Enhancing Your Bitlocker Protection

July 23, 2014

Scenario: Your Windows laptop has Bitlocker protection that prevents unencrypted access to the hard drive if the laptop was powered off.

There are three successful physical attacks:

  1. Seize the hardware while the user is logged in and Windows is not locked.
  2. Seize the hardware while the user is logged in and has locked Windows.
  3. Seize the hardware immediately after the laptop as powered off.

In the first attack the thief has access to the unencrypted information. This is to be expected.

In the second and third cases, you would expect the thief to be denied access to the encrypted information. Actually, the thief could obtain the encryption keys through a Direct Memory Access (DMA) attack (attack 2) or by reading DRAM before the bits decay and memory fades (attack 3). This last approach is referred to as a “Cold Boot Attack”.

iSECPartners has made You’ll Never Take Me Alive to mitigate DMA attacks. If Windows is locked and either the power cord or wired internet is disconnected, then the system goes into hibernation. A side effect of hibernation is removing the encryption keys from memory. If you were working off battery power with a wireless network connection, then YoNTMA does not mitigate your risk.


Securing a USB Drive

September 12, 2012

The problem: You want to transport information. A USB drive is a convenient solution, but comes with risks. There is always the risk that the drive could be misplaced or stolen. You need some way to encrypt the data so that your loss is limited to the drive, and the data on the drive does not fall into unscrupulous hands.

Solutions:

Dedicated secure drive and a strong password. By using a secure USB drive (and a strong password), the information on the lost or stolen secure USB drive is not disclosed. Avoid the older implementations, see Update Your Secure USB Drive.

  • SanDisk
  • Verbatim
  • Kingston
  • TAC Drive
  • IronKey
  • Imation secure USB drives
  • Kingston DataTraveler 4000-M, a managed version of their secure USB drive has been announced.  “Full device-state management for tight policy enforcement and lockdown of stolen/lost drives – without bricking; customization for easy asset tagging; and, full audit and backup/recovery for forensic analysis and compliance – including adherence to all data-at-rest regulations.”
  • Victorinox Secure Pro USB drive has been discontinued by the manufacturer. Return these devices for a refund.

Passthrough encryption device and strong password used with generic USB storage device.

  • The Enigma module is an inline USB encryption solution designed to provide real-time full disk encryption for any USB mass storage class (MSC) drive.

Dedicated secure drive with integrated keypad. A benefit of USB drives is their platform independence. If the USB drive requires a driver and a device with a keyboard, then you can’t plug it into your TV or Blu-Ray player. There are other dedicated secure drives with integrated keypads to enable the device to transport files to any device which accepts a USB drive.

Dedicated secure drive with integrated biometrics.

  • Apricorn Aegis Bio 3.0 USB 3.0 external drive safeguards data with secure fingerprint access and military grade 265-bit AES-XTS hardware encryption.

Ordinary USB drive with encryption software and strong password.

  • Ordinary USB drive and Bitlocker encryption.
  • Ordinary USB drive and TrueCrypt encryption. A copy of TrueCrypt Portable on the USB drive means you won’t need to install TrueCrypt on the host device to read the encrypted portion of the USB drive. (While use of TrueCrypt has been discouraged, it will still defeat almost any thief. See “Open Crypto Audit Project TrueCrypt Security Assessment” [pdf].)
  • Ordinary USB drive and Rohos Mini Drive or USB Safeguard. Both can reside upon the USB drive. Both offer a free version which encrypts up to 2 GB.

Challenges:

  • Password strength. Easily guessed passwords turn encryption into an ineffective control. How do you enforce a strong password policy?
  • Remote wipe. The goal of an encryption implementation is to make it take longer to crack than is practical. (Easily guessed passwords make cracking practical.) After a short number of attempts, the device should wipe itself.
  • Key management. Can keys for these encrypted devices be managed centrally? If they cannot, is the information on these devices managed in another fashion?
  • Maintenance. If these devices must be updated, what approaches are available?
  • Inventory. How will these devices be tracked? What are the costs of not tracking them?

When reviewing these challenges, remember the risk from lost, unencrypted data. You may choose to accept a less-than-perfect management solution to limit the risk of information disclosure.


Running RatProxy in a Windows and cygwin environment

September 12, 2012

RatProxy can be considered a specialized protocol analyzer for interpreting HTML transactions. Suppose there is a web transaction that you are curious about. For example, it seems to return user-created text to you, and you suspect that this may indicate a cross-site scripting (XSS) attack is possible.

Preparation:

  1. I found How to Setup RatProxy on Windows to be a useful resource for installing Cygwin and RatProxy on Windows.
  2. The Firefox addon Elite Proxy Switcher is more than sufficient to make changing proxy settings simple.
  3. The 7-zip archive utility is used by the batch file which follows. Neither the batch file nor the utility are required, but you may find them convenient.
  4. Add a batch file (preserve.bat) to the c:\cygwin\bin folder:

    @echo off
    if (%1)==() goto ERRPARM
    ren ..\ratproxy\report.html %1.*
    “C:\Program Files\7-Zip\7z.exe” a ..\ratproxy\%1.zip ..\ratproxy\*.trace ..\ratproxy\ratproxy.log
    del ..\ratproxy\*.trace
    goto EXIT
    :ERRPARM
    echo Name for report and zip file is required.
    :EXIT

With that preparation complete, and with Firefox ready to submit your interaction:

  1. Open a command shell (cmd.exe).
  2. Paste these two lines into the command window:

    cd C:\cygwin\ratproxy
    ratproxy.exe -v c:\cygwin\ratproxy -w ratproxy.log -p 8080 -lextifscijmXC

    This creates a web proxy on port 8080. The “-lextifscijmXC” options may not be appropriate for your testing; see the RatProxy documentation.

  3. Change your browser to use this proxy (localhost:8080).  Traffic that is passed through the browser will go through RatProxy.
  4. Your test traffic occurs here.
  5. In the command window (from step 2) press Ctrl+C to quit RatProxy.
  6. Undo the browser proxy changes (from step 3).
  7. Create the RatProxy report by pasting these four lines into the command window (from steps 2 and 5). This runs the report in a bash shell.

    C:\cygwin\Cygwin.bat
    cd /ratproxy
    ./ratproxy-report.sh ratproxy.log > report.html
    logout

    This will require another Enter.

    C:\cygwin\ratproxy\report.html,  C:\cygwin\ratproxy\ratproxy.log and one or more .trace files in the C:\cygwin\ratproxy\ folder will contain the results of your testing. These .trace files are not Wireshark-compatible, but they are interpreted network protocol analyzer results.

  8. Clean up. To associate the report.html file with the .trace files and to prepare for the next traffic capture, I added a batch file (preserve.bat, text ) to c:\cygwin\bin. In the command window (from steps 2, 5 and 7), enter

    preserve <project>

    where <project> is a term you choose to remember what you were testing.

    You will now have a <project>.html file and a <project>.zip file in C:\cygwin\ratproxy\. You can close the command window.

In the html file you will see each POST transaction followed by a  [view trace] hyperlink (such as c:\cygwin\ratproxy/506875b7-2ac4.trace). The hyperlink wasn’t working anyway, but it does indicate which of the .trace files to associate with this POST transaction.


Microsoft Attack Surface Analyzer Error Message

August 5, 2012

Q: I have “Microsoft .NET Framework 4 Client Profile” installed, but when installing Microsoft Attack Surface Analyzer I get the message:

You are attempting to install Attack Surface Analyzer on a system without .Net 4 or above.  If you continue with the installation, only the command-line executable asa.exe and the data collection components of Attack Surface Analyzer will be installed.  To continue with installation, click Next.  If you do not want to continue with installation, click Cancel.

A: Do you also show “Microsoft .NET Framework 4 Extended” installed? If not, then install it before installing Microsoft Attack Surface Analyzer. Alternately, the command-line executable asa.exe is not such a bad idea.


HBGary Compromise Debriefing

August 2, 2012

A web application SQL injection vulnerability disclosed accounts and passwords.

Mitigation: Test, sanitize input, use library routines instead of creating your own sanitization routines.

Passwords were encrypted with an MD5 hash and no salt. This enables unencrypted passwords to be determined offline, using rainbow tables.

Mitigation: MD5 is broken. Salt to make the use of precomputed password hashes (rainbow tables) impractical.

The accounts and passwords were used for initial access to a server.

Two-factor authentication would mitigate this.

A local vulnerability on the server enabled root access to the server.

Patch deployment would mitigate this.

The content management system password was the same as the email management service.

Do not reuse passwords.

Control of the email system enabled social engineering access to other vendors. You appear to be their trusted partner.


Metawebsites

July 19, 2012

Metawebsites would be web sites about web sites.

Note: In what follows, the example.com domain is used as an illustrative example (see RFC 2606).

General utility

Hurricane Electric’s BGP Toolkit offers insight into the structure of the internet.

Robtex Swiss Army Knife Internet Tool

http://www.robtex.com/dns/example.com.html#result

CentralOps.net features the Domain Dossier to investigate domains and IP addresses. Get one report with registrant information, DNS records, and more. Can also scan for FTP (21), SMTP (25), HTTP (80), POP3 (110)  and IMAP (143) services.

Cisco’s SenderBase.org provides a view into real-time threat intelligence across web and email. SenderBase is powered by Cisco Security Intelligence Operations (SIO), a cloud-based capability which analyzes over 100TB of daily security intelligence across over 1.6 million deployed Web, Email, Firewall and IPS appliances. SIO continuously evolves its defenses by looking across multiple security platforms with a global sensor network – brought together and analyzed in the cloud, then delivered back to Cisco customers every 3-5 minutes for protection that goes beyond blacklists and reputation. SIO’s intelligence in augmented by a network of traps, crawlers, third-party partnerships and threat research.

showsiteinfo.org Check links (out and in), speedtest, keywords, description

http://www.showsiteinfo.org/search?name=example.com

MxToolbox focuses on email-oriented DNS and network configuration information.

DNSqueries.com is a large collection of utilities (Domain Health Check, Ip Neighbors, Check IP on RBLs, Reverse lookup DNS, Perform DNS query, Dns Traversal, Get ip geo location, Server banner check, RegExp Tester, Encrypter, IPv4 converter, Http Headers, Ping tool, Traceroute utility, Googlebot Simulator, Check your SMTP server, Http Gzip Test, Keyword Density Analyzer, Whois Lookup, Live port scanner, and Mx Lookup). The Live port scanner is a noisy scanner (which crashed with a “512″ when I used it), but at least its not your IP address that will be blocked if someone notices the scan.

myip.ms Whois

dazzlepod.com Whois, Host Services (nmap query), Visual Traceroute

centralops.net/co Reverse DNS

VirusTotal Passive DNS https://www.virustotal.com/en/ip-address/xx.xx.xx.xx/information/

Farsight pDNS passive DNS

Site Dossier passive DNS http://www.sitedossier.com/ip/x.x.x.x

tcpiputils.com is another collection of utilities (DNS Lookup (root servers), Email Test, DNS Blackhole List, Ping, Domain Neighbors, MAC Address Lookup (vendor identification), W3C Validator, Geo Targeting SEO, Reverse TinyURL).

ipvoid.com DNS Blacklist (DNSBL) Lookup

nsZones.com offers a DYN Database IP Check http://www.nszones.com/dyn.ip?xx.xx.xx.xx as well as
Domain Name System Block List (DNSBL) services for the following zones:

  • bl.nszones.com combination of sbl.nszones.com and dyn.nszones.com in a single zone.
  • sbl.nszones.com (Open Relay, Hijacked PCs, Spam Source)
  • dyn.nszones.com (Dynamic, ADSL, Cable, no PTR Networks)
  • ubl.nszones.com (Domain Names, PTR of Dynamic Networks)

The Composite Blocking List (CBL) lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate, Bagle call-back proxies etc) and dedicated Spam BOTs (such as Cutwail, Rustock, Lethic etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or “stealth” spamware, dictionary mail harvesters etc.

gwebtools.com Whois, DNS Tools, Port Scanner, IP Subnet Calculator, Name Server Spy (what domains are hosted on a name server?), Domain Checker, SEO Tools, Bit Calculator (how many bits in a petabyte?), My IP

TechnicalInfo.net is a collection of passive information gathering tools, many of which fail by redirecting to swisscom. Includes some of the Sam Spade tools, which can tell you what others can easily learn about you. The Sam Spade tools look up DNS and domain information. The Sam Spade tools are frequently under revision, but one stable source is petri.co.il.

</xssed> provides examples of cross-site scripting (XSS) exploits that people have discovered and reported. Keep RSnakes’ XSS Cheat Sheet handy.

BFK DNS Logger As a service to CERTs and incident response teams, BFK uses passive DNS replication to collect public DNS data. Compared to the ordinary domain name system, this database adds further search capabilities.

Search Engine Optimization (SEO)

Expectations. It’s all about expectations. Getting a search engine to refer to your web site appropriately requires an understanding to what the search engine crawler does, what it expects to find, and how to address those expectations.

Alexa is the leading provider of free, global web metrics. SEO focused.

http://www.alexa.com/siteinfo/example.com

Google Analytics

siteshakedown.com aggregates from various sources to provide the site’s general company information, internet traffic rank, social popularity, twitter feeds, and more. SEO focused.

http://www.siteshakedown.com/q/www.example.com

SpyOnWeb.com Enter website url, ip address, google adsense or google analytics code and find out what resources belong to the same owner. SEO focused.

http://spyonweb.com/example.com

push2check.com aggregates various services. Many are SEO focused.

http://push2check.com/example.com

HubSpot’s Marketing Grader SEO focused.

Of particular interest are the HTML testing sites. Humans don’t notice a lot of HTML errors; search bots have been trained to correct and understand mistakes. Nonetheless, a valid HTML document has more chance of being correctly displayed in current browsers and updated browsers.

StatsCrop.com is a web service that lets you explore any website’s information and its history. Understand your website traffic or a competitor’s. SEO focused.

http://www.statscrop.com/www/example.com

Markosweb web site monitoring, SEO focused.

http://www.markosweb.com/www/example.com/

pandastats web site monitoring, SEO focused.

http://example.com.pandastats.net/

hostlogr web site monitoring, SEO focused.

http://example.com.hostlogr.com/

craftkeys web site monitoring, SEO focused.

http://craftkeys.com/site-info/example.com

pageglance web site monitoring, SEO focused.

http://www.pageglance.com/example.com

Reputation

webutation.net aggregates from various reputation rating sites.

http://www.webutation.net/go/review/example.com#

scamvoid.com also aggregates reputation information

http://scamvoid.com/check/example.com

urlvoid.com aggregates reputation information as well.

http://urlvoid.com/scan/example.com

ProjectHoneyPot Report Project Honey Pot is an open source initiative to track abuse, fraud, and other malicious behavior that occurs online. The Project tracks more than a million IP addresses engaged in suspicious behavior each day and reports on them through our website.

PhishTank.com is a collaborative clearing house for data and information about phishing on the Internet.

Web of Trust Unfortunately, no one checks to see what the community has reported in order to interpret the WoT score. They look no further than the raw score. The WoT raw score is largely useless; if it is low, then why? What is the complaint? Two “very poor” ratings can result in a poor reputation score. If it high, then why? Perhaps only one person bothered to rate it.

Malware reported

These are historical (not on-demand, “check now”) malware detection services.

Google’s Safe Browsing Diagnostic Tool reports if malware was detected while crawling and reports networks (ASNs).

http://www.google.com/safebrowsing/diagnostic?site=example.com

StopBadware.org reports if malware was reported. Does not do detection itself.

scumware.org Was any malware detected? Search by MD5, IP address, hostname or the beginnings of a URL. Add a URL to the list of URLs to crawl.

Malware URL checks sites using VirusTotal, Wepawet, Anubis and Threat Expert. Was any malware detected?

VirusTotal Was any malware detected? https://www.virustotal.com/en/ip-address/xxx.xxx.xxx.xxx/information/

Clean-MX Was any malware detected?

http://support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&domain=example.com

AVG Online Web Page Scanner Was any malware detected?

http://www.avgthreatlabs.com/sitereports/domain/example.com/domain-search-widget/www.avg.com.au

F-Secure Was any malware detected?

Norton Safe Web Was any malware detected?

http://safeweb.norton.com/report/show?url=example.com

Malware Domain List All domains on this website should be considered dangerous. If you do not know what you are doing here, it is recommended you leave right away. This website is a resource for security professionals and enthusiasts.

http://www.malwaredomainlist.com/mdl.php?search=example.com&colsearch=All&quantity=50

McAfee Site Advisor Any malware detected? Do any of the sites this site links to have malware?

http://www.siteadvisor.com/sites/example.com

McAfee TrustedSource Any malware detected? Do any of the sites it links to have malware? I do not see how the roles of Site Advisor and TrustedSource differ.

Trend Micro Web Reputation Any malware detected?

URL Blacklist Check blacklists.

URIBL Check blacklist.

Malware detection

Unmask Parasites Tests in real time for evidence that the web site has been hacked.

http://www.unmaskparasites.com/security-report/?page=http%3A//example.com

urlQuery.net is a (beta) service for detecting and analyzing web-based malware. It provides detailed information about the actions a browser takes while visiting a site and presents the information for further analysis. It uses Intrusion Detection Systems (IDSs) (Suricata with Emerging Threats and Snort with VRT), reports about the ASN, reviews the Java scripts, reports requests and responses.

hosts-file.net maintains net block lists and links to many web site information sources.

http://hosts-file.net/default.asp?s=example.com

Of particular interest is vURL Online. Quickly and safely dissect malicious or suspect websites.

http://vurldissect.co.uk/default.asp?url=http%3A%2F%2Fexample.com&btnvURL=Dissect&selUAStr=1&selServer=1&ref=&cbxLinks=on&cbxSource=on&cbxBlacklist=on

The following message from hpHOSTS (about the IP address not matching the PTR record) should not influence your decision to trust the website or ISP. Consult the IP reverse DNS feature of robtex.com or the Domain Dossier feature of CentralOps.net as a convenient mechanism to review DNS records. I find that the IP address often matches the PTR record, contrary to the message.

WARNING: The IP PTR associated with this record, does not resolve. This is considered very bad practice and contravines (sic) the RFC Standards. Most legit ISP’s will have their PTR’s resolve to an IP.


Cannot connect to iTunes Store

June 15, 2012

On your iPhone, the AppStore indicates that you have updates waiting. You choose to “Update All” (or choose a specific App and “Update”). You get the response “Cannot connect to iTunes Store”. You notice that other updates can be installed; only a specific update failed.

You are not going to be able to update the app. Uninstall and reinstall the app to get the update. Deleting the app will also delete all of its data.

If this fails:

  • Hard reset
  • (Settings, General, Reset) “Reset All Settings”

Follow

Get every new post delivered to your Inbox.