology solutions are not going to do you much good if you are sloppy or ignorant of security practices.  That is one reason this web page exists!

 

11. I know you have all seen those small USB storage devices that attach to a key chain.  Those things can be a security headache.  They can easily and stealthily transfer data from any USB-equipped computer.  To help prevent this you can:

- Disable USB ports in BIOS (but then you can’t use it either).

- Assign certain users or groups the Deny permission on the files usbstor.pnf and usbstor.inf, located at %systemroot%\inf.  Doing so will prevent users from installing a USB storage device on the computer.

- Make devices Read-only. XP SP2 allows you to give Read access on USB devices requiring it, but it requires a registry hack.

- Don't allow users to be Administrators. Administrators can undo the things you've just done.

- Purchase Read-only USB storage devices or USB-to-device bridges for your organization.

- Purchase software that locks out users from specific USB device types.  There are several programs available.

 

12. Vulnerability Mitigations.  Here are several of the vulnerabilities, and the recommendations for mitigation or workaround:

- LSASS Vulnerability: A standard firewall configuration probably protects from a remote attack that might take advantage of this vulnerability.

- LDAP Vulnerability: Block the LDAP ports at the firewall. This affects Windows 2000 domain controllers only. Block 389, 636, 3268 and 3269.  (Where clients must authenticate to DCs across networks, blocking these ports will prevent that; configure VPNs or other ways to allow the authentication traffic.)

- PCT Vulnerability: Web Publishing with ISA Server can block exploit attempts, or disable PCT by modifying the registry.

- Winlogon Vulnerability: Permission to modify user objects in a domain is necessary.  Give permission only where necessary and vet administrators.  Audit changes to user objects. Review records.

- Metafile Vulnerability: Read e-mail in plain text format.

- Help and Support Center Vulnerability: Open messages in the Restricted Sites zone.

- Utility Manager Vulnerability: Disable this service or use software restriction policies.

- Local Descriptor Table Vulnerability: The user must have valid logon credentials and be able to logon locally.

- Windows Management Vulnerability: The attacker must have valid logon credentials.

- H.323 vulnerability: Block firewall ports 1720 and 1503.

- Virtual DOS Machine Vulnerability: Must have user account and local logon.

 

13. Application Security Gateways are actually the new buzzword for layer 7 firewalls.  Many of the new devices can do:

- SSL acceleration

- Business object protection.  Analyzes outbound application traffic to identify sensitive information.

- Web I/O acceleration

- Application cloaking.  Prevents hackers from collecting sensitive information.

- Application proxy.  Consistent URL translating.

- Defacement protection for web sites

These application firewalls can filter at the application layer, analyze application behavior, look for protocol anomalies, catch worms and Trojans, and trigger firewalls or other devices to respond to attacks.  Normal stateful inspection firewalls cannot do these things.

There are two new technologies underway that should help in these areas: Application Vulnerability Description Language (AVDL) and Extensible Rights Markup Language (XrML).  Again, no space to get into those now.

 

14. Some of the new ways (and old ways) that web pages or applications are being attacked are:

- XSS (Cross-Site Scripting)

- SQL Injections

- Hidden Form Field Manipulation

- Parameter Manipulation (also called “command execution”)

- Weak Session Cookies (cookie poisoning, cookie snooping)

- HTML Comments

- Authentication Hijacking

- Buffer Overflow

- Forceful Browsing

Using the application security gateways or proxy appliances mentioned above, or specialized Web Application Firewalls, will prevent a lot of these.  Be prepared to spend a chunk of money for those devices though.

Topics covered in past meetings:

Encryption

   Algorithms, digital signatures, hashing and tunnels

   IKE, pre-shared keys and Certificate Authorities

   Encrypted authentication (CHAP, EAP, Kerberos, etc.)

   Encrypted File System and recovery agents

   IPSec vs SSL, S/MIME and SSH

Auditing, Logging and Reports

   Government compliance requirements for auditing

   Cisco and Microsoft audit and logging setting up

   Syslog server setup

   Event Viewer and other logging tools

   Handout #6 – Event Security ID Numbers List

   Network Forensics and Frameworks Appliances

Filtering and Blocking

   Access Control Lists (ACLs)

   Proxies (Clients and Servers)

   Demo of Microsoft Internet Security and Acceleration Server

   Network Filtering Appliances (multi-purpose devices)

Intrusion Detection Systems (IDS)

   IDS working with firewalls

   IDS versus Intrusion Prevention Systems (IPS)

   Host versus Network based IDSs & IPSs

   Process of how IDS functions

   Demo of IDS Snort and how to configure it

Virus Prevention and Elimination

   Virus detection and prevention

   Virus removal procedures (Automatic tools and Manual methods)

   Examined several virus detection systems capabilities

   Group discussion on our virus infection experiences

Hack Attacks! (Attack Methods)

    Viruses (worms, trojans, mass-mailers, malicious code, buffer overflows, DoS, DDoS, etc.)

    Hacker methods (password crackers, social engineering, hacker web sites, etc)

    Handout # 5 – How To Tell If Your Computer Has A Virus

Secure Network Topologies

    DMZs

    Network Taps

    Fail-over Systems

    VPNs (Virtual Private Networks)

    NATs (Network Address Translations)

    Quarantine (added remote VPN security)

Firewall Special! 

    Handout # 3 – Firewall Topology and Security Policy Planning Checklist

    Handout # 4 – What To Do When Your Firewall Asks For Advice

Restricting Access

    GPS & “Phone Home” Recovery devices

    MS Security Configuration and Analysis Tool

    Locks (Computers, racks, rooms)

    Smart Cards & Biometrics

    Hardware Security Policies (Group Policies, Passwords, Timeouts)

    RADIUS & TACACS Servers

    Handout #2 – Dangerous Defaults on The XP Desktop

Wireless Security

    WWAN (cellular-data) & WLANs (Wi-Fi Ethernet)

    802.11 b, a, a/b, & g Options Chart

    Wireless security Evolution Chart (WEP, WPA, WPA2 {802.11i})

    “WAR driving” presentation (equipment, software, procedures and results)

    Handout #1 – 6 Steps to Wireless Security

Protecting Data and Systems

    Backups (Hardware, software, procedures)

    Redundant storage (Offsite, clustering, replication)

    File Permissions/Sharing (NTFS vs FAT)

    Securing Applications (Critical Updates and patches, SUS, MBSA, software audits, services disabling, and eliminating spyware and cookies)

    Administrator Accounts (Dos & don’ts)

    Vulnerability Assessment Systems (port scanners, security check lists and link lists)

If you have any expertise in any of the above topics and would like to make a presentation to the group, contact overman@hal-pc.org or bring it up at the next meeting.

WEB Links:

Below are some web links that were discussed and/or demonstrated in earlier SIG lectures.

You can copy/paste the links into your browser.

The links were current at the time we discussed them.

If they do not work now, let me know and I will correct or delete them.

« To search your computer for security violations or viruses:

www.symantec.com/securitycheck    

« Freeware utility that can scan Wi-Fi frequencies for unsecured APs:

NetStumbler:

      www.netstumbler.com.

« On the wired end, use an open-source utility network security scanner:

Nmap:

      www.insecure.org/nmap.

         (seen used in the movie The Matrix Reloaded)

« Microsoft now offers a downloadable client modification for Windows XP which allows you, assuming your wireless access points and NICs are compatible, to implement WPA on your wireless network. The download is at:

http://microsoft.com/downloads/details.aspx?familyid=009D8425-CE2B-7A4-ABEC-274845DC9E91&displaylang=en

      (grab the whole thing)

« A security research site that can reveal exploits that will work on the systems discovered during scanning and enumerating:

http://www.securityfocus.com/

« Site with free and shareware crackers:

Russian Password Cracker site:

      http://www.password-crackers.com/crack.html

« Site with commercial crackers/services:

Password Crackers, Inc.

                 http://www.pwcrack.com/index.shtml

« Virus removal tool example:

 http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

 

«  Microsoft patches for viruses:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp

 

« AVG Anti-virus (freeware) download:

http://www.grisoft.com/html/us_downl.htm


« Port numbers list:

http://www.iana.org/assignments/port-numbers

« Federal recommended security controls:

            http://csrc.nist.gov/sec-cert/

 

Last updated: 24 Jan 05