January 28, 2012 is Data Privacy Day

January 25, 2012

On January 28 and in the surrounding weeks, the United States, Canada and many other countries celebrate Data Privacy Day.  Privacy is our shared responsibility.  Participate in Data Privacy Day by educating students or parents, training employees, hosting an event or sponsoring DPD.

See: Data Privacy Day

See also: October is National Cybersecurity Awareness Month


Web Application Firewall (WAF)

December 28, 2011

In what way are these products firewalls? I realize that there is precedent for using the term “firewall” loosely.

Using the Virtual Patching Challenge presentation by Ryan C. Barnett of Breach Security at Black Hat DC 2009 as an authority:

A Web Application Firewall analyzes traffic and enforces the Virtual Patching Logic so that malicious traffic never reaches the web application.

That could describe an input validation filter. He goes on to say that a Web Application Firewall (WAF) “is more than an ‘attack blocking device.’ A WAF can also identify and correct Application Defects. A WAF can be used as an HTTP Auditing device.” He added that Virtual Patching can expedite the implementation of mitigation and provide protection for apps that can’t be updated.

“Virtual patching of web applications” appears to be the technology implemented on web application firewalls. Virtual patching would include filters that drop input that looks like SQL injection or cross site scripting attacks. Virtual patching should also include approaches which modify output; in effect, wrapping the application to give the effect that the application problem has been fixed. A web application firewall would be the device which implements virtual patching.
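The two sides of virtual patching described above, as an added example that is not from the post or from any of the products it names: a small WSGI middleware that wraps an application it cannot change. On the input side it rejects requests whose parameters match a signature and writes an audit record; on the output side it adds a response header the application omits. The three signatures, the demo_app, the run_request driver and the sample requests are all constructed for illustration; a real rule set is far broader, and, as the post notes further down, needs tuning for the application it protects.

```python
import io
import logging
import re
from urllib.parse import parse_qsl

log = logging.getLogger("virtual_patch")

# Constructed, deliberately small signature list. A production rule set such as
# the SpiderLabs rules for ModSecurity is far broader and is tuned per application.
RULES = [
    ("sqli-union-select", re.compile(r"(?i)\bunion\b.+\bselect\b")),
    ("sqli-tautology", re.compile(r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script\b")),
]


def find_violation(params):
    """First (rule_name, parameter_name) whose value matches a rule, else None."""
    for name, value in params:
        for rule_name, pattern in RULES:
            if pattern.search(value):
                return rule_name, name
    return None


class VirtualPatch:
    """WSGI middleware wrapping an application it cannot change: requests that
    match RULES are rejected before the app sees them (input side), and
    responses gain headers the app omits (output side)."""

    def __init__(self, app, added_headers=None):
        self.app = app
        self.added_headers = added_headers or {"X-Frame-Options": "DENY"}

    def _request_params(self, environ):
        params = parse_qsl(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        length = int(environ.get("CONTENT_LENGTH") or 0)
        if length and environ.get("CONTENT_TYPE", "").startswith("application/x-www-form-urlencoded"):
            body = environ["wsgi.input"].read(length)
            environ["wsgi.input"] = io.BytesIO(body)  # let the app read the body again
            params += parse_qsl(body.decode("utf-8", "replace"), keep_blank_values=True)
        return params

    def __call__(self, environ, start_response):
        hit = find_violation(self._request_params(environ))
        if hit:
            rule, param = hit
            # the audit record: what was blocked, by which rule, from where
            log.warning("blocked %s %s rule=%s param=%s client=%s",
                        environ.get("REQUEST_METHOD"), environ.get("PATH_INFO"),
                        rule, param, environ.get("REMOTE_ADDR"))
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Request blocked\n"]

        def patched_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            headers = list(headers) + [(n, v) for n, v in self.added_headers.items()
                                       if n.lower() not in present]
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    """Stand-in for the protected application (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def run_request(app, query="", body=None, method="GET"):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    raw = (body or "").encode()
    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": "/search", "QUERY_STRING": query,
        "REMOTE_ADDR": "192.0.2.10", "wsgi.input": io.BytesIO(raw),
        "CONTENT_LENGTH": str(len(raw)) if body else "",
        "CONTENT_TYPE": "application/x-www-form-urlencoded" if body else "",
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    out = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), out


if __name__ == "__main__":
    protected = VirtualPatch(demo_app)
    print(run_request(protected, "q=shoes"))                      # passes, header added
    print(run_request(protected, "q=1%27+OR+%271%27%3D%271"))     # blocked, 403
    print(run_request(protected, body="comment=%3Cscript%3E", method="POST"))
```

The middleware never touches the application's code, which is the point of the approach; the price is that every rule is a guess about what malicious input looks like, so false positives on legitimate traffic and misses on encodings the rules do not anticipate are both expected and are what the tuning in the references below addresses.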

I need a better, simpler example. The PCI Security Standards Council Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified [pdf] includes the clarifications:

WAFs are designed to inspect the contents of the application layer of an IP packet, as well as the contents of any other layer that could be used to attack a web application.

Increasingly, WAF technology is integrated into solutions that include other functions such as packet filtering, proxying, SSL termination, load balancing, object caching, etc. These devices are variously marketed as “firewalls,” “application gateways,” “application delivery system,” “secure proxy,” or some other description.

The Web Application Security Consortium has developed and continues to clarify its Web Application Firewall Evaluation Criteria.

Web application firewalls (WAF) are a new breed of information security technology designed to protect web sites from attack. WAF solutions are capable of preventing attacks that network firewalls and intrusion detection systems can’t, and they do not require modification of application source code.

That did not help, either. Identify your problem before selecting your solution. Your solution may be an additional technology marketed as a WAF. Bring the evaluation criteria to discussions.

For a critique of WAF inadequacies, see Shocking News In PHP Exploitation by Stefan Esser, November 2009. For additional examples, see Bypassing Web Application Firewalls with SQLMap Tamper Scripts by Roberto Salgado, August 26, 2011.

Effectiveness of Web Application Firewalls, by Larry Suto, concludes that WAF and IPS implementations will benefit significantly from tuning, including using Dynamic Application Security Testing (DAST) software product generated filters.

Web Application Firewall products:

  • ModSecurity, with a rule set such as this one from Trustwave SpiderLabs
  • Imperva SecureSphere
  • Breach WebDefend
  • F5 Application Security Manager
  • Citrix NetScaler
  • Barracuda Web Application Firewall

October is National Cybersecurity Awareness Month

October 3, 2011

WatchGuard security awareness video tutorials for beginner, intermediate and advanced audiences

Stay Safe Online from the National Cyber Security Alliance


Microsoft Excel tips

September 30, 2011

Search with two values

The VLOOKUP and SUMIF functions can be used to search using a single value, but there are times when you may wish to search using two values. A generalized example is the following array formula (use Ctrl+Shift+Enter to save this array formula):

  • E20 is one value to search for, within A20 through A28
  • F20 is the other value to search for, within B20 through B28
  • When both match, return the value within C20 through C28

=INDEX($C$20:$C$28,MATCH(1,($A$20:$A$28=$E$20)*($B$20:$B$28=$F$20),0))

The attached spreadsheet shows two problems, and both are solved with this model.

Suppress zero

If the result appears as “0” and you would rather it was blank, you can use the following custom cell format:

General;-General;

IPv4 manipulation

Sorting by the familiar dotted decimal IPv4 format may not produce the result you want. For example, 192.168.1.12 would appear between 192.168.1.119 and 192.168.1.120.

192.168.1.11
192.168.1.119
192.168.1.12
192.168.1.120
192.168.1.121
192.168.1.13

In these cases, expressing the IPv4 number in its familiar dotted decimal notation is producing a result you did not expect. You can express the IPv4 number as a decimal number, which will sort in the manner you expect.  Assuming the IPv4 dotted decimal number is in cell A2, the following formula will produce its decimal equivalent:

=((VALUE(LEFT(A2, FIND(".", A2)-1)))*256^3)+((VALUE(MID(A2, FIND(".", A2)+1, FIND(".", A2, FIND(".", A2)+1)-FIND(".", A2)-1)))*256^2)+((VALUE(MID(A2, FIND(".", A2, FIND(".", A2)+1)+1, FIND(".", A2, FIND(".", A2, FIND(".", A2)+1)+1)-FIND(".", A2, FIND(".", A2)+1)-1)))*256)+(VALUE(RIGHT(A2, LEN(A2)-FIND(".", A2, FIND(".", A2, FIND(".", A2)+1)+1))))

Conversely, a large decimal number can be expressed in the familiar IPv4 dotted decimal notation. Assuming the decimal number is in cell A2, the following formula will produce its dotted decimal equivalent:

=IF(A2<>"", CONCATENATE(INT(A2/256^3), ".", INT(MOD(A2, (256^3))/(256^2)), ".", INT(MOD(MOD(A2, 256^3), 256^2)/256), ".", MOD(MOD(MOD(A2, 256^3), 256^2), 256)), "")
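The same two conversions and the sort they enable, as an added Python example that is not from the post: ip_to_int does the arithmetic of the first formula, int_to_ip the INT/MOD arithmetic of the second, and sort_ips sorts dotted-decimal strings numerically. It also rejects malformed input (a non-numeric or out-of-range octet), which the spreadsheet formulas silently mishandle, and cross-checks its results against the standard library's ipaddress module. The six addresses are the ones listed above, in the order a text sort leaves them.

```python
import ipaddress


def ip_to_int(dotted):
    """Dotted-decimal IPv4 string -> integer, the same arithmetic as the
    spreadsheet formula: a*256^3 + b*256^2 + c*256 + d."""
    octets = dotted.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted!r}")
    value = 0
    for octet in octets:
        n = int(octet)  # non-numeric text raises ValueError
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = value * 256 + n
    return value


def int_to_ip(value):
    """Integer -> dotted decimal, mirroring the INT/MOD formula."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value outside the 32-bit IPv4 range")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def sort_ips(addresses):
    """Sort dotted-decimal strings by numeric value instead of by text."""
    return sorted(addresses, key=ip_to_int)


# Constructed input: the six addresses from the post, in text-sorted order.
TEXT_SORTED = ["192.168.1.11", "192.168.1.119", "192.168.1.12",
               "192.168.1.120", "192.168.1.121", "192.168.1.13"]

if __name__ == "__main__":
    for ip in sort_ips(TEXT_SORTED):
        n = ip_to_int(ip)
        # cross-check against the standard library's own conversion
        assert n == int(ipaddress.IPv4Address(ip)) and int_to_ip(n) == ip
        print(f"{ip:>15}  {n}")
```

In a spreadsheet the helper column holding the integer is what you sort on; in code the key function does the same job without a second column.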

DNS lookup, PING

You can add functions named Address2Name(cell name or IP string) for DNS lookup and PingAddress(cell name or IP string) to see if the device is alive.

To perform a DNS lookup and a ping test will require macros.

To enable macros, see Create or delete a macro, under Record a macro, steps 1 and 2:

  1. If the Developer tab is not available, do the following to display it:
    1. Click the Microsoft Office Button, and then click Excel Options.
    2. In the Popular category, under Top options for working with Excel, select the Show Developer tab in the Ribbon check box, and then click OK.
  2. To set the security level temporarily to enable all macros, do the following:
    1. On the Developer tab, in the Code group, click Macro Security.
    2. Under Macro Settings, click Enable all macros (not recommended, potentially dangerous code can run), and then click OK.

     Note   To help prevent potentially dangerous code from running, we recommend that you return to any one of the settings that disable all macros after you finish working with macros. For more information about how to change the settings, see Change macro security settings in Excel.

Create a module named Network with the following text:

Option Explicit
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)

' Walks column A from row 2 until a blank cell, writing the ping result
' to column B and the time of the check to column C.
Sub GetIPs()
    Dim address As String
    Dim row As Long
    row = 2
    address = Cells(row, 1)
    Do Until Trim(address) = ""
        Cells(row, 2) = PingAddress(address)
        Cells(row, 3) = Now
        row = row + 1
        address = Cells(row, 1)
        Sleep 2500   ' pause between hosts
    Loop
End Sub

' Resolves a host name (or IP string) and pings it. Returns the IP address
' when the host replies, otherwise "Not found" or "Host unreachable".
Function PingAddress(strDomain As String) As String
    Dim objShell As Object
    Dim strText As String
    Dim objExecObject As Object
    Dim objIP As clsIPResolve
    Set objShell = CreateObject("WScript.Shell")
    Set objIP = New clsIPResolve
    PingAddress = objIP.NameToAddress(strDomain)
    If PingAddress = "" Then
        PingAddress = "Not found"
    Else
        ' only the resolved IP address reaches the command line
        Set objExecObject = objShell.Exec("%comspec% /c ping -n 3 -w 1000 " & PingAddress)
        ' ReadAll consumes the whole output, so the loop body runs once
        Do While Not objExecObject.StdOut.AtEndOfStream
            strText = objExecObject.StdOut.ReadAll()
            ' "unreachable" is tested first because Windows reports
            ' "Reply from <gateway>: Destination host unreachable."
            If InStr(strText, "unreachable") > 0 Then
                PingAddress = "Host unreachable"
            ElseIf InStr(strText, "Reply") > 0 Then
                ' host answered: keep the resolved IP address as the result
            Else
                PingAddress = "Not found"   ' e.g. "Request timed out."
            End If
        Loop
    End If
    Set objIP = Nothing
    Set objExecObject = Nothing
    Set objShell = Nothing
End Function

' Reverse lookup: IP address string to host name.
Function Address2Name(strDomain As String) As String
    Dim objIP As clsIPResolve
    Set objIP = New clsIPResolve
    Address2Name = objIP.AddressToName(strDomain)
    If Address2Name = "" Then Address2Name = "No DNS available"
    Set objIP = Nothing
End Function

Create a class module, named clsIPResolve to match the New clsIPResolve statements in the Network module, with the following text:

Option Explicit
Private mbInitialized As Boolean
Const WSADescription_Len = 256
Const WSASYS_Status_Len = 128
Const AF_INET = 2&   ' Winsock address family for IPv4 (AF_INET is 2)

' Winsock hostent structure (16 bytes in 32-bit Office)
Private Type HOSTENT
    hName As Long
    hAliases As Long
    hAddrType As Integer
    hLength As Integer
    hAddrList As Long
End Type

Private Type WSADATA
    wversion As Integer
    wHighVersion As Integer
    szDescription(0 To WSADescription_Len) As Byte
    szSystemStatus(0 To WSASYS_Status_Len) As Byte
    iMaxSockets As Integer
    iMaxUdpDg As Integer
    lpszVendorInfo As Long
End Type

Private Declare Function WSAStartup _
    Lib "wsock32" _
    (ByVal VersionReq As Long, _
    WSADataReturn As WSADATA) _
    As Long

Private Declare Function WSACleanup _
    Lib "wsock32" _
    () _
    As Long

Private Declare Function WSAGetLastError _
    Lib "wsock32" _
    () _
    As Long

' gethostbyaddr(const char *addr, int len, int type): addr is a pointer, so
' it is passed ByRef; len and type are plain integers and must be ByVal
Private Declare Function gethostbyaddr _
    Lib "wsock32" _
    (addr As Long, _
    ByVal addrLen As Long, _
    ByVal addrType As Long) _
    As Long

Private Declare Function gethostbyname _
    Lib "wsock32" _
    (ByVal hostname As String) _
    As Long

Private Declare Sub RtlMoveMemory _
    Lib "kernel32" _
    (hpvDest As Any, _
    ByVal hpvSource As Long, _
    ByVal cbCopy As Long)

'checks if string is valid IP address (four numeric parts, each 0 to 255)
Private Function CheckIP(IPToCheck As String) As Boolean
    Dim TempValues
    Dim iLoop As Long
    Dim TempByte As Byte
    On Error GoTo CheckIPError
    TempValues = Split(IPToCheck, ".")
    If UBound(TempValues) < 3 Then
        Exit Function
    End If
    ' assigning a non-numeric or out-of-range part to a Byte raises an error,
    ' which leaves CheckIP False
    For iLoop = LBound(TempValues) To UBound(TempValues)
        TempByte = TempValues(iLoop)
    Next iLoop
    CheckIP = True
CheckIPError:
End Function

'converts IP address from string to sin_addr (network byte order in a Long)
Private Function MakeIP(strIP As String) As Long
    Dim vTemp
    Dim lngTemp As Long
    Dim iLoop As Long
    On Error GoTo MakeIPError
    vTemp = Split(strIP, ".")
    For iLoop = 0 To (UBound(vTemp) - 1)
        lngTemp = lngTemp + (vTemp(iLoop) * (256 ^ iLoop))
    Next iLoop
    ' the last octet lands in the sign byte of the Long, so values of 128
    ' and above are folded into the negative range to avoid an overflow
    If vTemp(UBound(vTemp)) < 128 Then
        lngTemp = lngTemp + (vTemp(UBound(vTemp)) * (256 ^ 3))
    Else
        lngTemp = lngTemp + ((vTemp(UBound(vTemp)) - 256) * (256 ^ 3))
    End If
    MakeIP = lngTemp
MakeIPError:
End Function

'resolves IP address to host name
Private Function AddrToName(strAddr As String) As String
    Dim heEntry As HOSTENT
    Dim strHost As String * 255
    Dim strTemp As String
    Dim lngRet As Long
    Dim lngIP As Long
    On Error GoTo AddrToNameError
    If CheckIP(strAddr) Then
        lngIP = MakeIP(strAddr)
        lngRet = gethostbyaddr(lngIP, 4, AF_INET)
        If lngRet = 0 Then
            Exit Function
        End If
        ' copy the hostent structure, then the NUL-terminated name it points to
        RtlMoveMemory heEntry, lngRet, Len(heEntry)
        RtlMoveMemory ByVal strHost, heEntry.hName, 255
        strTemp = TrimNull(strHost)
        AddrToName = strTemp
    End If
AddrToNameError:
End Function

'resolves host name to IP address
Private Function NameToAddr(ByVal strHost As String) As String
    Dim ip_list() As Byte
    Dim heEntry As HOSTENT
    Dim strIPAddr As String
    Dim lp_HostEnt As Long
    Dim lp_HostIP As Long
    Dim iLoop As Integer
    On Error GoTo NameToAddrError
    lp_HostEnt = gethostbyname(strHost)
    If lp_HostEnt = 0 Then
        Exit Function
    End If
    ' copy the hostent, then the first address pointer, then the address bytes
    RtlMoveMemory heEntry, lp_HostEnt, LenB(heEntry)
    RtlMoveMemory lp_HostIP, heEntry.hAddrList, 4
    ReDim ip_list(1 To heEntry.hLength)
    RtlMoveMemory ip_list(1), lp_HostIP, heEntry.hLength
    For iLoop = 1 To heEntry.hLength
        strIPAddr = strIPAddr & ip_list(iLoop) & "."
    Next
    strIPAddr = Mid(strIPAddr, 1, Len(strIPAddr) - 1)   ' drop trailing "."
    NameToAddr = strIPAddr
NameToAddrError:
End Function

Public Function AddressToName(strIP As String) As String
    If mbInitialized Then
        AddressToName = AddrToName(strIP)
    End If
End Function

Public Function NameToAddress(strName As String) As String
    If mbInitialized Then
        NameToAddress = NameToAddr(strName)
    End If
End Function

' returns the text before the first NUL character
Private Function TrimNull(sTrim As String) As String
    Dim iFind As Long
    iFind = InStr(1, sTrim, Chr(0))
    If iFind > 0 Then
        TrimNull = Left(sTrim, iFind - 1)
    Else
        TrimNull = sTrim
    End If
End Function

' 257 = &H101, Winsock version 1.1
Private Sub Class_Initialize()
    Dim wsa As WSADATA
    mbInitialized = (WSAStartup(257, wsa) = 0)
End Sub

Private Sub Class_Terminate()
    If mbInitialized Then
        WSACleanup
    End If
End Sub
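The same lookup-and-ping sweep outside Excel, as an added Python example that is not part of the post and not a port of the macros above: the socket module does the forward and reverse lookups that the class module does through Winsock calls, the classification of ping output is a pure function so it can be checked on captured text, and the address is handed to ping as an argument list rather than spliced into a shell command line. The hosts, the sample ping output and the status strings are constructed for illustration; only the three result values mirror the macros' convention.

```python
import socket
import subprocess
import sys
from datetime import datetime


def resolve(name):
    """Forward lookup (an IP literal is returned unchanged); '' when it fails."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return ""


def reverse_lookup(address):
    """PTR lookup, with the same fallback text as the Address2Name macro."""
    try:
        return socket.gethostbyaddr(address)[0]
    except (socket.herror, socket.gaierror):
        return "No DNS available"


def classify_ping_output(text):
    """Turn captured ping output into the three outcomes the sheet records.
    'unreachable' is tested first because an unreachable host still produces
    a reply line from the gateway: 'Reply from <gw>: Destination host
    unreachable.' on Windows, 'From <gw> ... Destination Host Unreachable'
    on Linux."""
    lowered = text.lower()
    if "unreachable" in lowered:
        return "Host unreachable"
    if "reply from" in lowered or "bytes from" in lowered:  # Windows / Unix wording
        return "Alive"
    return "Not found"  # e.g. "Request timed out." or no output at all


def ping(address, count=3, timeout_ms=1000):
    """Run the platform's ping as an argument list: no shell, no string building."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", str(count), "-w", str(timeout_ms), address]
    else:  # Linux ping takes -W in whole seconds
        cmd = ["ping", "-c", str(count), "-W", str(max(1, timeout_ms // 1000)), address]
    try:
        result = subprocess.run(cmd, capture_output=True, text=True,
                                timeout=count * (timeout_ms / 1000) + 5)
    except (OSError, subprocess.TimeoutExpired):
        return "Not found"
    return classify_ping_output(result.stdout)


def check_host(name):
    """Same convention as PingAddress(): the resolved IP when the host answers,
    otherwise a short status string."""
    address = resolve(name)
    if not address:
        return "Not found"
    status = ping(address)
    return address if status == "Alive" else status


def sweep(names):
    """(name, result, timestamp) rows, like the columns the GetIPs macro fills."""
    return [(n, check_host(n), datetime.now().isoformat(timespec="seconds")) for n in names]


if __name__ == "__main__":
    # constructed default; pass real host names on the command line
    for row in sweep(sys.argv[1:] or ["localhost"]):
        print("\t".join(row))
```

Keeping the classifier separate from the process call is what makes the sweep testable without a network, and it is also where a new wording from a different ping implementation gets added when one turns up.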

Report Product Safety Issues

September 27, 2011

SaferProducts.gov is a service of the Consumer Products Safety Commission (CPSC).


DigiNotar Certificate Authority Breach

September 6, 2011

See the Fox-IT preliminary report for the conditions which enabled the DigiNotar Certificate Authority (CA) to be breached. The breach enabled attackers to create their own digital certificates. Note that the role of a CA is to give people and systems reason to trust that a destination is who it claims to be, that software was created by whoever claims to have created it, or that a message is from whom it says it is from. The breach enabled the attackers to create their own certificates, which could not be trusted. Successful authentication does not confer trust.

Note that this example underscores the need to be able to revoke certificates and to remove CAs from trusted authorities. You cannot rely upon an operating system vendor or web browser vendor to address this maintenance for you (although you should expect them to provide a maintenance mechanism).

Conditions which enabled the breach:

The successful hack implies that the current network setup and / or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack.

The most critical servers contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.

The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced.

The software installed on the public web servers was outdated and not patched.

No antivirus protection was present on the investigated servers.

An intrusion prevention system is operational. It is not clear at the moment why it didn’t block some of the outside web server attacks. No secure central network logging is in place.


IPv6

September 6, 2011
Each IPv6 feature below is listed with its benefit and, where the post names one, the management challenge it brings.

Larger address space
  Benefit: IPv4 address space is nearly exhausted, while many more networks and devices (such as phones or IP-enabled mobile devices) will need to be connected to the Internet.
  Challenge: Tracking IPv6 addresses with a spreadsheet is as practical as tracking IPv4 addresses. The large number of devices concomitant with the large number of addresses may make a spreadsheet approach impractical. Determining the next available network will not be trivial.

Address families
  Benefit: Headers support extensions and options such as authentication and encapsulation.

Extension headers
  Benefit: Unicast, anycast and multicast capabilities.

Jumbo frames
  Benefit: Enhanced streaming video capabilities.

Neighborhood discovery
  Benefit: Find the closest instance of a resource.

Path MTU discovery
  Benefit: In IPv6, path MTU discovery is delegated to the end points to increase efficiency and avoid IP fragmentation.

Multicast improvements
  Benefit: Enhanced multicast support with vastly increased address space and more efficient mechanisms.
  Challenge: Unlike IPv4, IPv6 networks are not limited by broadcast. IPv6 multicast allows for the creation of larger, flatter networks that will need to be managed and tracked differently than with IPv4.

IP mobility
  Benefit: Enhanced support for mobile IP addresses and IP-enabled mobile devices.

Simplified routing
  Benefit: Simplified packet header and packet forwarding process for more efficient end-to-end routing.

Quality of Service (QoS)
  Benefit: Flow labeling capability for QoS, to provide better voice over IP (VoIP), video and games.

Security
  Benefit: Extensions for authentication and security, and built-in IPsec mandatory for all IPv6 devices. IPv6 implements network-layer encryption and authentication via IPsec.

Multiple IP protocols per client (IPv4 and IPv6)
  Challenge: During the transition from IPv4 to IPv6, organizations will need to manage “dual-stacked” IPv6 and IPv4 networks. A single client may have both an IPv4 and an IPv6 address associated with it.

Length of IPv6 addresses
  Challenge: IPv6 addresses are 128 bits long (four times longer than IPv4 addresses) and are represented in hexadecimal, a format that is not human-friendly. For IT staff and network administrators accustomed to managing and memorizing IP addresses, the length of IPv6 addresses will be a challenge.

Multiple IPv6 addresses per interface
  Challenge: Three to four IPv6 addresses may be required per IPv6 interface, not counting the multicast addresses.

Address assignment
  Benefit: Stateless autoconfiguration allows an IPv6 host to configure itself automatically when connected to a routed IPv6 network.
  Challenge: There are no static IP address assignments with IPv6. An IP Address Management (IPAM) product becomes essential.

See also: IPv6: The Next Generation Internet


Remote Access To Mac

August 11, 2011

Caution, Mac users: “gotomypc” does not notify the user when someone else is connected to the computer remotely. (“logmein” does.)

Also, check the system preferences for Apple’s Mobile Me setting for “Back To My Mac.” This option controls who has remote desktop access to the Mac. Check the logs under either /system/Library/Logs or ~/library/logs.


Books

August 10, 2011

Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners by Jason Andress and Steve Winterfeld

The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice by Jason Andress

Thor’s Microsoft Security Bible: A Collection of Practical Security Techniques by Timothy “Thor” Mullen

Windows Sysinternals Administrator’s Reference by Mark Russinovich and Aaron Margosis

Microsoft Log Parser Toolkit: A complete toolkit for Microsoft’s undocumented log analysis tool by Gabriele Giuseppini, Mark Burnett, Jeremy Faircloth, and Dave Kleiman

The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy (Syngress Basics Series) by Patrick Engebretson

Low Tech Hacking: Street Smarts for Security Professionals by Jack Wiles, Terry Gudaitis, Jennifer Jabbusch, Russ Rogers and Sean Lowther

Penetration Tester’s Open Source Toolkit, Third Edition by Jeremy Faircloth

Digital Forensics with Open Source Tools by Cory Altheide and Harlan Carvey

Coding for Penetration Testers: Building Better Tools by Jason Andress and Ryan Linn

Metasploit: The Penetration Tester’s Guide by David Kennedy

BackTrack 4: Assuring Security by Penetration Testing by Shakeel Ali

BackTrack 5 Wireless Penetration Testing Beginner’s Guide by Vivek Ramachandran (Oct 9, 2011)

The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics by John Sammons

Digital Forensics for Legal Professionals: Understanding Digital Evidence From The Warrant To The Courtroom by Larry Daniel and Lars Daniel

Computer Forensics: Incident Response Essentials by Warren G. Kruse and Jay G. Heiser

Computer Forensics Jumpstart by Michael Solomon, Neil Broom and Diane Barrett

iPhone and iOS Forensics: Investigation, Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices by Andrew Hoog and Katie Strzempka

Windows Forensic Analysis DVD Toolkit, Second Edition by Harlan Carvey

Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry by Harlan Carvey

Windows 7 Inside Out, Deluxe Edition by Ed Bott, Carl Siechert and Craig Stinson

Hardening Cisco Routers (O’Reilly Networking) by Thomas Akin

Network Security First-Step (2nd Edition) by Thomas M. Thomas and Donald Stoddard

CCNP Security Secure 642-637 Official Cert Guide by Sean Wilkins and Trey Smith

Malware Analyst’s Cookbook and DVD: Tools and Techniques for Fighting Malicious Code by Michael Ligh, Steven Adair, Blake Hartstein, and Matthew Richard

Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide by Laura Chappell

Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning by Gordon “Fyodor” Lyon


IP Address Management (IPAM)

August 10, 2011

In its simplest form, IP address management is the assignment of fixed, static IP addresses. You must handle adds, deletes and changes of IP addresses. You must be aware of retired devices and recycle their IP addresses. You must be aware of the changes necessary when moving a device from one network to another. This is IP address management, and home or small office environments need no additional mechanized management.

A larger environment will find that an additional investment in DHCP allows you to manage IP addresses and configuration settings more efficiently. DHCP performs IP address assignment and permits static assignment while enabling dynamic assignment.

An even larger environment of multiple DHCP servers and many networks will find an additional investment in an IP Address Management system worthwhile.

Key IPAM capabilities for IPv6 include:

  • End-to-end IPv6 address management including routing prefixes for global unicast, subnet IDs and interface IDs
  • IPv6 DNS management, including AAAA and the IPv6.ARPA reverse space
  • IPv6 DHCP management – stateless option support (through discovery) for address assignment
  • IPv6 network discovery to inventory your IPv4 and IPv6 networks and resources
  • Parallel management of IPv6, IPv4 and dual-stacked networks and devices
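Three of the IPAM capabilities listed above, and the "next available network" and "dual-stacked client" challenges from the IPv6 table earlier on this page, as one added Python example that is not from the post or from any of the products it names: a canonical text form so the same address is never recorded twice, the first free /64 in an allocated block, the ip6.arpa owner name for a PTR record, and an inventory grouped so a dual-stacked host shows both address families together. The prefixes and host names are constructed sample data from the documentation ranges; everything else is the standard library's ipaddress module.

```python
import ipaddress


def normalize(address):
    """Canonical (compressed, lower-case) text for an IPv6 or IPv4 address, so
    that '2001:0DB8:0000::0001' and '2001:db8::1' record as the same entry."""
    return ipaddress.ip_address(address).compressed


def next_available_subnet(block, allocated, new_prefix=64):
    """First /new_prefix subnet of `block` that overlaps nothing in `allocated`,
    or None when the block is exhausted. Overlap, not equality, is the test,
    so an allocation larger than /new_prefix blocks every subnet inside it."""
    parent = ipaddress.ip_network(block, strict=True)
    used = [ipaddress.ip_network(a, strict=False) for a in allocated]
    for candidate in parent.subnets(new_prefix=new_prefix):
        if not any(candidate.overlaps(u) for u in used):
            return candidate
    return None


def reverse_name(address):
    """Owner name of the PTR record (ip6.arpa, or in-addr.arpa for IPv4)."""
    return ipaddress.ip_address(address).reverse_pointer


def group_by_host(inventory):
    """Collect each host's addresses by IP version, so a dual-stacked host
    shows its IPv4 address and its several IPv6 addresses together."""
    by_host = {}
    for host, address in inventory:
        ip = ipaddress.ip_address(address)
        by_host.setdefault(host, {4: [], 6: []})[ip.version].append(ip.compressed)
    return by_host


# Constructed sample data using the documentation prefixes (RFC 3849 / RFC 5737).
ALLOCATED = ["2001:db8::/64", "2001:db8:0:1::/64", "2001:db8:0:2::/63"]
INVENTORY = [
    ("srv1", "192.0.2.10"),
    ("srv1", "2001:0DB8:0000:0000:0000:0000:0000:0010"),  # global unicast, uncompressed
    ("srv1", "fe80::1"),                                   # link-local
    ("srv2", "192.0.2.11"),
]

if __name__ == "__main__":
    print("next free /64 in 2001:db8::/48:", next_available_subnet("2001:db8::/48", ALLOCATED))
    print("PTR owner for 2001:db8::1:", reverse_name("2001:db8::1"))
    for host, addrs in group_by_host(INVENTORY).items():
        print(host, addrs)
```

The walk in next_available_subnet is linear in the number of candidate subnets, which is fine for a /48 split into /64s but is the point at which a flat list stops scaling and a real IPAM database with indexed ranges earns its keep.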

Infoblox offers a free product. Infoblox IP address management freeware includes the Infoblox IP address manager, Smart Folders, Network Map (with subnet management) and IPv6 capabilities.

See also: IPControl from Diamond IP Technologies, Proteus from BlueCat Networks

