RSS

Category Archives: Security

Bring Your Own Device. Shudder.

It had to happen. Maybe they saw us secretly playing with (sorry, I mean testing) iPads in the IT department. Perhaps they saw the headlines that David Cameron plays a “scary, crazy” amount of time playing Fruit Ninja on his iPad. Whatever the reason, I was told yesterday that our Executive Committee wants us to recommend to them that they need some form of wireless tablet that they can connect to the corporate network to help boost productivity.

I couldn’t help but groan when I heard this. While I certainly think proper, secure Wifi access is something we should be thinking about (currently our wifi’s allow access to the Internet only – no corporate LAN access), I just know the CEO and co will be thinking that this is as simple as 1. purchase device and 2. connect to network. Unfortunately this way of doing things quickly leads to 3. clean up the malware infestation and 4. watch your data walk out of the door.

While the request specify mentions this Exec Committee, I see this as part of a growing trend towards Bring Your Own Device (BYOD) policies. Many users already use their own laptops at work rather than the Windows 7 desktop PC’s we supply, choosing to copy data between laptop and desktop via USB sticks (or simply keeping their data on their own laptop). For that reason, I think that this is a good opportunity to put forward recommendations for personal device usage that encompasses the whole organisation.

For me, there are two areas of concern. Firstly, we must ensure that personal devices cannot compromise the security of the corporate network by introducing malware. Whilst we cannot take responsibility for the state of a personal device (eg does it have antivirus enabled and up to date? Is it fully patched?) we must be able to prevent devices that are at risk from connecting to the network.

Secondly, we must be able to control (or at least, audit) what happens to corporate data. If Joe Bloggs is fired, we must be confident that he doesn’t walk out of the door with our customer database on his laptop. Unfortunately, given that many users already choose to use their own laptops for storing work, we are already falling behind with this. Equally unfortunately, this is as much an HR/management issue as it is a technological one. And our management are notoriously bad for giving in to user demands (we once implemented an endpoint policy using Safend software, all approved by the Executive Committee, only for it to be scrapped within an hour of being enabled due to a handful of users complaining that their own USB devices were being rejected. Despite the fact that we’d made the relevant people aware that this would happen, and had supplied approved USB devices to be used instead).

So this weekend, I shall be putting on my creative thinking cap and doing some research into how other companies are dealing with this. My first thoughts are perhaps to continue separating corporate and personal devices on different networks, and implementing a Windows 2008 Remote Desktop Services system on the corporate LAN to publish remote applications that users can use to work on corporate data, perhaps combined with a network quarantine solution to ensure that devices meet a minimal approved specification before being approved on the network. The advantage (or perhaps the disadvantage!) to RDS is that it could potentially be made available to the outside world, allowing users the freedom to work from anywhere.

 
Leave a comment

Posted by on May 26, 2012 in Computers, Security, Work

 

Postgrad News & Pineapple Goodness

So, I had my (in)formal postgrad interview with my employer this week where they set out what they expected from me as I start my MSc in Computer Security & Forensics early next year.

The interview went well, I think, but I can’t help but wish I could just do the MSc without my employers involvement (sadly though, I can’t afford the £14,000 or so that it’s going to cost so they kinda have me over a barrel). Being a technical guy who is happier probing our defences with tools like metasploit from the safety of a darkened server room than performing in front of crowds, the thought of having to give a formal lecture to my company fills me with terror. Hell, even the thought of doing lunch with the other postgrads on site makes me queasy. I totally understand why people doing similar MSc’s may want to get together, but my MSc is worlds apart from the life science degrees that they’re all doing. Ugh.

In other news, I ordered a Mk3 Pineapple from Hak5 last week, which I’m looking forward to getting my hands on. The Pineapple is essentially a device put together by Darren Kitchen and the Hak5 team to take advantage of a feature in most wifi devices that allows them to automatically reconnect to open Wifi networks that they’ve previously connected to, based on just the SSID of the network. The Pineapple is running Jasager (apparently German for “Yes man”), and when a wifi device starts up and sends out a probe asking if its wireless network is available, the Pineapple replies saying “Yep, I am that network”. The client then connects to the Pineapple without bothering to check if MAC address, Wifi channel or any other setting matches what was previously used by the real wifi network using that SSID, and that’s when the fun begins – at least, for the guy on the other end of the Pineapple :). I’m hoping to get time to sit down and really look at what this device does, how it all fits together, any additions I think I could make, as well as thinking about how best to defend against such a device from a corporate point of view. I shall post my findings back here later on once I’ve had a chance to play.

 
2 Comments

Posted by on December 1, 2011 in Security, Study

 

And today’s idiot award goes to…

And today’s idiot award goes to…Me.

One of my test networks experienced an Active Directory issue a few days ago which resulted in several computer accounts being reset, including the server which is running my development copy of MDT 2010. Since I couldn’t recall what I’d set the local admin password to, and wasn’t able to log in with a domain account, I resorted to my trusty and oh so simple Utilman.exe hack to get a shell on the server and reset my password. Essentially this involves replacing utilman.exe with cmd.exe so that you can press Ctrl+U at the logon screen to get a command prompt with System level privileges, allowing you full, unauthorized access to the box.

Unfortunately, I was having a numpty moment and ended up replacing cmd.exe with utilman.exe. I have just spent hours troubleshooting MDT 2010 wondering why it is suddenly unable to update my deployment share. And while cursing MDT, I was also idly wondering why the stupid “ease of access” center kept popping up. Hm, could it possibly be because MDT calls cmd.exe (or in this case utilman.exe pretending to be cmd.exe) to copy files around?!

In my defense…well…actually, I can’t think of a defense for this one. I shall just go and sit in the dunces corner for an hour!!

 
Leave a comment

Posted by on November 7, 2011 in Security, Work

 

PDFiD: Analyzing suspicious PDFs

As anyone who knows anything about IT security will tell you, PDF’s are increasingly being used as an attack vector to compromise computers. This is unfortunate because many users will have been educated that while files that end in .exe, .pif, .scr etc are evil, files that end in .pdf are generally safe to open. As we’re learning, this is not the case, and specially crafted PDF files can be used to cause just as much havoc as an exe or pif file.

It is also unfortunate that Adobe Reader, probably the most popular PDF reader out there, hasn’t really made it easy to manage updates in the past, especially in the corporate environment. This means there are many systems out there which are still running old, exploitable versions of the Reader. Come on Adobe, learn from Microsoft (now there’s something I didn’t think I ever say!)

Anyway, I recently had a user contact me saying she’d received a PDF from an email address that she was not familiar with. Amazingly, she hadn’t opened the attachment (which is most unlike our users, most will happily double click anything!) and asked if I could take a look. I’d recently come across a Python script called PDFiD which can be used to analyze PDF files for suspicious strings such as Javascript or Launch that can be used to run programs outside of the PDF reader.

PDFiD is simple to use, just run the script with the filename you wish to analyse as a parameter. The output is clear and concise and, while the author does admit there is the possibility of false positives, it is an exellent way to begin analyzing PDF’s that you don’t entirely trust.

I highly recommend any security conscious sysadmins add this tool to their toolkit, as the number of PDF exploits are likely to continue rising for the forseeable future. PDFiD can be downloaded from Didier Stevens website at http://blog.didierstevens.com/programs/pdf-tools.

Oh, and my users suspicious PDF? Turns out it was just another 419 spammer, this time putting his generous offer to make us all millionaires into a PDF attachment.

 
Leave a comment

Posted by on August 3, 2010 in Security

 

ClamAV 0.94: End of Life

The makers of ClamAV recently (well October 5th 2009, actually) announced that 0.94.x would no longer be supported from 15th April 2010.

All ClamAV releases older than 0.95 are affected by a bug in freshclam which prevents incremental updates from working with signatures longer than 980 bytes.
You can find more details on this issue on our bugzilla (see bug #1395)

This bug affects our ability to distribute complex signatures (e.g. logical signatures) with incremental updates.

So far we haven’t released any signatures which exceed this limit.
Before we do we want as many users as possible to upgrade to the latest version of ClamAV.

Starting from 15 April 2010 our CVD will contain a special signature which disables all clamd installations older than 0.95 – that is to say older than 1 year.

This move is needed to push more people to upgrade to 0.95 .
We would like to keep on supporting all old versions of our engine, but unfortunately this is no longer possible without causing a disservice to people running a recent release of ClamAV.
The traffic generated by a full CVD download, as opposed to an incremental update, cannot be sustained by our mirrors.

We plan to start releasing signatures which exceed the 980 bytes limit on May 2010.

We recommend that you always run the latest version of ClamAV to get optimal protection, reliability and performance.

Thanks for your cooperation!

As well as the post on their site, they also sent out notifications to the ClamAV mailing list warning people of the approaching deadline. Even so, as I check my mailbox today, I see several emails from people complaining that the antivirus on their servers had suddenly stopped working and they’re no longer able to process email.

Now, I realize that the decision to remotely disable old versions of ClamAV was always going to be a hugely controversial one, and that causing mail servers around the world to intentionally break may  have have been a bit naughty. Who gives third party companies the right to decide what versions of software you run on your mail server, right?

Well, actually, I applaud the makers of ClamAV for this move. They must have known there would be people still using old versions who don’t read (or understand) the website and/or mailing lists, but were prepared to accept this negative publicity in order to give people the kick up the arse they need to upgrade from old versions which are known to be broken. It is widely known and accepted that old versions of antivirus software are less effective than their newer counterparts.

To all those red faced sysadmins saying that they weren’t informed about this  in advance: you are responsible for running your mail server. That includes putting yourself in the loop so that you’re aware of these sorts of issues/announcements. What did you expect, a representative of ClamAV to deliver you a hand written note? Perhaps you would prefer to continue running ineffectual versions of antivirus software, blissful in your ignorance.

I can happily report that we’ve been running 0.95.x for several weeks without any issues at all.

 
2 Comments

Posted by on April 16, 2010 in Security

 

MITM Made Easy with Metasploit

Very often, I will come across a nifty IT tool that I like the look of and want to test for myself. Unfortunately, my mental notes aren’t as sticky as they once were, and more often that not, I promptly forget all about said tool.

Today, however, I sat down and tested a couple of very useful man in the middle metasploit modules created by Robin of digininja.org fame.

These modules work on the premise that if you can get control of the sole DHCP server on the network, you can push out IP information containing compromised information. For example, you can tell workstations to use a DNS server that you control.

The first module, dhcp_exhaustion performs a DoS attack against the authoritative DHCP server by getting the server to allocate all remaining IP addresses to your computer. Once the legitimate DHCP server is exhausted, you can fire up your own DHCP server configured to give out evil information, such as setting the DNS server to the IP address of your computer running Metasploit.

The next stage of the attack is to run the dns_mitm module. This module reads a list of custom DNS entries from a standard text filewhich it returns to any client that asks. For example, your text file may include a line such as:

192.168.1.11  www.mywebbankingsite.org

Any client with IP info assigned by your DHCP server trying to go to http://www.mywebbankingsite.org will be taken to 192.168.1.11 which could be the IP address of a fake phishing website. By also giving the module the IP address of a legitimate DNS server, you can ensure that any DNS entries that aren’t explicitly listed in your text file are correctly resolved.

Think of networks under your control – how long would it before before you noticed that your DHCP server had stopped giving out address information, assuming someone else started running a DHCP server? How would you detect a MITM attack such as this? On my networks, I use various techniques such as port security on switches, egress filtering on firewalls etc, however, with a little bit of thought, most of these can be overcome by someone who knows what they’re doing.

You can find out more information about the two metaspoit modules over at the digininja website.

Disclaimer: Note that I am not an evil hacker and do not condone the use of such utilities for nefarious purposes. I am, however, a sysadmin that likes to know what security tools are available to help me secure my networks against such individuals.

 
Leave a comment

Posted by on March 12, 2010 in Security