<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-4482521283458453577</id><updated>2012-01-16T08:27:16.320-08:00</updated><category term='SCCM'/><category term='AES'/><category term='the force'/><category term='jedi'/><category term='risk management'/><category term='passwords'/><category term='nbnsspoof'/><category term='youngling'/><category term='diversion'/><category term='updates'/><category term='externality'/><category term='bullshit'/><category term='help'/><category term='Outlook Web Access'/><category term='OS X'/><category term='gnome'/><category term='quality assurance'/><category term='encryption'/><category term='backtrack'/><category term='risk modeling'/><category term='auditing'/><category term='nbnspoof'/><category term='sith'/><category term='metrics'/><category term='python'/><category term='rails'/><category term='contact'/><category term='pointsec'/><category term='DMCA'/><category term='script'/><category term='dark side'/><category term='data loss prevention'/><category term='lockpicking'/><category term='fde'/><category term='NPV'/><category term='Application Layer Firewall'/><category term='New School'/><category term='lightsaber'/><category term='Form 0'/><category term='snort'/><category term='black fist'/><category term='monte carlo'/><category term='linux'/><category term='Book Review'/><category term='change management'/><category term='incident response'/><category term='openbsd'/><category term='PCI'/><category term='VMWare'/><category term='form III'/><category term='relayd'/><category term='security'/><category term='information'/><category term='novell'/><category term='awkward'/><category 
term='padawan'/><category term='policies'/><category term='video tutorial'/><category term='jar jar binks'/><category term='forensics'/><category term='TrustedSource'/><category term='mind trick'/><category term='form II'/><category term='phishing'/><category term='copyright'/><category term='economics'/><category term='antivirus'/><category term='blogger'/><category term='unix'/><category term='mac'/><category term='R72'/><category term='event logs'/><category term='Deadly Whisper'/><category term='Sidewinder'/><category term='Ubuntu'/><category term='project management'/><category term='statistics'/><category term='google'/><title type='text'>Black Fist Security</title><subtitle type='html'>Information Security observations, tutorials, and ideas.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default?start-index=101&amp;max-results=100'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>155</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-6526121274176010837</id><published>2011-12-27T13:30:00.000-08:00</published><updated>2011-12-27T13:30:37.373-08:00</updated><title type='text'>Rails authentication using Devise and devise_ldap_authenticatable</title><content type='html'>About a week ago I posted about my attempts to integrate Rails applications with Active Directory. &amp;nbsp;I have successfully rolled my own authentication using net/ldap, but I want to use a gem so that there will be more than just me using it and fixing it up.&lt;br /&gt;&lt;br /&gt;Last week I succeeded in getting Devise and Omniauth-ldap to work together to integrate with Active Directory, but I decided that the solution was not enterprise-ready because there is currently no way to override the login page and make it look like the rest of my application.&lt;br /&gt;&lt;br /&gt;Now I think I have the solution, and it was a little bit easier too. &amp;nbsp;Devise + devise_ldap_authenticatable. &amp;nbsp;Here is the walkthrough for what worked for me.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Adding your gems&lt;/span&gt;&lt;br /&gt;For this project I am going to add the following lines to my gemfile:&lt;br /&gt;&lt;pre class="brush:ruby"&gt;gem "nifty-generators", :git =&amp;gt; 'https://github.com/ryanb/nifty-generators.git'&lt;br /&gt;gem 'devise'&lt;br /&gt;gem 'devise_ldap_authenticatable', :git =&amp;gt; 'git://github.com/cschiewek/devise_ldap_authenticatable.git'&lt;br /&gt;gem 'annotate', :git =&amp;gt; 'git://github.com/ctran/annotate_models.git'&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;The annotate gem and the nifty-generators gem aren't necessary, but I like to use them. 
Nifty-generators will make the flash notices that you'll need later on in the project, so you might consider using it if you're just following along. Now run bundle to get everything set up. &lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Setting up nifty-generators&lt;/span&gt;&lt;br /&gt;&lt;div&gt;There are a couple of steps that I'm going to go through to set up nifty-generators which are optional if you decide that you don't mind having your rails project look ugly.&lt;br /&gt;&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;&lt;span style="background-color: #cccccc;"&gt;rails generate nifty:config&lt;br /&gt;rails generate nifty:layout&lt;br /&gt;rails generate nifty:scaffold Change title:string description:string&lt;br /&gt;cp public/stylesheets/application.css app/assets/stylesheets/nifty.css&lt;br /&gt;rm public/index.html&lt;br /&gt;cat app/views/layouts/application.html.erb | sed \&lt;br /&gt;'s/javascript_include_tag :defaults/javascript_include_tag "application"/' \&lt;br /&gt;&amp;gt; /tmp/what.txt&lt;br /&gt;&amp;nbsp;cp /tmp/what.txt app/views/layouts/application.html.erb&lt;br /&gt;rake db:migrate&lt;/span&gt;&lt;/blockquote&gt;&lt;/div&gt;Also, make sure you edit config/routes.rb and add a path to root:&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;&lt;span style="background-color: #cccccc;"&gt;root :to =&amp;gt; 'changes#index'&lt;/span&gt;&lt;/blockquote&gt;At this point you should have a working application that will allow you to create, edit, and delete changes. &amp;nbsp;It should look nice and neat. &amp;nbsp;Make sure that you have the ability to delete objects, and if you do not, check the line in app/views/layouts/application.html.erb to make sure that javascript_include_tag is including "application" not :defaults. 
&amp;nbsp;A tell-tale sign that javascript is the source of your delete problem is that when you try to delete a change you're not even given the "are you sure" prompt.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Configuring devise for user management&lt;/span&gt;&lt;br /&gt;&amp;nbsp;Now we need to create a model for our users, and we'll call that model User. &amp;nbsp;We will use devise because then we'll have all of the helpers created for things like checking if the current user is authenticated. &amp;nbsp;This part is amazingly simple.&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;&lt;div class="p1"&gt;&lt;span style="background-color: #cccccc;"&gt;rails generate devise:install&lt;/span&gt;&lt;/div&gt;&lt;div class="p1"&gt;&lt;span style="background-color: #cccccc;"&gt;rails generate devise User&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div class="p2"&gt;&lt;span style="background-color: #cccccc;"&gt;rake db:migrate&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;/blockquote&gt;Bam! &amp;nbsp;That's it. &amp;nbsp;Now you have a user model with all kinds of neat options. &amp;nbsp;If you didn't want to perform Active Directory authentication you would be almost done now with just some work to customize the views.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Setting up devise_ldap_authenticatable&lt;/span&gt;&lt;br /&gt;First we need to generate the devise_ldap_authenticatable installation.&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;&lt;span style="background-color: #cccccc;"&gt;rails generate devise_ldap_authenticatable:install&lt;/span&gt;&lt;/blockquote&gt;There are options that you can set, but I don't need them. &amp;nbsp;The gem assumes that your user model is called User which mine is.&lt;br /&gt;&lt;br /&gt;Now we need to set the LDAP parameters used to connect to Active Directory. 
&amp;nbsp;This is kept in config/ldap.yml.&lt;br /&gt;&lt;br /&gt;&lt;pre class="brush:ruby"&gt;development:&lt;br /&gt;  host: domaincontroller.domain.com&lt;br /&gt;  port: 389&lt;br /&gt;  attribute: sAMAccountName&lt;br /&gt;  base: dc=domain,dc=com&lt;br /&gt;  admin_user: cn=admin,dc=test,dc=com&lt;br /&gt;  admin_password: admin_password&lt;br /&gt;  ssl: false&lt;br /&gt;  # &amp;lt;&amp;lt;: *AUTHORIZATIONS&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;The most important thing here is that you set the attribute to sAMAccountName and that you have the full DN and password of your binding user. &amp;nbsp;There are options here to force certain group membership or make sure that certain attributes are set, but I haven't played with that yet. &amp;nbsp;Right now, anybody who is a member of the domain is able to log into my app.&lt;br /&gt;&lt;br /&gt;The last thing we need to do is make some edits to config/initializers/devise.rb, which has some new options that were added by the devise_ldap_authenticatable installer. 
&amp;nbsp;This is what my configuration looks like:&lt;br /&gt;&lt;br /&gt;&lt;pre class="brush:ruby"&gt;  # ==&amp;gt; LDAP Configuration&lt;br /&gt;  config.ldap_logger = true&lt;br /&gt;  config.ldap_create_user = true&lt;br /&gt;  # config.ldap_update_password = true&lt;br /&gt;  config.ldap_config = "#{Rails.root}/config/ldap.yml"&lt;br /&gt;  config.ldap_check_group_membership = false&lt;br /&gt;  config.ldap_check_attributes = false&lt;br /&gt;  config.ldap_use_admin_to_bind = true&lt;br /&gt;  # config.ldap_ad_group_check = false&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;Look a little further in the document to find these lines and change them to match mine:&lt;br /&gt;&lt;br /&gt;&lt;pre class="brush:ruby"&gt;config.authentication_keys = [ :username ]&lt;br /&gt;config.case_insensitive_keys = [ :email, :username ]&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Changes to the user model&lt;/span&gt;&lt;br /&gt;We want to keep track of some Active Directory attributes, so we need to make a few changes to our user model. &amp;nbsp;Let's add a firstname, lastname, username, and displayname field.&lt;br /&gt;&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;&lt;span style="background-color: #cccccc;"&gt;rails generate migration add_fields_to_users firstname:string lastname:string username:string displayname:string&lt;br /&gt;rake db:migrate&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;This is when I like to use annotate so that I can keep track of what I've done to my models. &amp;nbsp;Anyway, let's take a look at the app/models/user.rb file. 
&amp;nbsp;We need to update our attr_accessible list, and add some methods to pull in Active Directory attributes and save them with our user.&lt;br /&gt;&lt;br /&gt;&lt;pre class="brush:ruby"&gt;  attr_accessible :username, :email, :password, :password_confirmation, :remember_me, :firstname, :lastname, :displayname&lt;br /&gt;&lt;br /&gt;  before_save :get_ldap_lastname, :get_ldap_firstname, :get_ldap_displayname, :get_ldap_email&lt;br /&gt;&lt;br /&gt;  def get_ldap_lastname&lt;br /&gt;      Rails.logger.info("### Getting the user's last name")&lt;br /&gt;      tempname = Devise::LdapAdapter.get_ldap_param(self.username, "sn")&lt;br /&gt;      # interpolate rather than concatenate: a missing attribute comes back as nil, and String + nil raises TypeError&lt;br /&gt;      puts "\tLDAP returned lastname of #{tempname}"&lt;br /&gt;      self.lastname = tempname&lt;br /&gt;  end&lt;br /&gt;&lt;br /&gt;  def get_ldap_firstname&lt;br /&gt;      Rails.logger.info("### Getting the user's first name")&lt;br /&gt;      tempname = Devise::LdapAdapter.get_ldap_param(self.username, "givenname")&lt;br /&gt;      puts "\tLDAP returned firstname of #{tempname}"&lt;br /&gt;      self.firstname = tempname&lt;br /&gt;  end&lt;br /&gt;&lt;br /&gt;  def get_ldap_displayname&lt;br /&gt;      Rails.logger.info("### Getting the user's display name")&lt;br /&gt;      tempname = Devise::LdapAdapter.get_ldap_param(self.username, "displayname")&lt;br /&gt;      self.displayname = tempname&lt;br /&gt;  end&lt;br /&gt;&lt;br /&gt;  def get_ldap_email&lt;br /&gt;      Rails.logger.info("### Getting the user's email address")&lt;br /&gt;      tempmail = Devise::LdapAdapter.get_ldap_param(self.username, "mail")&lt;br /&gt;      self.email = tempmail&lt;br /&gt;  end&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Changes to the views&lt;/span&gt;&lt;br /&gt;The final change is to make sure that our view is going to reflect whether or not a user is logged in and provide some basic information about the logged in user. 
&amp;nbsp;I added this right under the title in app/views/changes/index.html.erb&lt;br /&gt;&lt;br /&gt;&lt;pre class="brush:ruby"&gt;&amp;lt;% if user_signed_in? %&amp;gt;&lt;br /&gt;    Welcome &amp;lt;%= current_user.firstname %&amp;gt;, you last logged on &amp;lt;%= current_user.last_sign_in_at %&amp;gt; from &amp;lt;%= current_user.last_sign_in_ip %&amp;gt;&lt;br /&gt;&amp;lt;% else %&amp;gt;&lt;br /&gt;    &amp;lt;%= link_to "login", new_user_session_path %&amp;gt;&lt;br /&gt;&amp;lt;% end %&amp;gt;&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;We also need to make a critical change to the login form. &amp;nbsp;Right now it is still asking for an email address and it won't let you get away with typing a username into the email field. &amp;nbsp;So we need to have devise show us our view so that we can edit it.&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;&lt;span style="background-color: #cccccc;"&gt;rails generate devise:views&lt;/span&gt;&lt;/blockquote&gt;Now edit app/views/devise/sessions/new.html.erb. &amp;nbsp;Change the email label to say username and change the email_field to text_field.&lt;br /&gt;&lt;br /&gt;Also, if you want to have the user redirect to your root path, then you need to add something like this to config/routes.rb&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;&lt;span style="background-color: #cccccc;"&gt;match '/changes' =&amp;gt; 'changes#index', :as =&amp;gt; 'user_root'&lt;/span&gt;&lt;/blockquote&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/6526121274176010837/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=6526121274176010837' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4482521283458453577/posts/default/6526121274176010837'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/6526121274176010837'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2011/12/rails-authentication-using-devise-and_27.html' title='Rails authentication using Devise and devise_ldap_authenticatable'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-3760433452537765526</id><published>2011-12-20T15:06:00.000-08:00</published><updated>2011-12-22T19:16:22.921-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='rails'/><title type='text'>Rails authentication using devise and omniauth-ldap</title><content type='html'>Recently I've been doing some development in Ruby on Rails and I wanted to be able to have users log into the application using Active Directory credentials and I wanted some user information to persist in a database so that I could make objects belong_to a User. &amp;nbsp;In this case the application is for IT Change Management so I have two models, User and Change. &amp;nbsp;User has_many changes and Change belongs_to user. &amp;nbsp;I started to code something up myself, but then I thought I would take some time to figure out how to do it using some of the gems out there that make life simple. &amp;nbsp;So I wanted to combine devise with omniauth-ldap. &amp;nbsp;It took me a while to get it all working, and so I want to document my process for everyone (especially me) to come back and reference. 
&amp;nbsp;So here is my walkthrough of creating a very simple application using devise and omniauth-ldap for user management.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Adding your gems&lt;/span&gt;&lt;br /&gt;For this project I am going to add the following lines to my gemfile:&lt;br /&gt;&lt;br /&gt;&lt;pre class="brush:ruby"&gt;gem "nifty-generators", :git =&amp;gt; 'https://github.com/ryanb/nifty-generators.git'&lt;br /&gt;gem 'devise', :git =&amp;gt; 'https://github.com/plataformatec/devise.git'&lt;br /&gt;gem 'omniauth-ldap', :git =&amp;gt; 'https://github.com/intridea/omniauth-ldap.git'&lt;br /&gt;gem 'annotate', :git =&amp;gt; 'git://github.com/ctran/annotate_models.git'&lt;br /&gt;&lt;/pre&gt;The annotate gem and the nifty-generators gem aren't necessary, but I like to use them. &amp;nbsp;Nifty-generators will make the flash notices that you'll need later on in the project, so you might consider using it if you're just following along. &amp;nbsp;Now run bundle to get everything set up.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="font-size: large;"&gt;Setting up nifty-generators&lt;/span&gt;&lt;/div&gt;&lt;div&gt;There are a couple of steps that I'm going to go through to set up nifty-generators which are optional if you decide that you don't mind having your rails project look ugly.&lt;/div&gt;&lt;div&gt;&lt;blockquote class="tr_bq"&gt;&lt;span style="background-color: #cccccc;"&gt;rails generate nifty:config&lt;br /&gt;rails generate nifty:layout&lt;br /&gt;rails generate nifty:scaffold Change title:string description:string&lt;br /&gt;cp public/stylesheets/application.css app/assets/stylesheets/nifty.css&lt;br /&gt;rm public/index.html&lt;br /&gt;cat app/views/layouts/application.html.erb | sed \&lt;br /&gt;'s/javascript_include_tag :defaults/javascript_include_tag "application"/' \&lt;br /&gt;&amp;gt; /tmp/what.txt&lt;br /&gt;&amp;nbsp;cp /tmp/what.txt 
app/views/layouts/application.html.erb&lt;/span&gt;&lt;/blockquote&gt;&lt;/div&gt;Also, make sure you edit config/routes.rb and add a path to root:&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;&lt;span style="background-color: #cccccc;"&gt;root :to =&amp;gt; 'changes#index'&lt;/span&gt;&lt;/blockquote&gt;At this point you should have a working application that will allow you to create, edit, and delete changes. &amp;nbsp;It should look nice and neat. &amp;nbsp;Make sure that you have the ability to delete objects, and if you do not, check the line in app/views/layouts/application.html.erb to make sure that javascript_include_tag is including "application" not :defaults. &amp;nbsp;A tell-tale sign that javascript is the source of your delete problem is that when you try to delete a change you're not even given the "are you sure" prompt.&lt;br /&gt;&lt;br /&gt;You have probably also seen some devise warnings popping up when you run some of these commands. &amp;nbsp;Don't worry, we're going to take care of that in the next section.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Configuring devise for user management&lt;/span&gt;&lt;br /&gt;&amp;nbsp;Now we need to create a model for our users, and we'll call that model User. &amp;nbsp;We will use devise because then we'll have all of the helpers created for things like checking if the current user is authenticated. &amp;nbsp;This part is amazingly simple.&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;&lt;div class="p1"&gt;&lt;span style="background-color: #cccccc;"&gt;rails generate devise:install&lt;/span&gt;&lt;/div&gt;&lt;div class="p1"&gt;&lt;span style="background-color: #cccccc;"&gt;rails generate devise User&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div class="p2"&gt;&lt;span style="background-color: #cccccc;"&gt;rake db:migrate&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;/blockquote&gt;Bam! &amp;nbsp;That's it. &amp;nbsp;Now you have a user model with all kinds of neat options. 
&amp;nbsp;If you didn't want to perform Active Directory authentication you would be almost done now with just some work to customize the views. &amp;nbsp;Now we're going to start on the stuff that took me the longest.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Integrating omniauth-ldap into devise&lt;/span&gt;&lt;br /&gt;There are two things that really caused me a lot of headache and once I learned them this whole process went a lot faster. &amp;nbsp;The first thing you should know is that omniauth-ldap does not use the credentials that the user enters to bind to LDAP. &amp;nbsp;So unless your Active Directory is configured to allow anonymous LDAP then you're going to need to provide credentials for binding. &amp;nbsp;I wasn't doing that and I couldn't figure out why I kept getting LDAP errors. &amp;nbsp;The second thing that is useful to know is that the configuration for omniauth-ldap is done in the devise initialization file: config/initializers/devise.rb. &amp;nbsp;If you go to the github site for omniauth-ldap, Ping (the author) has some instructions and a sample application (look in the wiki for the sample application). &amp;nbsp;In that sample application, the omniauth-ldap configuration is in a file called config/initializers/omniauth.rb. &amp;nbsp;In our application, we're going to ignore that and instead put that into config/initializers/devise.rb. 
&amp;nbsp;Look for the string config.omniauth and include this in the configuration right after the comments:&lt;br /&gt;&lt;br /&gt;&lt;pre class="brush:ruby"&gt;config.omniauth :ldap, :host =&amp;gt; 'YOUR_LDAP_SERVER',&lt;br /&gt;      :base =&amp;gt; 'THE_BASE_WHERE_YOU_SEARCH_FOR_USERS',&lt;br /&gt;      :uid =&amp;gt; 'sAMAccountName',&lt;br /&gt;      :port =&amp;gt; 389,&lt;br /&gt;      :method =&amp;gt; :plain,&lt;br /&gt;      :bind_dn =&amp;gt; 'THE_FULL_DN_OF_THE_USER_YOU_WILL_BIND_WITH',&lt;br /&gt;      :password =&amp;gt; 'THE_PASSWORD_OF_THE_BIND_USER'&lt;br /&gt;&lt;/pre&gt;&lt;div class="p1"&gt;You'll probably need to get most of this information from an Active Directory administrator. &amp;nbsp;I don't advise using your own DN and password because then every time you change your password the application will break. &amp;nbsp;I would suggest running &lt;span style="background-color: #cccccc;"&gt;&lt;span style="font-family: 'Courier New', Courier, monospace;"&gt;rails server&lt;/span&gt;&lt;/span&gt; right now just to make sure that you didn't enter anything that will cause the application to fail. &amp;nbsp;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;Setting up your views&lt;/span&gt;&lt;br /&gt;In my view, I want to do something really simple. &amp;nbsp;If a user is logged in, I want to welcome them and provide a logout link. &amp;nbsp;If a user is not logged in, I want to present a login link. &amp;nbsp;So I'm going to go into app/views/changes/index.html.erb and add this right under the title:&lt;br /&gt;&lt;br /&gt;&lt;pre class="brush:ruby"&gt;&amp;lt;% if user_signed_in? 
%&amp;gt;&lt;br /&gt;    Welcome &amp;lt;%= current_user.email %&amp;gt; (&amp;lt;%= link_to "logout", destroy_user_session_path, :method =&amp;gt; :delete %&amp;gt;)&lt;br /&gt;&amp;lt;% else %&amp;gt;&lt;br /&gt;    Nobody logged in. &amp;lt;%= link_to "log in here", user_omniauth_authorize_path(:ldap) %&amp;gt;&lt;br /&gt;&amp;lt;% end %&amp;gt;&lt;br /&gt;&lt;/pre&gt;Those routes to destroy_user_session_path and user_omniauth_authorize_path are all generated by devise and didn't take any additional work on my part. &lt;br /&gt;&lt;br /&gt;We also need to make a change to our user model that was generated by devise. &amp;nbsp;If you look in app/models/user.rb you'll see a line with some devise configuration that makes this user model :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, and :validatable. &amp;nbsp;To this list we need to add &lt;span style="font-family: 'Courier New', Courier, monospace;"&gt;:&lt;span style="background-color: #cccccc;"&gt;omniauthable&lt;/span&gt;&lt;/span&gt;. &amp;nbsp;If you're seeing an error about user_omniauth_authorize_path not being defined, it is because you didn't add :omniauthable to the user model.&lt;br /&gt;&lt;br /&gt;At this point your application should run and you should be able to click those links. &amp;nbsp;You'll be taken to an ugly looking login screen. &amp;nbsp;Login isn't going to work yet because we haven't wired up the callback. &amp;nbsp;Here are a couple of tests you can run to make sure that everything is right so far. &amp;nbsp;1. Try to log in with valid credentials. &amp;nbsp;You'll be directed to a sign in page and see an error message that you couldn't log in because of an LDAP error. &amp;nbsp;2. Try to log in with invalid credentials. 
&amp;nbsp;This time you'll be redirected to the same page, but you'll have an error message about invalid credentials.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;More changes to the User model&lt;/span&gt;&lt;br /&gt;In my case I want to retain some information about the user that is returned from LDAP so that I can have associations between changes and users. &amp;nbsp;So we need to generate a migration to add a few database fields to our User table. &amp;nbsp;Run this command:&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;&lt;span style="background-color: #cccccc;"&gt;rails generate migration AddColumnsToUsers firstname:string lastname:string displayname:string username:string&lt;/span&gt;&lt;/blockquote&gt;That should generate a migration for you that looks like this:&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-sHdy10wt2rQ/TvIZGuDe5WI/AAAAAAAAAc0/tQC7bMEZJ6M/s1600/Screen+shot+2011-12-21+at+11.35.51+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="99" src="http://1.bp.blogspot.com/-sHdy10wt2rQ/TvIZGuDe5WI/AAAAAAAAAc0/tQC7bMEZJ6M/s320/Screen+shot+2011-12-21+at+11.35.51+AM.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;If you want to make sure that your username is also unique, you should add &lt;span style="background-color: #cccccc; font-family: 'Courier New', Courier, monospace;"&gt;add_index :users, :username, :unique =&amp;gt; true&lt;/span&gt; to the migration. &amp;nbsp;I also want to make sure that the username is not blank. 
&amp;nbsp;Now run &lt;span style="background-color: #cccccc;"&gt;&lt;span style="font-family: 'Courier New', Courier, monospace;"&gt;rake db:migrate&lt;/span&gt;&lt;/span&gt; to add those fields to your table. &amp;nbsp;Then we need to edit the file app/models/user.rb to make those fields useful. &amp;nbsp;First, we need to add our new columns to the attr_accessible line in the model. &amp;nbsp;&lt;/div&gt;&lt;blockquote class="tr_bq"&gt;&lt;span style="background-color: #cccccc;"&gt;attr_accessible :firstname, :lastname, :displayname, :username, :email, :password, :password_confirmation, :remember_me&lt;/span&gt;&lt;/blockquote&gt;In my application, we are not going to set the user's password; we're going to depend on Active Directory to do the authentication. &amp;nbsp;But I don't like the idea of removing the validation from devise and I don't want to have user accounts with no password in the database. &amp;nbsp;So I'm going to create a method that I can use to set a random password for each user. &amp;nbsp;I'm using the self.method notation to make this a class method rather than an instance method.&lt;br /&gt;&lt;br /&gt;&lt;pre class="brush:ruby"&gt;  # Class method returning 64 hex characters from the OS random source; the value is only a&lt;br /&gt;  # placeholder to satisfy devise, since Active Directory does the real authentication&lt;br /&gt;  def self.generate_random_password&lt;br /&gt;      SecureRandom.hex(32)&lt;br /&gt;  end&lt;br /&gt;&lt;/pre&gt;&lt;div&gt;&lt;span style="font-size: large;"&gt;Wiring up the callback&lt;/span&gt;&lt;/div&gt;&lt;div&gt;The next thing we need to do is tell devise what controller to use for the omniauth callback. 
&amp;nbsp;We're going to do this in our routes file, so edit config/routes.rb and find the line that reads devise_for :users and change it to read:&lt;/div&gt;&lt;blockquote class="tr_bq"&gt;&lt;span style="background-color: #cccccc;"&gt;devise_for :users, :controllers =&amp;gt; { :omniauth_callbacks =&amp;gt; "users/omniauth_callbacks" }&lt;/span&gt;&lt;/blockquote&gt;That tells devise that when we get an answer back from ldap, we should look in app/controllers/users/omniauth_callbacks. &amp;nbsp;If we were using omniauth without devise, the user would log in by visiting /auth/ldap. &amp;nbsp;What we've done here is make use of the integration between devise and omniauth. &amp;nbsp;So users will visit /users/auth/ldap. &amp;nbsp;We also need to specify what controller is going to handle the callback. &amp;nbsp;Without devise we do the same thing by adding a line like this to config/routes:&lt;br /&gt;&lt;br /&gt;&lt;blockquote class="tr_bq"&gt;&lt;span style="background-color: #cccccc;"&gt;match "/auth/:provider/callback" =&amp;gt; "users/omniauth_callbacks#create"&lt;/span&gt;&lt;/blockquote&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&amp;nbsp;When you successfully authenticate to LDAP you'll get back a big bundle of information about the user. &amp;nbsp;We're going to use that information to either log in an existing user or create a new user and log that user in. &amp;nbsp;The code for this is going to be located in the omniauth_callbacks file which does not exist right now. &amp;nbsp;We need to create the file and add a method called ldap to handle the way LDAP results are returned. &amp;nbsp;This ldap method is going to check if there is an existing user and log that person in, otherwise create a new user. 
&amp;nbsp;Here is the code for that file:&lt;br /&gt;&lt;br /&gt;&lt;pre class="brush:ruby"&gt;class Users::OmniauthCallbacksController &amp;lt; Devise::OmniauthCallbacksController&lt;br /&gt;&lt;br /&gt;    def ldap&lt;br /&gt;        # We only find ourselves here if the authentication to LDAP was successful.&lt;br /&gt;        ldap_return = request.env["omniauth.auth"]["extra"]["raw_info"]&lt;br /&gt;        firstname = ldap_return.givenname[0].to_s&lt;br /&gt;        lastname = ldap_return.sn[0].to_s&lt;br /&gt;        displayname = ldap_return.displayname[0].to_s&lt;br /&gt;        username = ldap_return.sAMAccountName[0].to_s&lt;br /&gt;        # proxyaddresses values look like "SMTP:someone@example.com"; drop the five-character prefix&lt;br /&gt;        email = ldap_return.proxyaddresses[0][5..-1].to_s&lt;br /&gt;&lt;br /&gt;        @user = User.find_by_username(username)&lt;br /&gt;        if @user&lt;br /&gt;            sign_in_and_redirect @user&lt;br /&gt;        else&lt;br /&gt;            @user = User.create(:firstname =&amp;gt; firstname,&lt;br /&gt;                                :lastname =&amp;gt; lastname,&lt;br /&gt;                                :displayname =&amp;gt; displayname,&lt;br /&gt;                                :username =&amp;gt; username,&lt;br /&gt;                                :email =&amp;gt; email,&lt;br /&gt;                                :password =&amp;gt; User.generate_random_password)&lt;br /&gt;            sign_in_and_redirect @user&lt;br /&gt;        end&lt;br /&gt;    end&lt;br /&gt;end&lt;br /&gt;&lt;/pre&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;This information could use a bit of explaining. &amp;nbsp;The results from LDAP are put into a request environment entry called omniauth.auth, which uses the omniauth auth hash format. &amp;nbsp;If we were using something like Facebook or Twitter for our authenticator, omniauth could probably figure out things like the username and this code wouldn't be as ugly. &amp;nbsp;But the data we need is in a hash called raw_info, which itself is a hash within a hash within a hash. &amp;nbsp;Each of the return values that we need is in an array, so my firstname is in an array, which is why I have to put the [0] after ldap_return.givenname. &amp;nbsp;Don't worry too much about the email line; in your organization you probably will be able to use ldap_return.email. &amp;nbsp;In my case, the email address that I want an application to use is different than what is stored in that value, so I am grabbing an address from a different part of the response and stripping off the SMTP: that appears at the beginning. &lt;br /&gt;&lt;br /&gt;&lt;span style="font-size: large;"&gt;What's next?&lt;/span&gt;&lt;br /&gt;We have a working application that can authenticate users via Active Directory. 
&amp;nbsp;There are a few loose ends that I would like to clean up, but this is as far as I was able to get. &amp;nbsp;For example, if a user's authentication fails they are redirected to a sign up page that I don't want them to see. &amp;nbsp;However, I wasn't able to figure out how to change the application routing to make them redirect to the sign in page instead. &amp;nbsp;Also, the login page is not customizable at all. &amp;nbsp;That really doesn't work for an enterprise environment, which is where you're most likely to see Active Directory integration. &amp;nbsp;It looks unprofessional when your user gets redirected to a login page that looks nothing like the rest of your site. &lt;br /&gt;&lt;br /&gt;So while this will work for back end stuff or personal stuff that you aren't going to expose to the end users, it isn't going to meet your needs right now for enterprise applications. &amp;nbsp;If you want Active Directory integration that looks professional you're stuck with rolling your own for now. &lt;br /&gt;&lt;br /&gt;I hope someone proves me wrong in the comments. 
&amp;nbsp;I really wanted this to work.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-3760433452537765526?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/3760433452537765526/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=3760433452537765526' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3760433452537765526'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3760433452537765526'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2011/12/rails-authentication-using-devise-and.html' title='Rails authentication using devise and omniauth-ldap'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-sHdy10wt2rQ/TvIZGuDe5WI/AAAAAAAAAc0/tQC7bMEZJ6M/s72-c/Screen+shot+2011-12-21+at+11.35.51+AM.png' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-3441333027864947096</id><published>2011-11-10T06:55:00.001-08:00</published><updated>2011-12-20T15:06:09.249-08:00</updated><title type='text'>Stats for risk modeling: The Uniform Distribution</title><content type='html'>&lt;i&gt;This blog entry originally appeared on the Society of 
Information Risk Analysts web page on November 3, 2011:&amp;nbsp;&lt;a href="http://societyinforisk.org/content/stats-risk-modeling-uniform-distribution"&gt;http://societyinforisk.org/content/stats-risk-modeling-uniform-distribution&lt;/a&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Next up in my series on distributions, I'd like to talk about the Uniform distribution.&amp;nbsp; Uniform is quickly becoming my favorite distribution because it is really easy to understand and it helps us to avoid a common mistake in risk modeling; namely that we tend to underestimate the likelihood of the extremes.&amp;nbsp; If you remember back to my previous post on the Normal distribution you will recall that once you get three standard deviations away from the mean you are getting into frequencies that are pretty low.&amp;nbsp; In fact, in a perfect normal distribution it would take 10,000 loss events to find 15 losses that were greater than 3 times the standard deviation. &lt;br /&gt;&lt;br /&gt; Uniform distribution makes a great "safety" distribution.&amp;nbsp; Maybe you're pretty confident that some random variable can be represented by a normal distribution, and if that is the case then use it.&amp;nbsp; That's what it's there for.&amp;nbsp; But what if your random variable is bimodal, meaning that it has ups and downs and no single most likely value?&amp;nbsp; What if you think that values at the far end of the distribution likely occur more often than what the Normal distribution allows?&amp;nbsp; Uniform distribution never lets me underestimate my tails (unless my random variable is a strange U shaped phenomenon) and it never makes me ignore one mode in favor of another. 
&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://mavdisk.mnsu.edu/kevin/uniform-cont.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="186" src="http://mavdisk.mnsu.edu/kevin/uniform-cont.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://mavdisk.mnsu.edu/kevin/uniform-disc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="203" src="http://mavdisk.mnsu.edu/kevin/uniform-disc.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;strong&gt;SOME BACKGROUND&lt;/strong&gt;: Distributions can be discreet or continuous.&amp;nbsp; Discrete distributions have clear values with nothing in between.&amp;nbsp; In the two pictures above, the distribution on top is continuous, and the bottom is discrete.&amp;nbsp; A fair six-sided die is a good example of a discrete uniform distribution.&amp;nbsp; It has 6 and only 6 possible outcomes.&amp;nbsp; If I used a continuous uniform distribution to represent that variable I might get values like 4.5.&amp;nbsp; One of the "rules" of modeling risk in Monte Carlo simulations is that each value in each iteration has to be possible.&amp;nbsp; No gibberish in the model.&amp;nbsp; So having a variable that tells you (with great frequency) that you rolled 3.291 is bad.&amp;nbsp; Built into Excel you have the RANDBETWEEN function which will give you a discrete uniform distribution of random numbers.&amp;nbsp; If you're using the FAIR Lite tool, you can get a nearly uniform distribution by setting the confidence of an estimate to very low and putting the most likely value right between the minimum and the maximum.&amp;nbsp; It's not exactly uniform, but probably close enough.&lt;br /&gt;&lt;br /&gt; 
&lt;strong&gt;WHEN TO USE IT&lt;/strong&gt;: Use the uniform distribution when you have a good idea about the upper and lower bound of your variable, but you are uncertain about the shape. &lt;br /&gt;&lt;br /&gt; &lt;strong&gt;WHAT MAKES IT COOL&lt;/strong&gt;: It's easy to understand.&amp;nbsp; You can explain this distribution to even the most statistically challenged of executives.&amp;nbsp; And thanks to the Central Limit Theorem when you combine several uniform distributions you'll get a normal distribution which will satisfy the people that want nice graphs and tighter estimates of the most likely value.&lt;br /&gt;&lt;br /&gt; &lt;strong&gt;WHEN TO AVOID IT&lt;/strong&gt;: You should absolutely avoid this distribution if you have any evidence that the variable you're representing is U-shaped, in other words the values at the extreme are more likely than values in the middle.&amp;nbsp; Other than that, this is a great distribution if you want to be open to possibilities and are willing to admit that you don't know a whole lot.&lt;br /&gt;&lt;br /&gt; &lt;strong&gt;EXTRA CREDIT&lt;/strong&gt;: U-shaped distributions are most often seen where there is cyclic data.&amp;nbsp; For example, if you were modeling the snowfall in a given month and your X axis starts with January and ends with December then you would likely see more snowfall on the two ends and less in the middle.&amp;nbsp; Can you think of any variables in information security that might follow a U-shaped distribution?&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-3441333027864947096?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/3441333027864947096/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=3441333027864947096' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3441333027864947096'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3441333027864947096'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2011/11/stats-for-risk-modeling-uniform.html' title='Stats for risk modeling: The Uniform Distribution'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-608786986852570034</id><published>2011-11-07T09:22:00.000-08:00</published><updated>2011-11-07T09:23:48.226-08:00</updated><title type='text'>Stats for risk modeling: The Normal Distribution</title><content type='html'>&lt;i&gt;This blog entry was originally posted on the Society of Information Risk Analysts web page on November 1, 2011: &lt;a href="http://societyinforisk.org/content/stats-risk-modeling-normal-distribution"&gt;http://societyinforisk.org/content/stats-risk-modeling-normal-distribution&lt;/a&gt;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;A few months ago I did a presentation at the Twin Cities Information Risk Round Table (TCIRRT) about basic statistical distributions that you might use in your risk models.&amp;nbsp; The presentation proved to be rather popular and so I thought maybe I should write a series of blog posts to review the material that I covered in that presentation.&lt;br /&gt;&lt;br /&gt;I was a little torn over whether to start with a normal distribution or a uniform 
distribution and ultimately just decided to pick one.&amp;nbsp; So I’m going to talk about the normal distribution in this post.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://mavdisk.mnsu.edu/kevin/normal.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="196" src="http://mavdisk.mnsu.edu/kevin/normal.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;b&gt;SOME BACKGROUND&lt;/b&gt;: Distributions are all about the area under a curve.&amp;nbsp; That’s why calculus is so important to statistics.&amp;nbsp; We use distributions to represent random variables that we encounter in our risk models.&amp;nbsp; These are the unknowns, like how much is a loss event going to cost us.&amp;nbsp; I have included here a picture of a normal distribution with a mean of 50 and a standard deviation of 15.&amp;nbsp; In the picture the total area under the curve (which is all the blue stuff) adds up to 1.&amp;nbsp; That is going to be the case for every distribution that you look at.&amp;nbsp; The whole curve represents every possible outcome for a random variable, and the cumulative probability of every possible outcome is 1.&lt;br /&gt;&lt;br /&gt;I have highlighted the area between 35 and 50 on this curve, and you might notice at the top that this accounts for 34.1% of the area under the curve.&amp;nbsp; If this distribution was an accurate representation of a random variable, I could say that 34.1% of the time I should see a value that falls between 35 and 50.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;WHEN TO USE IT&lt;/b&gt;:&amp;nbsp; It seems to me that there are 3 tests you can use to decide if the normal distribution is the right distribution to represent your random variable.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;  You have an average value that you can calculate or reasonably estimate.&amp;nbsp; If you were using FAIR for your risk modeling, this would be your “most likely” 
value.&lt;/li&gt;&lt;li&gt;  The “shape” of the random variable is nearly symmetric.&amp;nbsp; It can be skewed a bit in one direction or another, but it should not be extreme.&lt;/li&gt;&lt;li&gt;  There is a low probability of getting a value at the far left or far right of your distribution.&amp;nbsp; In other words, it’s bell shaped.&lt;/li&gt;&lt;/ol&gt;&lt;b&gt;WHAT MAKES IT COOL&lt;/b&gt;: The normal distribution is cool because of the 68-95-99 rule.&amp;nbsp; A normal distribution has two parameters, the mean and the standard deviation.&amp;nbsp; You could think of standard deviation as how fat or skinny the distribution appears.&amp;nbsp; I mentioned earlier that this picture has a mean of 50 and a standard deviation of 15.&amp;nbsp; If you were to go from 50 to 35, you have moved 1 standard deviation away from the mean.&amp;nbsp; If you take the values from 35 to 65, you have 1 standard deviation in either direction.&amp;nbsp; And that should cover 68% of the area under the curve.&amp;nbsp; So in a normal distribution, 68% of the values are within one standard deviation in either direction from the mean.&amp;nbsp; If you move two standard deviations in either direction you have 95% of the area, and three will get you 99% of the area.&amp;nbsp; So if you can calculate or reasonably estimate the mean and standard deviation of a random variable, you will know that 99% of your values should be greater than the mean minus (standard deviation * 3) and smaller than the mean plus (standard deviation * 3).&lt;br /&gt;&lt;br /&gt;&lt;b&gt;WHEN TO AVOID IT&lt;/b&gt;: It should be obvious that if your random variable doesn’t pass the three tests I wrote up there then you should avoid using the normal distribution.&amp;nbsp; The main reason outside of failing the 3 tests that you should avoid it is that the normal distribution is continuous and boundless.&amp;nbsp; Continuous means that ANY value between two points is possible.&amp;nbsp; So my random variable could be 
assigned a value of 35.000654780.&amp;nbsp; I might just round that to two decimal places and call it a dollar value, but you should be aware that these values are possible.&amp;nbsp; Also, it will return values that extend beyond that 99% mark.&amp;nbsp; For example, let’s say that your mean is 30 and your standard deviation is 10.&amp;nbsp; You should know that 3 times out of 1000 your random number generator will give you a value that is less than zero.&amp;nbsp; If that is not possible in real life then you need to consider another distribution.&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-608786986852570034?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/608786986852570034/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=608786986852570034' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/608786986852570034'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/608786986852570034'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2011/11/stats-for-risk-modeling-normal.html' title='Stats for risk modeling: The Normal Distribution'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-3583708608264904359</id><published>2011-11-01T07:31:00.000-07:00</published><updated>2011-11-01T07:31:53.767-07:00</updated><title type='text'>Aggregating Risk Scenarios: put away the calculator.</title><content type='html'>This post appeared on the Society of Information Risk Analysts blog on October 20, 2011.&lt;br /&gt;&lt;br /&gt;The other day I was thinking about how one might go about expressing the aggregate information risk of an organization.&amp;nbsp; Lately I find myself favoring a balanced scorecard approach to expressing risk, but even after breaking risk scenarios into several groups, you still need to aggregate them in some way.&amp;nbsp; So how would one go about expressing the combined distribution of loss from several loss risk scenarios?&lt;br /&gt;&lt;br /&gt;Let's make up a story to illustrate.&amp;nbsp; Let's say that you are going to go to your favorite amusement park in Minnesota.&amp;nbsp; Your mom is going to her favorite amusement park in California and your dear sweet grandmother is going to her favorite amusement park in Florida.&amp;nbsp; Each of you is going to bring $100 with you.&amp;nbsp; You all have an equal risk of being robbed, but your mother and grandmother are so paranoid that they won't go unless you promise to reimburse them for any robbery they suffer.&amp;nbsp; If any of you are robbed you know that the robber will get at least $1 and no more than $100.&amp;nbsp; So you could express each risk scenario as a uniform distribution with a minimum of $1 and a maximum of $100.&amp;nbsp; But what is your total risk exposure?&lt;br /&gt;&lt;br /&gt;Your total risk exposure is $300 because you have three risks with a maximum loss of $100.&amp;nbsp; But we usually do not want to express what is possible, we want to express what is 
probable.&amp;nbsp; You might want to express risk out to the 95th percentile or the 99th percentile.&amp;nbsp; The total exposure number is actually quite rare.&amp;nbsp; How rare?&amp;nbsp; There is a 1% chance that one of you will be robbed for $100.&amp;nbsp; Since these events are independent, the probability of two of you being robbed for $100 is 1% of 1% or .01%.&amp;nbsp; The probability of all three of you being robbed for $100 is .0001% or once every million trips to the amusement park.&amp;nbsp; And even that is assuming that all three of you will certainly be robbed!&lt;br /&gt;&lt;br /&gt;The same effect happens on the minimum side of the aggregate risk distribution for the same reason.&amp;nbsp; I ran a Monte Carlo simulation with these three scenarios with 5000 samples.&amp;nbsp; Even after 5000 samples I couldn't get a minimum value less than 11.&amp;nbsp; In fact, only 10% of the simulations had less than $85 for the aggregate loss.&amp;nbsp; What you're seeing here is the Central Limit Theorem at work.&amp;nbsp; When we combine three uniform distributions, we get a result that starts to look more like a normal distribution.&amp;nbsp; The graphic here shows the outcome of adding these three loss distributions together.&amp;nbsp; The effect becomes even more pronounced when the distributions aren't uniform.&amp;nbsp; If we had used a Pert distribution to describe each of the losses with a most likely loss of $30 then the effect is even greater.&amp;nbsp; I never saw a loss less than $22 or more than $228.&amp;nbsp; If you wanted to have enough cash to cover your losses for 95% of the trips to the amusement park, you would only need to have $164.&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://mavdisk.mnsu.edu/kevin/totalloss.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="205" src="http://mavdisk.mnsu.edu/kevin/totalloss.png" width="320" 
/&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;So if you're going to be aggregating the loss from several risk simulations then the tool of choice is not a calculator, but another simulation.&amp;nbsp; The aggregate risk becomes a simulation where each of the inputs is the output of a risk scenario.&amp;nbsp; That way you can more accurately express what is probable rather than what is possible.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-3583708608264904359?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/3583708608264904359/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=3583708608264904359' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3583708608264904359'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3583708608264904359'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2011/11/aggregating-risk-scenarios-put-away.html' title='Aggregating Risk Scenarios: put away the calculator.'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-232242060111351776</id><published>2011-10-04T11:07:00.000-07:00</published><updated>2011-10-04T11:07:31.977-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='lockpicking'/><title 
type='text'>Creating a cheap progressive pin lock set</title><content type='html'>&lt;a href="http://4.bp.blogspot.com/-qdYZg0RArGQ/TosrZJUKyOI/AAAAAAAAAbI/g7Hhr3gsgB0/s1600/IMAG0003.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://4.bp.blogspot.com/-qdYZg0RArGQ/TosrZJUKyOI/AAAAAAAAAbI/g7Hhr3gsgB0/s200/IMAG0003.jpg" width="119" /&gt;&lt;/a&gt;The other day I gave a presentation to a group of information security students about why they should care about lock picking and how lock picking works.&amp;nbsp; I wanted to have some hands on material that they could try to pick, but I didn't want to spend a bunch of money buying a progressive pin lock kit.&amp;nbsp; After all, I don't talk about this very often and I don't need much experience picking a two or three pin lock.&amp;nbsp; But, if you've got some tools in your garage (or in my case a friend that has tools) you can make your own progressive pin kit on the cheap.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/-2KDvj6p-19E/TossZMNp4zI/AAAAAAAAAbQ/1_Hn9MNLbvk/s1600/IMAG0005.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://3.bp.blogspot.com/-2KDvj6p-19E/TossZMNp4zI/AAAAAAAAAbQ/1_Hn9MNLbvk/s200/IMAG0005.jpg" width="119" /&gt;&lt;/a&gt;Step one: go out and buy a set of the cheapest locks you can get your hands on.&amp;nbsp; You're going to grind them up and destroy them so don't buy expensive locks.&amp;nbsp; Also, this is for practicing simple stuff so you don't want things to get too complicated.&amp;nbsp; You can buy a set of locks that are keyed alike, but it isn't important since you're going to be picking the locks, not using the key.&amp;nbsp; There is a non-zero probability that you will really screw up the first one you try so you might consider planning for that in advance.&lt;br /&gt;&lt;br /&gt;Step two: Take an 
angle grinder to the bumps on the bottom of a lock near the keyway.&amp;nbsp; These are the pins that basically hold the whole lock together.&amp;nbsp; Here is an action shot of my friend Jeremy grinding down the pins. Try to be careful that you don't damage the keyway itself.&amp;nbsp;&lt;br /&gt;&lt;br /&gt;When you've ground those pins off, you'll probably have to do some work to get the bottom plate off of the lock.&amp;nbsp; After all, it is designed to not be broken into.&amp;nbsp; We had to take a chisel and beat at the bottom layer of steel to get it to come off.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/-7NEegyCzZmE/TossidWM0OI/AAAAAAAAAbU/XSA-Qvra1JQ/s1600/IMAG0007.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://1.bp.blogspot.com/-7NEegyCzZmE/TossidWM0OI/AAAAAAAAAbU/XSA-Qvra1JQ/s200/IMAG0007.jpg" width="119" /&gt;&lt;/a&gt;When you're done, the actual pin assembly should slide out, and you're looking at the inside of the lock where the shackle release is.&amp;nbsp; You could unlock the lock with a screwdriver right now.&lt;br /&gt;&lt;br /&gt;Here are some optional steps for cleaning things up a bit.&amp;nbsp; You might want to take a file to the sharp edges that are left of the pins you ground off.&amp;nbsp; Those are sharp and they could hurt you.&amp;nbsp; You might also want to drill the holes a bit bigger on the bottom plate that you took off in case you want to put it back on.&amp;nbsp; Hammer that sucker flat again too since it probably got a bit beat up when you were removing it.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/-pyZaG3zfA2Y/TotKVk2STPI/AAAAAAAAAbY/JDUtoeZz-3M/s1600/IMAG0011.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://1.bp.blogspot.com/-pyZaG3zfA2Y/TotKVk2STPI/AAAAAAAAAbY/JDUtoeZz-3M/s200/IMAG0011.jpg" width="119" 
/&gt;&lt;/a&gt;OK, now for the pins.&amp;nbsp; There are two approaches you could take here: the easy inflexible way or the hard flexible way.&amp;nbsp; We chose the easy way.&amp;nbsp; Put your key into the lock mechanism, and turn it 180 degrees.&amp;nbsp; In our case, the key pins fell out through holes in the bottom of the lock assembly.&amp;nbsp; So if you want to have a two pin lock, cover up two of the holes and dump the key pins from the other two holes.&amp;nbsp; Then turn the lock back to the upright position.&amp;nbsp; This will cause the driver pins to fall into the spot that the key pins were in.&amp;nbsp; Now turn the lock 180 degrees again and the driver pins will fall out.&amp;nbsp; After that, put the key in the upright position, and use a tool to sneak the springs out of the lock mechanism.&amp;nbsp; It's easy, but you can't easily rekey or change the configuration of the lock.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/-Req1HQnKUrI/TotLGj7rBDI/AAAAAAAAAbc/30Z2HKU2x-k/s1600/IMAG0014.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://2.bp.blogspot.com/-Req1HQnKUrI/TotLGj7rBDI/AAAAAAAAAbc/30Z2HKU2x-k/s200/IMAG0014.jpg" width="119" /&gt;&lt;/a&gt;The harder way is to drill out the top of the lock mechanism.&amp;nbsp; You should see four small holes at the top of the lock if you have a four pin lock.&amp;nbsp; Drill those holes bigger and you'll be able to take out the spring, driver pin, and key pin.&amp;nbsp; Then you can rekey to your hearts content and then use some black electricians tape to hold the pins in when you're done.&amp;nbsp; What if you don't know any black electricians?&amp;nbsp; Use some other kind of tape.&amp;nbsp; Now put the whole lock back together if you want or just pick away at the small lock assembly that was inside the padlock.&amp;nbsp; &lt;br /&gt;&lt;br /&gt;Fun fact: hard to believe, but the cheapest lock I could 
find had three spool pins and only one regular driver pin in it.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-232242060111351776?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/232242060111351776/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=232242060111351776' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/232242060111351776'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/232242060111351776'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2011/10/creating-cheap-progressive-pin-lock-set.html' title='Creating a cheap progressive pin lock set'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-qdYZg0RArGQ/TosrZJUKyOI/AAAAAAAAAbI/g7Hhr3gsgB0/s72-c/IMAG0003.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-2116975530672145289</id><published>2011-09-22T12:28:00.000-07:00</published><updated>2011-09-22T12:28:09.538-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='monte carlo'/><category 
scheme='http://www.blogger.com/atom/ns#' term='risk modeling'/><title type='text'>Quote of the day</title><content type='html'>I don't normally do Quote of the Day posts because I think that pretty much amounts to taking someone else's information and regurgitating it on your own blog.&amp;nbsp; That's part of the reason why my blog is so rarely updated.&amp;nbsp; I like to populate my blog with either original ideas or information that was hard to come by on the Internet before I found it.&lt;br /&gt;&lt;br /&gt;That said, I was reading a paper from the Society of Actuaries on Modern Operational Risk and there was a statement that really jumped out at me.&amp;nbsp; &lt;i&gt;&lt;b&gt;"... the top few losses from a relevant 200 company-year data set is much more valuable than even a million hard data points from one institution collected over a five year period."&lt;/b&gt;&lt;/i&gt;&amp;nbsp; That struck me because in my own treatment of risk management I have been known to favor the idea that my organization needed to collect data points and use that to create distributions.&amp;nbsp; But as the document points out, if the events that we are trying to model are independent, then ten years of data from 20 companies is roughly equivalent to 200 years of data from a single company.&amp;nbsp;&lt;br /&gt;&lt;br /&gt;I don't know if I am ready to accept that one year of data from 200 companies is of equal value, but the paper I'm reading hasn't made that assertion either.&amp;nbsp; Here is the paper if you feel like reading it.&amp;nbsp; I am really enjoying it so far.&lt;br /&gt;&lt;a href="http://www.soa.org/files/pdf/research-new-approach.pdf"&gt;&lt;cite&gt;www.soa.org/files/pdf/research-new-approach.pdf&lt;/cite&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-2116975530672145289?l=www.blackfistsecurity.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/2116975530672145289/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=2116975530672145289' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/2116975530672145289'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/2116975530672145289'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2011/09/quote-of-day.html' title='Quote of the day'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-3121607719522185904</id><published>2011-07-26T09:17:00.000-07:00</published><updated>2011-07-26T09:27:57.497-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Deadly Whisper'/><title type='text'>What is the Deadly Whisper?</title><content type='html'>I've got something going on at work today, a phenomenon which I've seen several times in my IT career.  Up until now I don't know of any name that has been given to it, so I am going to name it right now.  I call it, the Deadly Whisper.&lt;br /&gt;&lt;br /&gt;The Deadly Whisper is when you have a computer problem manifesting on a small but significant number of machines.  During the troubleshooting process, somebody says "Maybe it's {product} that's causing the problem."  
That initial whisper leads to more people saying it and eventually most people in the office are convinced that {product} is the cause of the problem.  Mind you, there is very little evidence to support this, and there may even be evidence to the contrary.  However, the system administrator is stuck trying to prove that {product} is not the cause of the problem.  Any evidence that {product} is not the cause is explained away as insignificant, but any insignificant evidence that {product} is the cause is considered unassailable proof.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-3121607719522185904?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/3121607719522185904/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=3121607719522185904' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3121607719522185904'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3121607719522185904'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2011/07/what-is-deadly-whisper.html' title='What is the Deadly Whisper?'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-621290326252770526</id><published>2011-06-13T08:16:00.001-07:00</published><updated>2011-06-13T08:22:29.732-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='passwords'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Another password dump from a big site</title><content type='html'>I saw in the news this morning that LulzSec had posted online about 26,000 passwords from a few porn sites.  &lt;a href="http://nakedsecurity.sophos.com/2011/06/12/26000-sex-website-usernames-and-passwords-exposed-by-lulzsec/"&gt;Article here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;We have seen large dumps of passwords from sites before, and I've blogged about password audits that I've done (with permission) to gauge the effectiveness of a password policy change.  And what we've seen is pretty much the same thing from every dump.  Thousands of crappy passwords, very low use of multiple character sets, short passwords, etc.&lt;br /&gt;&lt;br /&gt;But I have noticed that in all of these password dumps (except mine) we don't get any data about how many passwords were not breakable.  How likely is it that we're only seeing the passwords that fall to a dictionary attack?  
I guess I wonder if we're dragging the bottom of the ocean and concluding that the ocean is made up entirely of muck.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-621290326252770526?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/621290326252770526/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=621290326252770526' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/621290326252770526'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/621290326252770526'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2011/06/another-password-dump-from-big-site.html' title='Another password dump from a big site'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-4914434408513864526</id><published>2011-03-31T12:56:00.001-07:00</published><updated>2011-03-31T13:02:26.565-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='nbnsspoof'/><category scheme='http://www.blogger.com/atom/ns#' term='nbnspoof'/><category scheme='http://www.blogger.com/atom/ns#' term='backtrack'/><title type='text'>nbnspoof.py on BackTrack 4 R2</title><content type='html'>This morning I ran into a little bit of trouble when I decided that I wanted to play 
around with NetBIOS Name Service Spoofing on BackTrack.  I wanted to use the tool nbnspoof.py, but found that it was not included with the BackTrack distribution.&lt;br /&gt;&lt;br /&gt;So the first thing I needed to do was download the software, which was pretty simple.  You can find the link &lt;a href="http://www.mcgrewsecurity.com/tools-files/nbnspoof/nbnspoof.py"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I ran into two problems when I tried to run it.  The first was an input error.  No matter what I typed at the command line, it would display the usage() message and exit.  I had to dive into the source code a bit, but I figured out that the regular expression that you send it needs to be included in quotes. &lt;br /&gt;&lt;br /&gt;The second problem I needed a little extra help with.  After I figured out how to make the program accept my input, it would error out with: NameError: global name 'sniff' is not defined&lt;br /&gt;&lt;br /&gt;I tried many tricks to figure this one out, but ultimately my man @timmedin hooked me up with the fix.  I needed to change line 17 of the script from&lt;br /&gt;&lt;span style="font-family: courier new; font-weight: bold;"&gt;from scapy import *&lt;/span&gt;&lt;br /&gt;to&lt;br /&gt;&lt;span style="font-family: courier new; font-weight: bold;"&gt;from scapy.all import *&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;That's it.  Then it worked as expected.  
Thanks for the help, Tim.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-4914434408513864526?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/4914434408513864526/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=4914434408513864526' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4914434408513864526'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4914434408513864526'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2011/03/nbnspoofpy-on-backtrack-4-r2.html' title='nbnspoof.py on BackTrack 4 R2'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-1609493342510608344</id><published>2010-11-30T12:40:00.001-08:00</published><updated>2010-11-30T13:01:03.367-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='fde'/><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><title type='text'>An easier way for Full Disk Encryption Boot CD</title><content type='html'>Easily the most popular entry on this blog is how to create a boot CD that can read a hard drive that has been encrypted with Pointsec or FDE.  
Let me take a minute to remind you how that is done.&lt;br /&gt;&lt;br /&gt;First, we install PE Builder on a working machine.&lt;br /&gt;Then we grab the Pointsec Filter driver and put it into the plugin folder.&lt;br /&gt;Next we have to stop some Pointsec services on a machine that is running Pointsec and working.  From there we can grab a copy of a file called prot_2k.sys.  Put that file into one of the plugin folders.  Now you're ready to boot your CD.  Then, you boot the non-working machine to the hard drive, rather than the CD, and press CTRL+F10 at the logon screen to redirect into your boot disk.  Congratulations, you've created a CD that will work with just that one version of Pointsec.&lt;br /&gt;&lt;br /&gt;Thank goodness the bad old days are behind us.  Several versions ago, Check Point released the Dynamic Mount Utility and now the process of making a boot CD couldn't be (much) easier.  DMU is included with the installation media in the form of a zip file.  The zip file contains two folders.  So all you need to do is install Bart PE Builder, and copy those two folders into the plugin directory.  Point Bart at your Windows XP disk and create your ISO.  That's it.  Best of all, your new boot CD will work with any version of Pointsec or FDE (at the time of this writing).  So you don't have to keep a CD for each version of the software that is floating around your organization.&lt;br /&gt;&lt;br /&gt;Booting the CD also got quite a bit easier.  Remember I said that you used to boot to the hard drive when you wanted to use a CD?  Counterintuitive, right?  Now you boot from the CD.  When Bart comes up you can open the file management utility, but you'll notice that you can't read the C: drive; you just know that it is there.  But if you click on Go and look in programs, you'll find a new program for reading the Check Point encrypted drive.  Run that program and authenticate with valid credentials.  
Now close that application and go back to the file management utility.  Voila!  You can now read the contents of the drive.&lt;br /&gt;&lt;br /&gt;Here is a video of me making a boot CD using this method.  I also wanted to make a video of me using it in the Bart environment, but alas the Bart disk doesn't have drivers that can see my virtual hard drive on my virtual machine.  Anyone know what plugin to add?  I'm using Virtualbox here if that helps.&lt;br /&gt;&lt;a href="http://screencast.com/t/CxasDOAW"&gt;&lt;br /&gt;http://screencast.com/t/CxasDOAW&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-1609493342510608344?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/1609493342510608344/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=1609493342510608344' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1609493342510608344'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1609493342510608344'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2010/11/easier-way-for-full-disk-encryption.html' title='An easier way for Full Disk Encryption Boot CD'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-7514230320740635691</id><published>2010-10-11T19:35:00.000-07:00</published><updated>2010-10-11T19:45:32.646-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><title type='text'>What I don't like about ALE</title><content type='html'>OK, first of all I'm not going to talk about the classic CISSP ALE formula in this post.  You know the one, ALE = SLE x ARO.  What I am talking about is expressing any loss (regardless of the formula used to derive it) as an annualized value.&lt;br /&gt;&lt;br /&gt;One thing that is nice about ALE is that it gives you a way to compare and track the amount of overall risk that your organization is facing.  If your ALE is too high, then you can work to get it down below your risk tolerance.&lt;br /&gt;&lt;br /&gt;But ALE has a tendency to be reported as if it was the bill for each year.  Your ALE is $1.8 million per year, but we know that your actual losses might be zero this year.  And again the next year.  And then you can get hit with about $7 million in losses.  It would be one thing if these companies were actually going to save $1.8 million each year in an account to deal with these issues, but I doubt that is the case.  It's kind of like paying your taxes as a lump sum rather than a little bit out of 26 paychecks. 
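As an added illustration (not code from the original post), here is a short Python simulation of exactly this point: a loss process whose expected annual loss works out to about $1.8 million, next to what the individual simulated years actually look like. The event rate (0.25 per year) and the lognormal severity (median $4.4 million) are constructed parameters for the demonstration, not figures from the post.

```python
import math
import random
import statistics


def poisson_sample(rng, lam):
    """Draw one Poisson(lam) count with Knuth's method (fine for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(rate_per_year, median_severity, sigma, years, seed=1):
    """Return one simulated total loss per year.

    Constructed model (an assumption, not the post's data): the number of loss
    events in a year is Poisson(rate_per_year); the cost of each event is
    lognormal with the given median and shape parameter sigma.
    """
    rng = random.Random(seed)
    mu = math.log(median_severity)          # lognormal median == exp(mu)
    losses = []
    for _ in range(years):
        events = poisson_sample(rng, rate_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def analytic_ale(rate_per_year, median_severity, sigma):
    """Expected annual loss: event rate times the mean of a lognormal severity."""
    return rate_per_year * median_severity * math.exp(sigma ** 2 / 2)


def summarize(losses):
    """Put the ALE-style average next to what single years look like."""
    years = len(losses)
    ale = statistics.fmean(losses)          # the headline "per year" number
    return {
        "ale_estimate": ale,
        "median_year": statistics.median(losses),      # the typical year
        "fraction_zero_years": sum(1 for x in losses if x == 0) / years,
        "fraction_years_above_ale": sum(1 for x in losses if x > ale) / years,
        "worst_year": max(losses),          # the year the ALE never warned about
    }


if __name__ == "__main__":
    RATE, MEDIAN, SIGMA = 0.25, 4_400_000, 1.0       # constructed parameters
    print(f"analytic ALE: ${analytic_ale(RATE, MEDIAN, SIGMA):,.0f}")
    report = summarize(simulate_annual_losses(RATE, MEDIAN, SIGMA, 20_000))
    for key, value in report.items():
        print(f"{key}: {value:,.3f}")
```

The typical simulated year costs nothing at all, and the years that do cost something usually cost more than the ALE, which is the gap between "expected loss" and "this year's bill" described above.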
&lt;br /&gt;&lt;br /&gt;So let's all make sure that when we're talking about ALE what we're really talking about is a metric for expressing overall risk and not the expected losses for the year.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-7514230320740635691?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/7514230320740635691/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=7514230320740635691' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/7514230320740635691'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/7514230320740635691'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2010/10/what-i-dont-like-about-ale.html' title='What I don&apos;t like about ALE'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-3919816902563407602</id><published>2010-09-14T14:31:00.000-07:00</published><updated>2010-09-14T14:32:50.892-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='black fist'/><title type='text'>The Black Fist was here!</title><content type='html'>Just something funny I saw that was related to my nickname...&lt;br /&gt;&lt;br /&gt;&lt;a 
href="http://3.bp.blogspot.com/_7Avz7RosatI/TI_p5qxHCPI/AAAAAAAAAOc/i-1bZZpqSK0/s1600/jZLev.jpg"&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 300px; DISPLAY: block; HEIGHT: 400px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5516885245494233330" border="0" alt="" src="http://3.bp.blogspot.com/_7Avz7RosatI/TI_p5qxHCPI/AAAAAAAAAOc/i-1bZZpqSK0/s400/jZLev.jpg" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-3919816902563407602?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/3919816902563407602/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=3919816902563407602' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3919816902563407602'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3919816902563407602'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2010/09/black-fist-was-here.html' title='The Black Fist was here!'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_7Avz7RosatI/TI_p5qxHCPI/AAAAAAAAAOc/i-1bZZpqSK0/s72-c/jZLev.jpg' height='72' 
width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-3730041926455170036</id><published>2010-09-08T13:50:00.000-07:00</published><updated>2010-09-09T06:56:54.875-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='risk modeling'/><title type='text'>My first risk model</title><content type='html'>Hee Hee Hee!&lt;br /&gt;&lt;br /&gt;I am so happy because my boss bought me a new toy and I got a chance to use it this week. I have been pestering him to purchase me a copy of @RISK, a monte carlo tool for Excel, so that I could add more quantitative estimates into my risk analysis. And not long after buying the product something came up that required a risk analysis. So of course it fell to me to produce one. Time to see what this program can do.&lt;br /&gt;&lt;br /&gt;Our Exchange administrator would like to install Service Pack 1 on our Exchange 2010 environment and he would like to do it sooner rather than later. We're in a change freeze right now, but this has some really cool features and there is a lot of hope in the air that it will fix some bugs that have been nagging us for a while. The big boss is skittish about making a significant change to our most visible service in the first month of the new school year and would like an estimate of what could go wrong.&lt;br /&gt;&lt;br /&gt;So this is the basic methodology I am using to develop my risk analysis.&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;br /&gt;&lt;li&gt;Identify potential risks.&lt;/li&gt;&lt;li&gt;Create estimates of the likelihood of each risk being realized and the impact that it will have. Use expert opinions in this part and any secondary research that you can get your hands on. 
Decide on the probability density function for each unknown and correlate wherever it makes sense.&lt;/li&gt;&lt;li&gt;Run the Monte Carlo simulation.&lt;/li&gt;&lt;/ol&gt;However, since I'm a good disciple of Douglas Hubbard and have read &lt;em&gt;The Failure of Risk Management&lt;/em&gt;, I added a few extra steps.&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li value="4"&gt;Document the predictions made and compare to real life if possible. Adjust and use these numbers in other forecasts.&lt;/li&gt;&lt;li value="5"&gt;Put the model out there on the Internet for other people to tear apart because "All models are wrong, some models are useful" (George Box).&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;strong&gt;Identify potential risks&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;I talked with the Exchange administrator and some other system admins and we identified this list of things that were reasonably possible.&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Complete failure of multiple Client Access Servers (CAS) causes performance problems for the end users.&lt;/li&gt;&lt;li&gt;Misconfiguration of CAS servers causes minor problems with mail flow or intermittent user access problems.&lt;/li&gt;&lt;li&gt;Complete failure of multiple database servers causes some users' mailboxes to be unavailable.&lt;/li&gt;&lt;li&gt;Failure of a single database server causes minor performance problems for some users.&lt;/li&gt;&lt;li&gt;Corruption of a database causes the service to be unavailable for some number of users.&lt;/li&gt;&lt;li&gt;Project could introduce new bugs that break interoperability with existing services.&lt;/li&gt;&lt;li&gt;Project could introduce changes to the user interface that frustrate users and result in increased calls to the help desk.&lt;/li&gt;&lt;li&gt;Project could introduce new features that users want to know more about, resulting in increased calls to the help desk.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;strong&gt;Create estimates of likelihood and 
impact&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;I'm using @RISK 5.5 for this part, and it makes things pretty slick in this department. Let's look at one of the risks identified, that multiple CAS servers could completely fail causing performance problems. In our case we have four of these servers, and each one absorbs between 10% and 30% of the client load. Our Exchange administrator feels that taking less than a 25% performance hit will not be noticed by the users. &lt;/p&gt;&lt;p&gt;Our Exchange administrator feels that there is a 1% chance that a server will completely fail after the service pack is installed. I doubled that number because I have read a lot of the research about how overconfident people are. &lt;a href="http://3.bp.blogspot.com/_7Avz7RosatI/TIf-8e5IHAI/AAAAAAAAAN8/b_i0c-M-e6A/s1600/pert1.jpg"&gt;&lt;img style="MARGIN: 0px 0px 10px 10px; WIDTH: 200px; FLOAT: right; HEIGHT: 132px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5514656583776738306" border="0" alt="" src="http://3.bp.blogspot.com/_7Avz7RosatI/TIf-8e5IHAI/AAAAAAAAAN8/b_i0c-M-e6A/s200/pert1.jpg" /&gt;&lt;/a&gt;This is the first variable in the model: how likely is a server to fail. So I set up my spreadsheet with four rows (one for each server) and a column with a binomial distribution that would return zero all but 2% of the time. Next up was the impact that each would have on performance. We decided that the impact was no less than 10%, no more than 30% and probably 25%. So I used a PERT distribution, which is a form of a normal distribution. It looks like this...&lt;/p&gt;&lt;p&gt;One of the most powerful features of @RISK is the ability to correlate variables. I said that there was a 2% chance that a server will fail. But if the first server fails, is it likely that there is still only a 2% chance that the next server will fail? So I put a .75 correlation on these variables. 
Meaning that if one of the servers fails, the others are much more likely to fail as well.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Run the Simulation&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Here are a couple of images of the spreadsheet setup. The zeros in the first picture are where the random variables get calculated. The second picture shows what the distributions look like.&lt;/p&gt;&lt;a href="http://4.bp.blogspot.com/_7Avz7RosatI/TIgGKraTUDI/AAAAAAAAAOM/i8Vud8hevaw/s1600/model1.JPG"&gt;&lt;img style="WIDTH: 200px; HEIGHT: 40px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5514664524236673074" border="0" alt="" src="http://4.bp.blogspot.com/_7Avz7RosatI/TIgGKraTUDI/AAAAAAAAAOM/i8Vud8hevaw/s200/model1.JPG" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;p&gt;&lt;a href="http://2.bp.blogspot.com/_7Avz7RosatI/TIgGb9S4aiI/AAAAAAAAAOU/Zr6Nqgtxdiw/s1600/model2.JPG"&gt;&lt;img style="WIDTH: 200px; HEIGHT: 36px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5514664821095164450" border="0" alt="" src="http://2.bp.blogspot.com/_7Avz7RosatI/TIgGb9S4aiI/AAAAAAAAAOU/Zr6Nqgtxdiw/s200/model2.JPG" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p&gt;So the model will calculate a random value within that PERT distribution for each server on each iteration. Then to get the total downtime that we actually realized, I multiplied the impact by the one or zero returned from the binomial distribution. If the server didn't go down, then there was no impact. The total impact was summed up and the simulation was run.&lt;/p&gt;&lt;a href="http://3.bp.blogspot.com/_7Avz7RosatI/TIgBAElwTjI/AAAAAAAAAOE/rCH2ywOxQVU/s1600/impact.jpg"&gt;&lt;img style="TEXT-ALIGN: center; MARGIN: 0px auto 10px; WIDTH: 200px; DISPLAY: block; HEIGHT: 115px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5514658844458896946" border="0" alt="" src="http://3.bp.blogspot.com/_7Avz7RosatI/TIgBAElwTjI/AAAAAAAAAOE/rCH2ywOxQVU/s200/impact.jpg" /&gt;&lt;/a&gt; As you can see, in 92% of the simulations there was no impact on performance at all. 
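An added example, not the post's own @RISK spreadsheet: the CAS-failure model above rebuilt in plain Python so the steps (binomial failure per server, PERT impact, correlation, summed impact) can be read and re-run without Excel. It keeps the post's numbers (four servers, 2% failure chance each, PERT impact of 10%/25%/30%, 0.75 correlation, 25% tolerable hit); the one assumption is how the correlation is applied: a one-factor Gaussian copula on the failure flags stands in for @RISK's rank correlation, so the resulting percentages are close to, not identical to, the spreadsheet's.

```python
import random
from statistics import NormalDist


def pert_sample(rng, low, mode, high):
    """PERT(low, mode, high): a Beta(alpha, beta) draw stretched onto [low, high]."""
    span = high - low
    alpha = 1 + 4 * (mode - low) / span
    beta = 1 + 4 * (high - mode) / span
    return low + span * rng.betavariate(alpha, beta)


def pert_summary(n, low, mode, high, seed=1):
    """Sample the PERT n times and return (min, max, mean) as a sanity check."""
    rng = random.Random(seed)
    xs = [pert_sample(rng, low, mode, high) for _ in range(n)]
    return min(xs), max(xs), sum(xs) / n


def correlated_failures(rng, n_servers, p_fail, rho):
    """Return 0/1 failure flags, one per server.

    Each flag has marginal P(fail) = p_fail, like the sheet's binomial cells.
    Failures are tied together by a one-factor Gaussian copula (an assumption
    standing in for @RISK's rank correlation): latent z_i is
    sqrt(rho) * common + sqrt(1 - rho) * own, so any two latents correlate at rho.
    """
    threshold = NormalDist().inv_cdf(p_fail)   # z below this => the server failed
    common = rng.gauss(0.0, 1.0)
    flags = []
    for _ in range(n_servers):
        z = (rho ** 0.5) * common + ((1 - rho) ** 0.5) * rng.gauss(0.0, 1.0)
        flags.append(1 if z < threshold else 0)
    return flags


def simulate(iterations=20_000, n_servers=4, p_fail=0.02, rho=0.75,
             impact=(0.10, 0.25, 0.30), tolerable=0.25, seed=7):
    """Run the model; return (P(no impact at all), P(total impact < tolerable))."""
    rng = random.Random(seed)
    no_impact = 0
    below_tolerable = 0
    for _ in range(iterations):
        flags = correlated_failures(rng, n_servers, p_fail, rho)
        # a server's performance hit only counts if its flag is 1, as in the sheet
        total = sum(flag * pert_sample(rng, *impact) for flag in flags)
        if total == 0:
            no_impact += 1
        if total < tolerable:
            below_tolerable += 1
    return no_impact / iterations, below_tolerable / iterations


if __name__ == "__main__":
    p_none, p_ok = simulate()
    print(f"correlated failures: no impact in {p_none:.1%} of runs, "
          f"hit under 25% in {p_ok:.1%}")
    p_none_ind, p_ok_ind = simulate(rho=0.0)
    print(f"independent failures: no impact in {p_none_ind:.1%} of runs, "
          f"hit under 25% in {p_ok_ind:.1%}")
```

Running it with rho=0.0 as well shows what the correlation buys: clustered failures make the "nothing happened" outcome more likely but the bad runs worse, which is the whole reason to correlate rather than treat each server as an independent coin flip.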
In 96.9% of the simulations the impact was less than the 25% which our Exchange administrator said would be unnoticed by the user.&lt;br /&gt;&lt;p&gt;&lt;strong&gt;Follow up&lt;/strong&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;This was the first serious risk model I've created, so I expect it to be rife with problems, but I'm still kind of proud of it. I don't want this blog post to go on forever so I won't go into the details of all the other risks that were modeled, but I might write some follow up entries. I'd love to get some ideas on how to improve my risk model and how to identify additional risks that need to be taken into consideration, so feel free to drop in some comments.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-3730041926455170036?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/3730041926455170036/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=3730041926455170036' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3730041926455170036'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3730041926455170036'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2010/09/my-first-risk-model.html' title='My first risk model'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><media:thumbnail 
xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_7Avz7RosatI/TIf-8e5IHAI/AAAAAAAAAN8/b_i0c-M-e6A/s72-c/pert1.jpg' height='72' width='72'/><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-8865540423339824244</id><published>2010-08-25T06:39:00.000-07:00</published><updated>2010-08-25T08:02:24.765-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='statistics'/><category scheme='http://www.blogger.com/atom/ns#' term='metrics'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='New School'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>I Love Boobies and Information Security</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_7Avz7RosatI/THUfiO1_A7I/AAAAAAAAANc/iuhyP8e5Q1I/s1600/ilb2"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 224px; height: 224px;" src="http://3.bp.blogspot.com/_7Avz7RosatI/THUfiO1_A7I/AAAAAAAAANc/iuhyP8e5Q1I/s320/ilb2" alt="" id="BLOGGER_PHOTO_ID_5509344392118207410" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;If you work in Information Security, or any form of security for that matter, you're probably used to noticing things.  Maybe we just pay a little more attention to the details around us.  And if you're working on a college campus, maybe you've noticed the number of people wearing bracelets that say "I love boobies" or "I heart boobies."&lt;br /&gt;&lt;br /&gt;Turns out that it is part of a breast cancer awareness campaign and it seems to be quite effective.  How effective?  So much so that one day while working up in my office I saw three customers in a row come in with the bracelet on.  It seemed so rare to me that I asked one of them why there were so many people with the bracelet on.  
Interestingly, she didn't know of any organized campaign to get people to wear the bracelets and didn't realize that so many people were.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_7Avz7RosatI/THUfbgIGydI/AAAAAAAAANU/V5oaF87AFSQ/s1600/ilb"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 259px; height: 194px;" src="http://4.bp.blogspot.com/_7Avz7RosatI/THUfbgIGydI/AAAAAAAAANU/V5oaF87AFSQ/s320/ilb" alt="" id="BLOGGER_PHOTO_ID_5509344276498532818" border="0" /&gt;&lt;/a&gt;So I decided I should take a moment to figure out how many of our female students on campus are wearing these bracelets.  Male students are kind of irrelevant because breast cancer isn't a major concern for them and they probably love boobies for reasons not associated with cancer.  So I wanted to know what percentage of female students on campus are wearing this particular kind of bracelet.&lt;br /&gt;&lt;br /&gt;This is where reading Douglas Hubbard's book on How to Measure Anything comes in handy.  There are some people who would instantly tell me that I won't know unless I take a census of the female students on campus or at least survey about 1000 of them.  But since I've read Hubbard's book I know that I don't need as much information or precision as my gut first tells me.  I also know that the best way to measure something is to go out and do it.&lt;br /&gt;&lt;br /&gt;So I walked out the door of my building and counted 30 female students at random as I walked from one building to another.  If I was able to get close enough to a woman to observe both of her wrists then she was counted, otherwise not.  Out of 30, I saw one girl wearing such a bracelet.  
This very simple observation is enough to tell me that I can be 90% confident that the percentage of female students on campus wearing such a bracelet is between 8% and one one-thousandth of a percent (one observation divided by 7817 female students).  I actually decided that I wanted to have more precision so I made a few more observations whenever I had to walk from one building to another.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_7Avz7RosatI/THUsTXlQAyI/AAAAAAAAANs/AJWF0mRUEgA/s1600/ilb4.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 133px;" src="http://1.bp.blogspot.com/_7Avz7RosatI/THUsTXlQAyI/AAAAAAAAANs/AJWF0mRUEgA/s320/ilb4.png" alt="" id="BLOGGER_PHOTO_ID_5509358430417060642" border="0" /&gt;&lt;/a&gt;So there you have it.  With a few really simple observations my uncertainty about the number of female students with this bracelet on has been reduced and I can express the measurement as a number.  If someone were to ask me, I could say that between one and five percent of the female students on my campus are wearing the bracelet.  If the people behind the bracelet were hoping to have ten percent of college girls wearing them then without spending any money or any tremendous amount of time I could tell them that it is unlikely that they met their goal.  If the goal was 3% I could tell them that they are close but that additional study is necessary to get a better answer.&lt;br /&gt;&lt;br /&gt;So what does this have to do with Information Security?  Mostly it's just a demonstration that it isn't hard to measure things when you deconstruct the problem and measure it.  If we wanted to measure the effectiveness of the I heart boobies bracelets, we have to deconstruct it to find out what the observable characteristics are.  In this case, the number of students wearing the bracelet.  
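As an added example that is not part of the original post, here is that reduce-the-uncertainty step in Python: a 90% interval for the proportion, updated walk by walk, plus the goal check the post makes at the end. The interval method is an assumption (a Beta posterior with a uniform prior, sampled by Monte Carlo from the standard library; the post does not say how it reached its 8% bound, so the figures here are the example's own), the walks after the first 30 observations are constructed, and the 7817 figure is the post's. The same function applies unchanged to a count of unlocked workstations or phishing-test responders.

```python
import random

POPULATION = 7817     # female students on campus, the figure given in the post
CONFIDENCE = 0.90     # the post reports 90% confidence intervals


def proportion_interval(hits, n, population=None, confidence=CONFIDENCE,
                        draws=20000, seed=2010):
    """Interval for the true proportion after seeing `hits` in `n` observations.

    Assumption (the post does not state its method): a Beta(1 + hits, 1 + n - hits)
    posterior, i.e. a uniform prior on the proportion, approximated with draws
    from random.betavariate so nothing outside the standard library is needed.
    With a population size the lower bound never drops below the people actually
    seen, which is the post's one-in-7817 floor.
    """
    if hits > n:
        raise ValueError("hits cannot exceed observations")
    rng = random.Random(seed)
    samples = sorted(rng.betavariate(1 + hits, 1 + n - hits) for _ in range(draws))
    tail = (1 - confidence) / 2
    lo = samples[int(tail * draws)]
    hi = samples[int((1 - tail) * draws) - 1]
    if population:
        lo = max(lo, hits / population)
    return lo, hi


def judge_goal(goal, lo, hi):
    """Turn an interval into the answer the post gives a campaign owner."""
    if goal > hi:
        return "unlikely the goal was met"
    if lo > goal:
        return "goal very likely exceeded"
    return "close; additional study needed"


def sequential_update(walks, population=None):
    """Fold successive walks of (observations, hits) into a running interval.

    Returns one (total_n, total_hits, lo, hi) tuple per walk so the narrowing
    of the interval is visible as observations accumulate.
    """
    total_n = total_hits = 0
    history = []
    for n, hits in walks:
        total_n += n
        total_hits += hits
        lo, hi = proportion_interval(total_hits, total_n, population)
        history.append((total_n, total_hits, lo, hi))
    return history


if __name__ == "__main__":
    # The first walk is the post's own count (30 seen, one bracelet); the later
    # walks are constructed stand-ins for the extra observations it mentions.
    walks = [(30, 1), (45, 2), (60, 1), (80, 3)]
    history = sequential_update(walks, POPULATION)
    for total_n, total_hits, lo, hi in history:
        print(f"after {total_n:3d} observations ({total_hits} bracelets): "
              f"{lo:6.2%} to {hi:6.2%}")
    _, _, lo, hi = history[-1]
    for goal in (0.10, 0.03):
        print(f"goal {goal:.0%}: {judge_goal(goal, lo, hi)}")
```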
So what if you wanted to measure the effectiveness of your information security awareness program?&lt;br /&gt;&lt;br /&gt;First, you have to deconstruct it down to the observable characteristics.  If you want to know whether it worked or not, what might you see?  One idea that jumps into my head is that the number of unattended workstations left unlocked might go down.  Sweet.  I can observe that, and using the same technique that I used to measure boobie lovers on campus I can get an idea of what percentage of office computers are left unlocked.  Or you could send a phishing email to several randomly selected people and count how many answer it.  Take before and after measurements and see if there is a noticeable improvement in the numbers.&lt;br /&gt;&lt;br /&gt;So what can boobies tell us about Information Security?  You can have a lot of fun looking at and measuring things you can't touch.</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/8865540423339824244/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=8865540423339824244' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/8865540423339824244'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/8865540423339824244'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2010/08/i-love-boobies-and-information-security.html' title='I Love Boobies and Information Security'/><author><name>kevin 
thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_7Avz7RosatI/THUfiO1_A7I/AAAAAAAAANc/iuhyP8e5Q1I/s72-c/ilb2' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-2458465911055786821</id><published>2010-08-19T12:28:00.000-07:00</published><updated>2010-08-19T12:52:12.903-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='change management'/><title type='text'>Change Management Metrics</title><content type='html'>What are some good Change Management metrics, and what kind of stats should we be keeping about the changes that go on in our organizations?  Now I understand that most of my brothers and sisters in higher ed IT don't have any change management process to speak of so this question may be moot.  But this is a question that also extends outside of higher ed and affects anyone that has a change management process in place.  I am going to make two bold statements right now without any evidence to back them up.&lt;br /&gt;1. You don't know how effective something is unless you can measure it.&lt;br /&gt;2. Most (more than 50%) of organizations with change management processes are not attempting to measure its effectiveness.&lt;br /&gt;&lt;br /&gt;So what are some of the metrics we could be using to measure the effectiveness of our change management processes?  One metric that I have introduced to our change tickets is dysfunction.  For each change that comes through I look for whether or not the change is dysfunctional and in what way.  Here are the classifications of dysfunctional change that I use.&lt;br /&gt;&lt;br /&gt;1. 
Not dysfunctional.  We would like for almost all of our changes to have this classification.&lt;br /&gt;&lt;br /&gt;2. Acceptable dysfunction (legitimate emergency change).  We know that sometimes emergencies come up and while we want to keep them few and far between, we have to accept that they happen.&lt;br /&gt;&lt;br /&gt;3. Non-emergency reported after the fact.  This actually comprises about a third of the changes that I see in my organization.  In this case an administrator makes a change to some system and doesn't bother telling anyone.  Then at the next CM meeting he says "Oh yeah, I did this other thing last week.  Make sure that gets into the bulletin."&lt;br /&gt;&lt;br /&gt;4. Zero or short notice.  After all, you can't really plan for a change if it's going to happen tomorrow.  Other people definitely can't prepare for your change if you're only telling them now about something you're going to do in five minutes.  This might make up about a third of the changes that I see in my organization.&lt;br /&gt;&lt;br /&gt;5. Overly wide date range.  This is probably another 25% of the changes that I see.  An administrator says that he has to make updates to the VMware Tools software on our virtual servers and he's going to do that sometime next week.  If this change causes a negative interaction we won't be able to pinpoint it right away since we only have a vague idea when this is going to happen at all.&lt;br /&gt;&lt;br /&gt;6. Inaccurate description of change.  I'm going to reboot the firewall.  And by reboot the firewall I mean update the firmware and clean up the rule set a bit.&lt;br /&gt;&lt;br /&gt;There are some others that I haven't added but probably should be classes of dysfunctional change such as the hidden change where an administrator changes a service and never tells anyone until something goes wrong and then owns up to it.  It is similar to an after-the-fact change but is more severe since someone else had to discover it first.  
Another one that is worth keeping track of is changes that were done late.  The whole point of putting a change on the calendar is so that everyone will know why things went to hell.  So if you make your change two days later it is the same as doing the change and not telling anyone.  Nobody will suspect that your change is to blame when we all think that it went off without a hitch two days ago.&lt;br /&gt;&lt;br /&gt;Why track these levels of dysfunction?  Because I think you can use the ratio of dysfunctional changes to not dysfunctional changes as a way of comparing CM's effectiveness from one quarter to the next or from one organization to the next.  This is also a way of measuring the overall maturity of an organization's CM process and possibly even the IT department as a whole.  If an organization has 10% dysfunctional changes compared to another org that has 80% dysfunctional changes then I think we could agree that organization one has a more effective CM process.&lt;br /&gt;&lt;br /&gt;What else do I like to record?  I like to make people enter how much risk they place on each change they are proposing and how much impact the risk will cause.  I don't have this in place yet, but I'd like to be able to track how many of our changes go sour and what the impact was.  That way I can look back over a year's worth of data and find out how accurate our guesses are.  When we say that a change is low risk, how often do we end up with a negative interaction?  20%?  25%?  What does it say when only 10% of our high risk changes go badly but 25% of our low risk changes have issues?  How often do we have major outages when we estimated a low risk?  These numbers also reveal quite a bit about the effectiveness of our change management program.  One of the reasons we have change management is so that our managers can assess the risks involved in the work we're doing and hopefully approve only the changes with a reasonable risk/reward ratio.  
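An added example, not the post's own tooling: a script that applies the classifications above to change tickets from their timestamps and then produces the two numbers the post wants, the dysfunctional share and the observed failure rate per declared risk level. The tickets and the cut-offs (under one day's notice is short notice, a planned window wider than two days is overly wide) are assumptions, since the post gives no exact thresholds; the inaccurate-description class is left to a human reviewer.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Cut-offs are assumptions; the post only says "tomorrow" and "sometime next week".
SHORT_NOTICE = timedelta(days=1)
WIDE_WINDOW = timedelta(days=2)

NOT_DYSFUNCTIONAL = "1 not dysfunctional"
ACCEPTABLE_EMERGENCY = "2 acceptable dysfunction (legitimate emergency)"
AFTER_THE_FACT = "3 non-emergency reported after the fact"
SHORT_NOTICE_CHANGE = "4 zero or short notice"
OVERLY_WIDE = "5 overly wide date range"
LATE = "done late (the extra class the post suggests tracking)"


@dataclass
class Change:
    ticket: str
    reported_at: datetime      # when change management first heard of it
    window_start: datetime     # earliest planned start
    window_end: datetime       # latest planned finish
    performed_at: datetime     # when it was actually done
    emergency: bool            # declared a legitimate emergency
    declared_risk: str         # "low", "medium" or "high" from the submitter
    went_sour: bool            # a negative interaction followed


def classify(change):
    """Assign one dysfunction class from the timestamps; first matching rule wins.

    Class 6 (inaccurate description) cannot be read off timestamps and stays
    with the human reviewer.
    """
    if change.reported_at > change.performed_at:
        return ACCEPTABLE_EMERGENCY if change.emergency else AFTER_THE_FACT
    if change.performed_at > change.window_end:
        return LATE
    if SHORT_NOTICE > change.window_start - change.reported_at:
        return SHORT_NOTICE_CHANGE
    if change.window_end - change.window_start > WIDE_WINDOW:
        return OVERLY_WIDE
    return NOT_DYSFUNCTIONAL


def dysfunction_ratio(changes):
    """Share of changes in any class other than 'not dysfunctional'."""
    if not changes:
        return 0.0
    bad = sum(1 for c in changes if classify(c) != NOT_DYSFUNCTIONAL)
    return bad / len(changes)


def risk_calibration(changes):
    """Observed failure rate per declared risk level: {risk: (n, sour, rate)}.

    A low-risk row with a higher rate than the high-risk row is the
    overconfidence the post warns about.
    """
    per_level = defaultdict(lambda: [0, 0])
    for c in changes:
        per_level[c.declared_risk][0] += 1
        per_level[c.declared_risk][1] += int(c.went_sour)
    return {risk: (n, sour, sour / n) for risk, (n, sour) in per_level.items()}


def _t(day, hour=9):
    """Constructed timestamp in March 2010."""
    return datetime(2010, 3, day, hour)


# Constructed sample tickets, one per class plus a clean one; none are real.
SAMPLE = [
    Change("CHG-1", _t(1), _t(8), _t(8, 12), _t(8, 10), False, "low", False),
    Change("CHG-2", _t(5), _t(3), _t(3, 10), _t(3, 9), False, "low", True),
    Change("CHG-3", _t(5), _t(3), _t(3, 10), _t(3, 9), True, "high", False),
    Change("CHG-4", _t(2), _t(2, 14), _t(2, 15), _t(2, 14), False, "low", True),
    Change("CHG-5", _t(1), _t(8), _t(12), _t(10), False, "medium", False),
    Change("CHG-6", _t(1), _t(8), _t(8, 12), _t(10), False, "high", True),
]

if __name__ == "__main__":
    for change in SAMPLE:
        print(f"{change.ticket}: {classify(change)}")
    print(f"dysfunctional share: {dysfunction_ratio(SAMPLE):.0%}")
    for risk, (n, sour, rate) in sorted(risk_calibration(SAMPLE).items()):
        print(f"declared {risk:6s}: {sour}/{n} went sour ({rate:.0%})")
```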
But if we're overconfident in our risk or impact estimates then our managers can't make well-informed decisions.  So we need to know if this is a problem for us.&lt;br /&gt;&lt;br /&gt;I am not mean enough to do this, but I'd like to use these numbers to put a credit rating on system administrators so that when somebody proposes doing something I can get an idea of how much I need to scrutinize the proposal.  What do you know, that's actually managing changes rather than just keeping a log and asking people to report them.  If you're not taking these steps then you're probably in the business of change notification rather than change management.  I'm not looking down on you, I'm right there with you...for now.&lt;br /&gt;&lt;br /&gt;So what are some other metrics for measuring the effectiveness of change management?</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/2458465911055786821/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=2458465911055786821' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/2458465911055786821'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/2458465911055786821'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2010/08/change-management-metrics.html' title='Change Management Metrics'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-6571858005467339054</id><published>2010-07-13T13:29:00.000-07:00</published><updated>2010-07-13T13:44:54.901-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='passwords'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Writing down passwords - yes I am OK with that</title><content type='html'>&lt;div&gt;The other day I read this article on Threatpost.com:&lt;br /&gt;&lt;a href="http://threatpost.com/en_us/blogs/why-you-should-write-down-your-passwords-070610"&gt;http://threatpost.com/en_us/blogs/why-you-should-write-down-your-passwords-070610&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;The article is making the case that in these times people have so many passwords that we can't reasonably expect them to remember them all. It also makes the case that malware is so pervasive that we can't expect passwords to be secure even in password management software like Keepass. &lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;There are things that I like about this article, and things that I don't like about it. The main thing I don't like is that there are a lot of statistics thrown about without a whiff of citation. On the other hand, the advice is sound, and something I have been recommending &lt;strong&gt;as one way&lt;/strong&gt; of remembering passwords.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;Yes, I agree that we're probably safer if people can just remember their password, and that's why I advocate that users select pass phrases that are easy to remember, but difficult to crack. For a while my password was 'My password is awesome!' Tell me that you can't remember that. 
But some people just aren't going to do that, so the next best alternative is to write it down.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://2.bp.blogspot.com/_7Avz7RosatI/TDzP_Xv-jXI/AAAAAAAAANM/JrVW577_6kg/s1600/p_00122.jpg"&gt;&lt;img style="MARGIN: 0px 10px 10px 0px; WIDTH: 240px; FLOAT: left; HEIGHT: 320px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5493494333099117938" border="0" alt="" src="http://2.bp.blogspot.com/_7Avz7RosatI/TDzP_Xv-jXI/AAAAAAAAANM/JrVW577_6kg/s320/p_00122.jpg" /&gt;&lt;/a&gt;See, to me, it seems that it doesn't matter so much if you write down your password. What matters is where you keep it. Working in higher ed, you have to be pragmatic and realistic in the advice that you provide and the audience you're dealing with. Let's face it, PhDs are really well educated in a single topic and seem unable to learn anything else. So trying to teach them to remember all their passwords is a fool's errand. Shame seems to work much more effectively. So try shaming them into realizing that they're not the first person to think of hiding their password under their mouse pad. &lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;What I tell people is that if you keep your password in your wallet, then someone would have to steal your wallet to get your password. You're very likely to realize that your wallet is missing shortly after it disappears. You're very unlikely to notice if I lift up your keyboard and copy down your password. It also seems unlikely that I can steal your wallet, write down your password, and return your wallet. Possible yes; but unlikely.&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;This is an actual photo from my office by the way.  
No, it's not my machine.&lt;/div&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/6571858005467339054/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=6571858005467339054' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/6571858005467339054'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/6571858005467339054'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2010/07/writing-down-passwords-yes-i-am-ok-with.html' title='Writing down passwords - yes I am OK with that'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_7Avz7RosatI/TDzP_Xv-jXI/AAAAAAAAANM/JrVW577_6kg/s72-c/p_00122.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-2636443717773644500</id><published>2010-07-09T06:42:00.000-07:00</published><updated>2011-09-22T12:30:26.395-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='information'/><category scheme='http://www.blogger.com/atom/ns#' term='SCCM'/><title type='text'>SCCM: Advertise Task Sequence without notifying 
users</title><content type='html'>Hey, I love professors as much as the next Information Security guy working for a University, but sometimes they do silly things.  When we first started using Microsoft System Center Configuration Manager (SCCM) to manage our machines we encountered one of those silly things.  We had created an Operating System Deployment (OSD) task sequence and advertised it to a collection of computers.  When the advertisement went out, a small bubble notification showed up on people's computers telling them that software was available.  One of our professors clicked on that and saw our OSD task sequence.  The professor then proceeded to ignore all the warnings about lost data and ran the task sequence.  He was shocked when his computer rebooted itself and reinstalled everything.&lt;br /&gt;&lt;br /&gt;Our response to this was to turn off program notification across the board to make sure this didn't happen again.  That of course created other problems when we actually WANTED to notify users about programs or restart options.&lt;br /&gt;&lt;br /&gt;But now after scouring the Internet, a solution has presented itself.  And since it took me more than 15 minutes to find it, I feel obligated to put the answer on my blog for others to see.  So here is how you can advertise a task sequence to all your computers without bubbles showing up and without risk of the users running the task sequence from Run Advertised Programs.&lt;br /&gt;&lt;br /&gt;Step 1, create your task sequence and save it.  Then right-click on the task sequence and go to Properties.  On the advanced tab, select the options so that the task sequence can only run on some flavor of operating system that you're not planning to deploy.  Since we only use task sequences to push Windows 7 and Windows XP, I selected Windows Server 2003 64 bit. &lt;br /&gt;&lt;br /&gt;Step 2, advertise your task sequence to collections that are full of end user workstations.  
The machines will get the advertisement and reject it because they aren't running Windows Server 2003 64 bit.&lt;br /&gt;&lt;br /&gt;The magic that makes this work is that when you use PXE to boot your machines or if you use boot media to start your task sequence, it ignores the operating system settings we chose in step one.  Thus you can PXE boot a machine and see the OSD task sequences, but you don't have to worry about end users accidentally running one of them from Run Advertised Programs.</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/2636443717773644500/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=2636443717773644500' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/2636443717773644500'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/2636443717773644500'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2010/07/sccm-advertise-task-sequence-without.html' title='SCCM: Advertise Task Sequence without notifying users'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-349351217408938894</id><published>2010-06-28T14:35:00.001-07:00</published><updated>2010-06-28T15:00:34.557-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='metrics'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='New School'/><category scheme='http://www.blogger.com/atom/ns#' term='Book Review'/><title type='text'>Book Review - The Failure of Risk Management</title><content type='html'>Today I finished reading The Failure of Risk Management by Douglas Hubbard (ISBN: 978-0-470-38795-5).  The book comes in at 259 pages plus an appendix.  Overall I found it to be an excellent read.&lt;br /&gt;&lt;br /&gt;I should start by saying that I have been a disciple of Hubbard since reading his other book, How to Measure Anything (ISBN: 978-0470110126).  In that book Hubbard talks about the variety of things that we just can't measure and then talks about how to measure them.  There are a couple of themes that need to be taken away from that book, most important of which is that a measurement is ANYTHING that reduces your uncertainty about something.  When you measure length with a ruler you learn that the length of an item is really close to 4 and 3/16 inches, but you could always be more precise.  Usually you don't need to.  The problem that most of us face when measuring immeasurables is that we can't wrap our heads around the idea that we don't need the same level of precision as we get from a ruler or thermometer.&lt;br /&gt;&lt;br /&gt;The Failure of Risk Management takes many of the concepts from How to Measure Anything and applies them to Risk Management.  
One nice aspect of the book is that it doesn't focus on financial risk or information security risk, or product failure risk.  It's just risk, across the board.  There is a lot of repeated information in the two books, but I think that How to Measure Anything is more of a practical guide while Failure of Risk Management is more of an explanation of why we should do the stuff he talks about in How to Measure Anything.  &lt;br /&gt;&lt;br /&gt;The two books are very good companions to each other and I would recommend that security managers read them both if they really want to see our profession become more than soothsaying and water witching.  I think if you're dealing with someone who does not yet believe that Risk Management needs to be quantitative and backed up by experiments and scientific skepticism then they should start with the Failure of Risk Management.   On the other hand, if you think we should become more quantitative but think it's too hard then you should start with How to Measure Anything.  That will make the challenge seem less difficult.  Follow up with the Failure of Risk Management to learn why the way we're currently doing things (heat maps, low/med/high charts) is flawed.&lt;br /&gt;&lt;br /&gt;Just like the other book, the Failure of Risk Management throws just enough math at you to be interesting without making you feel like you're sinking.  I'll be honest, if you try to read this in two or three long sittings you'll probably become fatigued by some of the math.  Take it slowly, especially near the end of the book unless you're already pretty strong with statistics.  Having said that, anyone that can follow college algebra should be able to keep up with the most difficult parts of the book.  
Don't be afraid, jump in.&lt;br /&gt;&lt;br /&gt;I enjoyed the book; I give it five stars.</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/349351217408938894/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=349351217408938894' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/349351217408938894'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/349351217408938894'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2010/06/blog-post.html' title='Book Review - The Failure of Risk Management'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-3059766333616541627</id><published>2010-06-10T06:46:00.000-07:00</published><updated>2010-06-10T06:50:58.040-07:00</updated><title type='text'></title><content type='html'>I was watching Robot Chicken the other night and I saw this clip.  
I thought it was pretty funny, but the ending (1:19) really reminded me of several groups in IT Security.&lt;br /&gt;&lt;br /&gt;Those people at the end could be security auditors who are unreasonable about compensating controls.&lt;br /&gt;&lt;br /&gt;Those people at the end could be people that adhere to checklist security.&lt;br /&gt;&lt;br /&gt;Those people at the end could be the doom and gloom types that won't accept any level of risk and demand ever-more-elaborate ways to stop even the strangest of attacks.&lt;br /&gt;&lt;br /&gt;Regardless of who you think they are, enjoy 1 minute and 22 seconds of bathroom humor.&lt;br /&gt;&lt;br /&gt;&lt;object type="application/x-shockwave-flash" width="425" height="350" data="http://i.adultswim.com/adultswim/video2/tools/swf/viralplayer.swf"&gt;&lt;param name="allowFullScreen" value="true" /&gt;&lt;param name="movie" value="http://i.adultswim.com/adultswim/video2/tools/swf/viralplayer.swf"/&gt;&lt;param name="FlashVars" value="id=8a2505951e5ec5d3011e5ffaa5580069" /&gt;&lt;embed src="http://i.adultswim.com/adultswim/video2/tools/swf/viralplayer.swf" type="application/x-shockwave-flash" FlashVars="id=8a2505951e5ec5d3011e5ffaa5580069" allowFullScreen="true" width="425" height="350"&gt;&lt;/embed&gt;&lt;/object&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/3059766333616541627/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=3059766333616541627' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3059766333616541627'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3059766333616541627'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2010/06/i-was-watching-robot-chicken-other.html' title=''/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-1269904050174326855</id><published>2010-06-09T07:11:00.000-07:00</published><updated>2010-06-09T07:12:39.848-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><title type='text'>OGEC Governance Risk and Compliance</title><content type='html'>I was at the Twin Cities Information Risk Round Table meeting this morning in St. Paul, MN.  Rick Ensenbach was there talking about OGEC Governance, Risk &amp;amp; Compliance.  I'm not going to get into a discussion about the philosophy of GRC, but there were a couple of things that stuck out in the discussion.  Rick at one point mentioned that this is such a broad, business focused philosophy that it needs to be driven from the top down.  The other thing that jumped out at me was that there is heavy emphasis on collaboration and communication.&lt;br /&gt;&lt;br /&gt;Well my organization doesn't do collaboration and communication.  We create kingdoms and defend them heavily and we don't like to take the risk that other people will get the glory for even a portion of our work.  We also have a top that will not mandate anything.  So if we don't have collaboration and we don't have top-down management, then is OGEC GRC a poor choice for my organization?  
Furthermore, is there any Risk Management framework that can operate without support of C-Level executives?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-1269904050174326855?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/1269904050174326855/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=1269904050174326855' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1269904050174326855'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1269904050174326855'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2010/06/ogec-governance-risk-and-compliance.html' title='OGEC Governance Risk and Compliance'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-3638121722478643295</id><published>2010-03-15T11:43:00.001-07:00</published><updated>2010-03-15T12:10:16.360-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='event logs'/><title type='text'>I hate Microsoft Event Logs!</title><content type='html'>I have written some impressive python scripts in my day, but if I ever get this one figured out I will be the king of scripting.  Possibly even the king of all things Microsoft.  
I'm trying to generate a simple report of failed logon attempts by source so that I can hopefully detect when someone is trying to break into something using a dictionary attack.  It is difficult to defend something when you can't detect attacks.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;So this should be pretty straightforward, but it turns out that it isn't.  I looked up the event code for failed logon attempts: 529.  OK, so now I just search for all the 529 events in the log files.  Wow, there are a lot.  But since I like to test things out a bit before I get too far into a project, I ran over to a workstation and tried to log in with a fake user account.  That should generate a 529 error, right?&lt;br /&gt;&lt;blockquote&gt;server.domain.com MSWinEventLog 0 Security 40398013 Mon Mar 15 13:19:27 2010 &lt;b&gt;672&lt;/b&gt; Security SYSTEM User Failure Audit SERVER Account Logon    Authentication Ticket Request:     User Name: &lt;b&gt;Bigpooper&lt;/b&gt;     Supplied Realm Name: DOMAIN     User ID: -     Service Name: krbtgt/DOMAIN     Service ID: -     Ticket Options: 0x40810010     Result Code: 0x6     Ticket Encryption Type: -     Pre-Authentication Type: -     Client Address: workstation_ip     Certificate Issuer Name:      Certificate Serial Number:      Certificate Thumbprint:      40383305&lt;/blockquote&gt;&lt;/div&gt;&lt;br /&gt;&lt;div&gt;Weird.  I'm getting a 672 error instead of a 529.  According to &lt;a href="http://technet.microsoft.com/en-us/library/bb742435.aspx"&gt;this document&lt;/a&gt;, if the username and password are correct and the user account passes status and restriction checks, the DC grants the TGT and logs event ID 672.  So the code 672 indicates that Bigpooper logged on successfully, but the message in the event log indicates that he did not.  And error 529 is nowhere to be found.  Which begs the question, what do all the 529 errors in my log files really mean then?  
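A worked version of the report this post is after, added here as an example; it is not the author's script. Two facts it bakes in, because the confusion above turns on them: event 672 is the Kerberos authentication ticket (TGT) request, which the domain controller writes as a Success Audit when it grants the ticket and as a Failure Audit with a Result Code when it refuses (0x6 in the entry above means the client principal, Bigpooper, was not found), and 529 is the "unknown user name or bad password" event written under Logon/Logoff on the machine that processed the logon, which is where NTLM and local logon failures land. So the script keys on audit type plus event ID, not on the ID alone, and counts failures per source address, which is the shape a dictionary attack takes. The Snare-style lines are constructed for the example; the field names and the three-failure threshold are assumptions to tune for your environment.

```python
import operator
import re
from collections import Counter, defaultdict

# Constructed sample in the Snare "MSWinEventLog" layout quoted in the post.
# Real Snare output is tab-separated; the parser accepts any run of whitespace.
# These four lines are made up for the example, not pulled from a real server.
SAMPLE_LOG = """\
server.domain.com MSWinEventLog 0 Security 40398013 Mon Mar 15 13:19:27 2010 672 Security SYSTEM User Failure Audit SERVER Account Logon Authentication Ticket Request: User Name: Bigpooper Supplied Realm Name: DOMAIN User ID: - Service Name: krbtgt/DOMAIN Service ID: - Ticket Options: 0x40810010 Result Code: 0x6 Ticket Encryption Type: - Pre-Authentication Type: - Client Address: 10.1.2.3 Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: 40383305
server.domain.com MSWinEventLog 0 Security 40398014 Mon Mar 15 13:19:31 2010 672 Security SYSTEM User Failure Audit SERVER Account Logon Authentication Ticket Request: User Name: admin Supplied Realm Name: DOMAIN User ID: - Service Name: krbtgt/DOMAIN Service ID: - Ticket Options: 0x40810010 Result Code: 0x18 Ticket Encryption Type: - Pre-Authentication Type: - Client Address: 10.1.2.3 Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: 40383306
server.domain.com MSWinEventLog 0 Security 40398015 Mon Mar 15 13:19:40 2010 672 Security SYSTEM User Success Audit SERVER Account Logon Authentication Ticket Request: User Name: kthompson Supplied Realm Name: DOMAIN User ID: S-1-5-21-1-2-3-1104 Service Name: krbtgt/DOMAIN Service ID: S-1-5-21-1-2-3-502 Ticket Options: 0x40810010 Result Code: - Ticket Encryption Type: 0x17 Pre-Authentication Type: 2 Client Address: 10.1.2.9 Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: 40383307
server.domain.com MSWinEventLog 0 Security 40398016 Mon Mar 15 13:20:02 2010 529 Security SYSTEM User Failure Audit SERVER Logon/Logoff Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: SERVER Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: EVILBOX Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.1.2.3 Source Port: 4455 40383308
"""

# Both IDs mean "logon failed" only when the audit type is Failure Audit: 529 is
# the NTLM/local "unknown user name or bad password" event, 672 is the Kerberos
# TGT request, logged as Success Audit when granted and Failure Audit with a
# Result Code when refused.
FAILED_LOGON_IDS = {"529", "672"}

# Kerberos result codes (RFC 4120 error numbers, in hex as Windows writes them).
KRB_RESULT = {"0x6": "client not found (bad user name)",
              "0x18": "pre-authentication failed (bad password)",
              "0x12": "client revoked (disabled or locked out)",
              "0x17": "password expired"}

HEADER = re.compile(
    r"^(\S+)\s+MSWinEventLog\s+\d+\s+\S+\s+\d+\s+"        # host, criticality, log, counter
    r"(\w{3}\s+\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\d{4})\s+"   # timestamp
    r"(\d+)\s+\S+\s+\S+\s+\S+\s+"                          # event id, source, user, sid type
    r"(Success Audit|Failure Audit)\s+(\S+)\s+(.*)$")      # audit type, computer, category + data


def parse_event(line):
    """Parse one Snare line into a dict; return None for lines in another layout."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    host, when, event_id, audit, computer, rest = m.groups()

    def field(name):
        # First occurrence wins, so "User Name" is the target, not "Caller User Name".
        f = re.search(name + r":\s*(\S+)", rest)
        return f.group(1) if f else "-"

    # 672 names the peer in "Client Address"; 529 uses "Source Network Address"
    # (Windows 2003) or, on older systems, only "Workstation Name".
    source = field("Client Address")
    if source == "-":
        source = field("Source Network Address")
    if source == "-":
        source = field("Workstation Name")
    return {"host": host, "time": when, "event_id": event_id, "audit": audit,
            "computer": computer, "user": field("User Name"),
            "source": source, "result": field("Result Code")}


def failed_logons_by_source(text, threshold=3):
    """Count Failure Audit 529/672 events per source and flag busy sources.

    Returns (counts, users, suspicious): failures per source, the user names
    tried from each source, and the sources with at least `threshold` failures.
    """
    counts = Counter()
    users = defaultdict(set)
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["audit"] != "Failure Audit":
            continue
        if ev["event_id"] not in FAILED_LOGON_IDS:
            continue
        counts[ev["source"]] += 1
        users[ev["source"]].add(ev["user"])
    suspicious = sorted(s for s, n in counts.items() if operator.ge(n, threshold))
    return counts, dict(users), suspicious


def describe(ev):
    """One-line summary of a parsed failure, with the Kerberos reason spelled out."""
    why = KRB_RESULT.get(ev["result"], ev["result"])
    return "%s %s id=%s user=%s from %s (%s)" % (
        ev["time"], ev["audit"], ev["event_id"], ev["user"], ev["source"], why)


if __name__ == "__main__":
    counts, users, suspicious = failed_logons_by_source(SAMPLE_LOG)
    for src in suspicious:
        print("%s: %d failures, users tried: %s" % (src, counts[src], sorted(users[src])))
    for line in SAMPLE_LOG.splitlines():
        ev = parse_event(line)
        if ev and ev["audit"] == "Failure Audit":
            print("  " + describe(ev))
```

Feed it the Snare output from syslog instead of SAMPLE_LOG and the per-source counts are the report; raising the threshold or adding a time window is where real tuning happens, since a single mistyped password from every desk will show up as one failure per source.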
I did some reading and saw that 529 errors might mean that someone tried to log into the local workstation improperly.  Still, despite my best efforts, I have not been able to force a 529 error.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Obviously I need to keep track of both of these error codes.  The thing that is irritating me is that it seems like there are dozens of different codes for failed logon attempts.  Sometimes a single event will result in multiple entries with different codes.  Other times an event is pretty straightforward.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Anyway, there is a lot of guidance on the Internet on how to audit failed logon events.  It pays to take a moment to test out the information that you're given before you write scripts that report incorrect or incomplete information to you.  After all, the only thing worse than no information is incorrect information.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-3638121722478643295?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/3638121722478643295/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=3638121722478643295' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3638121722478643295'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3638121722478643295'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2010/03/i-hate-microsoft-event-logs.html' title='I hate Microsoft Event Logs!'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>6</thr:total></entry>
<entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-7015453231396003544</id><published>2010-03-15T10:31:00.000-07:00</published><updated>2010-03-15T10:33:08.754-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='diversion'/><title type='text'>Happy Ides of March</title><content type='html'>Couldn't help but laugh at this card&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_7Avz7RosatI/S55vKs18vLI/AAAAAAAAANE/zKipGk8pS1M/s1600-h/fri_128b.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 400px; height: 223px;" src="http://3.bp.blogspot.com/_7Avz7RosatI/S55vKs18vLI/AAAAAAAAANE/zKipGk8pS1M/s400/fri_128b.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5448914828791692466" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-7015453231396003544?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/7015453231396003544/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=7015453231396003544' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/7015453231396003544'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/7015453231396003544'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2010/03/happy-ides-of-march.html' title='Happy Ides of March'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_7Avz7RosatI/S55vKs18vLI/AAAAAAAAANE/zKipGk8pS1M/s72-c/fri_128b.jpg' height='72' width='72'/><thr:total>0</thr:total></entry>
<entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-4754417285439966542</id><published>2010-03-07T13:27:00.000-08:00</published><updated>2010-03-07T13:28:36.660-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='passwords'/><title type='text'>Password cracking revisited</title><content type='html'>About a year and a half ago my organization was looking at implementing a new password standard. At the time our password rules only required that a user's password be at least six characters long. Passwords were good for almost a year and there were no rules against re-using the password. The proposed standard would impose new hardships on our users but would also hopefully make our passwords more resistant to guessing and hacking. We had decided on a standard that required passwords to be at least eight characters long and required some combination of mixed case, numbers, and symbols.&lt;br /&gt;&lt;br /&gt;To test the new standard out, I took a sample of our passwords and analyzed the resistance of the sample when faced with a simple dictionary attack, an attack with some mutation, and a rainbow table attack. 
I covered my results &lt;a href="http://www.blackfistsecurity.com/2008/10/password-cracking-for-statistical.html"&gt;here&lt;/a&gt; and &lt;a href="http://www.blackfistsecurity.com/2008/10/more-password-cracking-statistics.html"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Well, the months have gone by since we implemented the standard in January of 2009 and I decided that it was time to take another sample of our users' passwords and see if our new standard has created a noticeable difference in our password strength. I had hoped to do this monthly and chart the trendline, but life got in the way of plans. I followed the same procedure that I outlined in the blog posts above to get a statistically significant sample that would give me a 3% margin of error and a 95% confidence interval.&lt;br /&gt;&lt;br /&gt;I started with a simple wordlist attack using basic mutation. I used Cain &amp;amp; Abel to perform the attack and I used a John the Ripper word list called "all." For the mutation, I used the default settings in Cain &amp;amp; Abel. I was able to analyze the sample in about 15 minutes with this approach. In 2008 this technique revealed 313 of the 1027 hashes in the password sample, or about 30% (714 survived). Now only 139 of the 1027 sampled passwords (about 13.5%) were broken with this technique. We can report this as a 24% improvement in password strength or a 55% reduction in badness. Obviously I am pretty happy about this, and I think this really demonstrates that our new standard has resulted in higher-quality passwords.&lt;br /&gt;&lt;br /&gt;Now I decided to run my anonymized sample through Ophcrack. With Ophcrack the complexity of your password matters less than it does in a dictionary attack. It only took Ophcrack 2 minutes and 23 seconds to crack as many passwords in the sample as Cain &amp;amp; Abel did. At the 30 minute mark 59% of the passwords in the sample had been broken. At the 60 minute mark 68% had fallen. 
When it was all said and done, 712 of the 1027 passwords had been cracked, or just over 69%. In 2008 when we did this analysis over 80% of the passwords fell to this kind of attack. If you remember, each of our samples has a margin of error of 3% so it is possible that there wasn't much of a change in the effectiveness of rainbow tables on our password database.&lt;br /&gt;&lt;br /&gt;Still, for an outside attacker trying to gain access to user accounts, a password attacking tool might be the weapon of choice. So I feel good having improved things a bit. Now I can enjoy my weekend.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-4754417285439966542?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/4754417285439966542/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=4754417285439966542' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4754417285439966542'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4754417285439966542'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2010/03/password-cracking-revisited.html' title='Password cracking revisited'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-4453135216485100999</id><published>2010-02-22T08:25:00.000-08:00</published><updated>2010-02-22T11:39:35.541-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='metrics'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>The Google Suckage Ratio</title><content type='html'>&lt;div style="text-align: left;"&gt;Sometimes we security people find ourselves in the uncomfortable position of having to buy software, services, or hardware to enhance our security.  And in many cases we really don't know a whole lot about the vendors that we have to purchase from.  Let's say, for example, that we need to purchase some vulnerability management software.  There are some big names out there, like Nessus, Qualys, and nCircle, but how do you choose which one to purchase?&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I'm not going to go through the whole purchasing decision process.  I would hope that part of your selection process involves developing a matrix of qualifications, assigning a weight to those qualifications, and assigning a score to each vendor.  You should also put in some guidelines for each qualification so that multiple reviewers will come up with roughly the same answers for the same product (inter-rater reliability).&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;One of the things that you might want to consider when you're making the decision is how favorably the company is viewed by others.  After all, if the general consensus is that a company sucks, then you probably don't want to invest a big hunk of money with them.  But how do you go about doing that?  You can talk to a few friends of yours, but you're taking an awfully small sample to base your opinion on.  
You can also talk to references provided by the company, but there is going to be a high degree of selection bias in that approach.  The approach I would like to consider is the Google Suckage Ratio.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;It's dead simple to calculate the Google Suckage Ratio.  Simply go to Google and type in a company name, like nCircle, and look at how many results you get back.  Now type the company name followed by "sucks."  Take the total number of "company sucks" results and divide by the total number of company results and you get a Suckage ratio.  You may be tempted to put the whole thing in double quotes, but I have found that you can get a staggeringly low number of hits.  Instead we're going to look for the company name together with a negative adjective.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;table border="1" style="text-align: center;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;Company&lt;/th&gt;&lt;th&gt;Company Sucks&lt;/th&gt;&lt;th&gt;Company mentions&lt;/th&gt;&lt;th&gt;Suckage&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;nCircle&lt;/td&gt;&lt;td style="text-align: center;"&gt;26,700&lt;/td&gt;&lt;td style="text-align: center;"&gt;189,000&lt;/td&gt;&lt;td style="text-align: center;"&gt;14%&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;Nessus&lt;/td&gt;&lt;td style="text-align: center;"&gt;156,000&lt;/td&gt;&lt;td style="text-align: center;"&gt;921,000&lt;/td&gt;&lt;td style="text-align: center;"&gt;17%&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="text-align: center;"&gt;Qualys&lt;/td&gt;&lt;td style="text-align: center;"&gt;20,100&lt;/td&gt;&lt;td style="text-align: center;"&gt;226,000&lt;/td&gt;&lt;td style="text-align: center;"&gt;9%&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;div&gt;There are a couple more considerations we should make so that our measurement is more reliable.  
When we do these searches, we should exclude the names of the other vendors that we're considering.  After all, it may be a discussion board where people agree that nCircle is awesome and that Nessus sucks.  So I ran the searches again with exclusion.  Here is a sample search string: Nessus -Qualys -nCircle.  I have also found that if you reverse the order of the excluded terms you can get a different number of hits.&lt;/div&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 138px;" src="http://3.bp.blogspot.com/_7Avz7RosatI/S4LcxZGdzGI/AAAAAAAAAM8/bQIrLYDV_uI/s320/suckage.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5441154040926686306" /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;One question that was brought up when I was discussing this with some co-workers was whether or not we need to consider every negative adjective out there.  Do I also need to search for 'Nessus Blows' and 'Nessus really sucks'?  I decided that the answer is no because I'm really trying to compare these companies to each other using the same measurement tool.  In other words, I'm not saying that 9% of Qualys users are unhappy, I'm saying that the ratio of bad press to total press is higher for Nessus, nearly twice as high (17 divided by 9).  In theory, if we added in "company name blows" then we would still see about the same ratio between Qualys and Nessus.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Now I'm not saying that I endorse this method yet, only that I am intrigued by the idea.  I would love to know if this is pure crap that I am suggesting here.  I would also like to point out that I am not the first person to suggest doing this, but I don't know who is.  One of the things that gives it credibility is the fact that Google has indexed so much of the Internet.  
When you dip into Google you're taking a very wide sample of the Internet.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-4453135216485100999?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/4453135216485100999/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=4453135216485100999' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4453135216485100999'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4453135216485100999'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2010/02/google-suckage-ratio.html' title='The Google Suckage Ratio'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_7Avz7RosatI/S4LcxZGdzGI/AAAAAAAAAM8/bQIrLYDV_uI/s72-c/suckage.png' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-5258581654457431689</id><published>2010-02-03T18:55:00.001-08:00</published><updated>2010-02-03T19:41:24.284-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='linux'/><category scheme='http://www.blogger.com/atom/ns#' term='unix'/><title type='text'>*nix command of the day</title><content type='html'>I'm going to do a series of blog posts on 
some basic security tools and how to use them in your environment.  The school that I work for is going to be fielding a team in the Collegiate Cyber Defense Competition and I am very excited to be acting as an advisor to the team.  So I thought I would put together a few tutorials; today's is the *nix command of the day, lsof.  I also decided to put this on my blog because I don't believe in withholding information (even if it means that other CCDC teams might read this).&lt;br /&gt;&lt;br /&gt;OK, so why do I think that any Linux admin should know about lsof?  Well, the fact is you can't deter things that you can't detect, and lsof is an excellent tool for trying to detect weird network traffic, and possibly any malware that might be on your machine.  This is also a valuable part of profiling your machine so you can write rules on your firewall to block unwanted traffic.&lt;br /&gt;&lt;br /&gt;lsof stands for "List open files."  Remember, on *nix, everything is a file, including network sockets.  Let's just dive in by opening a terminal and typing lsof.  You need to run this as root or with sudo to see the files held open by other users' processes; without it you only see your own.  For this first run, let's pipe the output into head so we can see the beginning.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_7Avz7RosatI/S2o3TAOPywI/AAAAAAAAAMc/iMnU256ao-E/s1600-h/lsof-1.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 84px;" src="http://4.bp.blogspot.com/_7Avz7RosatI/S2o3TAOPywI/AAAAAAAAAMc/iMnU256ao-E/s320/lsof-1.png" alt="" id="BLOGGER_PHOTO_ID_5434216699992722178" border="0" /&gt;&lt;/a&gt;OK, so in this screenshot you can see that the columns list the command and the process ID that has each file open.  
If you didn't pipe the output into head, you would see pages and pages of output listing everything that was open on your machine.  Let's process that a bit with grep to find network connections.  &lt;b&gt;Don't forget the sudo or you won't see all of the output!&lt;/b&gt;  sudo lsof | grep TCP&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_7Avz7RosatI/S2o3rnJtiPI/AAAAAAAAAMk/XeAABfVRWik/s1600-h/lsof-2.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 74px;" src="http://4.bp.blogspot.com/_7Avz7RosatI/S2o3rnJtiPI/AAAAAAAAAMk/XeAABfVRWik/s320/lsof-2.png" alt="" id="BLOGGER_PHOTO_ID_5434217122759543026" border="0" /&gt;&lt;/a&gt;So looking at this output you can see that there is a process called dropbox that is listening on port 17500.  That same process has some connections that are in a CLOSE_WAIT state.  We won't get into what that means right now, except to say that it shows that at one time my machine had a connection to those IP addresses.  You can also see that I have one connection that is established, which means that it is going on right now.  There is also a process called cups that is listening for connections on the ipp port.  (lsof can also do this filtering itself: its -i option restricts the listing to network files, and -n and -P keep addresses and ports numeric, which is easier to script against.  Note too that grepping for TCP tells you nothing about UDP sockets.)&lt;br /&gt;&lt;br /&gt;The listening port is what we're interested in.  We want to know everything that is listening on the network, so that we can write appropriate Access Control Lists and possibly hunt down any rogue listeners.  
So let's run lsof again and grep for LISTEN.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_7Avz7RosatI/S2o34wgtx9I/AAAAAAAAAMs/IEhXtYvOpjQ/s1600-h/lsof-3.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 51px;" src="http://1.bp.blogspot.com/_7Avz7RosatI/S2o34wgtx9I/AAAAAAAAAMs/IEhXtYvOpjQ/s320/lsof-3.png" alt="" id="BLOGGER_PHOTO_ID_5434217348610246610" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As you can see, there are only two services listening for connections.  Now to demonstrate, let's create a rogue listener and see the difference.  I'm going to run this command in another terminal window: nc -l 9000.  Then I'll run my lsof again.  I'm going to spice up this command a bit so you can see the headers too.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_7Avz7RosatI/S2o4BSR3s_I/AAAAAAAAAM0/ABjuPmmSbFU/s1600-h/lsof-4.png"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 67px;" src="http://1.bp.blogspot.com/_7Avz7RosatI/S2o4BSR3s_I/AAAAAAAAAM0/ABjuPmmSbFU/s320/lsof-4.png" alt="" id="BLOGGER_PHOTO_ID_5434217495113741298" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Based on the information that you've got here, you should be able to figure out what services are running each of the connections.  
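The profiling step this post describes, written out as an added example (not the author's code): take a known-good snapshot of what listens on the box, keep it as a baseline, and diff later runs against it so a stray nc -l 9000 is flagged by the script rather than by eyeballing the screenshot. It reads the output of sudo lsof -nP -iTCP -sTCP:LISTEN, which has lsof do the LISTEN filtering itself and keeps addresses and ports numeric so the NAME column parses reliably. The sample lsof output and the baseline below are constructed for the example. One caveat on the grep-for-LISTEN approach: UDP sockets never show a LISTEN state, so run lsof -nP -iUDP separately if you want them in your profile.

```python
import sys

# Constructed output of "sudo lsof -nP -iTCP -sTCP:LISTEN" on a workstation like
# the one in the post: cups and dropbox listening, plus the rogue "nc -l 9000".
# Made up for this example. -n and -P keep addresses and ports numeric, so the
# NAME column is always "addr:port (LISTEN)".
SAMPLE_LSOF = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
cupsd     1234 root    6u  IPv4  12345      0t0  TCP 127.0.0.1:631 (LISTEN)
cupsd     1234 root    7u  IPv6  12346      0t0  TCP [::1]:631 (LISTEN)
dropbox   2345 kevin  22u  IPv4  23456      0t0  TCP *:17500 (LISTEN)
nc        9876 kevin   3u  IPv4  34567      0t0  TCP *:9000 (LISTEN)
"""

# The profile of what this machine is supposed to have listening: (command, port).
# In practice you build this once from a known-good box with snapshot() and keep it
# somewhere the attacker cannot edit. Assumed values for the example.
BASELINE = {("cupsd", 631), ("dropbox", 17500)}


def parse_listeners(text):
    """Turn lsof -nP -iTCP -sTCP:LISTEN output into a list of listener dicts."""
    found = []
    for line in text.splitlines():
        parts = line.split(None, 8)   # NAME is the 9th column and may contain spaces
        if len(parts) != 9 or parts[0] == "COMMAND":
            continue
        command, pid, user, fd, ftype, device, size, node, name = parts
        if "(LISTEN)" not in name:
            continue
        # "127.0.0.1:631 (LISTEN)" or "[::1]:631 (LISTEN)": split on the last colon
        # so IPv6 addresses keep their own colons.
        addr, port = name.split()[0].rsplit(":", 1)
        found.append({"command": command, "pid": int(pid), "user": user,
                      "proto": node, "addr": addr, "port": int(port)})
    return found


def snapshot(text):
    """The (command, port) set to save as a baseline from a known-good machine."""
    return {(l["command"], l["port"]) for l in parse_listeners(text)}


def unexpected_listeners(text, baseline):
    """Listeners in the lsof output that are not part of the baseline profile."""
    return [l for l in parse_listeners(text)
            if (l["command"], l["port"]) not in baseline]


if __name__ == "__main__":
    # Pipe real output in:  sudo lsof -nP -iTCP -sTCP:LISTEN | python3 listeners.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSOF
    for l in unexpected_listeners(text, BASELINE):
        print("UNEXPECTED: %s (pid %d, %s) listening on %s:%d" % (
            l["command"], l["pid"], l["user"], l["addr"], l["port"]))
```

Matching on (command, port) rather than port alone is deliberate: a rogue process bound to a port you expect, but under a different name, should still trip the check. Keying on the process name is only a first cut, since malware can call itself cupsd; the next step is to compare the executable path from lsof -p or /proc as well.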
If there are any that you can't identify, then it may be an indication of malware that you need to investigate further.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-5258581654457431689?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/5258581654457431689/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=5258581654457431689' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/5258581654457431689'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/5258581654457431689'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2010/02/nix-command-of-day.html' title='*nix command of the day'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_7Avz7RosatI/S2o3TAOPywI/AAAAAAAAAMc/iMnU256ao-E/s72-c/lsof-1.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-8388545641520657955</id><published>2010-01-17T08:44:00.000-08:00</published><updated>2010-01-17T10:40:31.244-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Outlook Web Access'/><category scheme='http://www.blogger.com/atom/ns#' term='incident response'/>
<title type='text'>How to identify Exchange 2010 Outlook Web Access logins from IIS logs</title><content type='html'>&lt;p&gt;&lt;strong&gt;Summary:&lt;/strong&gt;&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Look for POST events in the IIS logs going to /owa/auth.owa.&lt;/li&gt;&lt;li&gt;Make sure you've configured your web server and firewall to log to a logging server.  Incident response begins long before the incident.&lt;/li&gt;&lt;li&gt;Even denied traffic on your firewall's external interface can be interesting.&lt;/li&gt;&lt;/ul&gt;I had an interesting bit of detective work a while back that I thought I would share with you. I had to sanitize the crap out of this story but hopefully it proves to be a good exercise in forensic work and scientific discovery.&lt;br /&gt;&lt;br /&gt;Recently I was asked to look into a situation where some poor organization had been victimized over the web. Someone had visited their website and made threatening statements on an anonymous discussion forum and they wanted to know if I could learn anything about the person who made the threats.&lt;br /&gt;&lt;br /&gt;The first step in this (and probably in any investigation) is to have a chat with your legal folks to make sure that it is OK to proceed.  The person who made the threat was on a forum that doesn't ask for a name, so we need to ensure that there is no problem with trying to undo the anonymity. In this case the legal folks said we could go ahead because of the nature of the threat.&lt;br /&gt;&lt;br /&gt;OK, so now we need more information about the source, and the first place I wanted to look was in the web logs. We know what time the posting was made and we know what page it was on so it was pretty easy to find the source IP address. This is where it really proves true that the first step in incident response happens long before the incident occurs. 
This organization has a process for saving web logs and a procedure that dictates how long the log files have to be saved. Going to the web logs, I ran a simple grep to find every IP address that had visited the victimized page: &lt;strong&gt;grep victim weblogfile.txt&lt;/strong&gt;.  I got back 42 results, and this is the relevant one...&lt;br /&gt;&lt;blockquote&gt;192.168.1.1 - - [12/Jan/2010:23:26:09 -0600] "POST /security/victimizedpage.php&lt;br /&gt;HTTP/1.1" 200 8106 "http://www.domain.com/security/victimizedpage.php"&lt;br /&gt;"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR&lt;br /&gt;2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0;&lt;br /&gt;InfoPath.2)"&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;So now we know that we're looking for 192.168.1.1. Obviously I've cleaned up the log files a bit; in truth it was some IP address out on the Internet somewhere. Next up I looked for other activity from that IP address. I also weeded out some of the stuff I wasn't interested in because it was making the results too cluttered to understand: &lt;strong&gt;grep 192.168.1.1 weblogfile.txt | grep -v .css | grep -v .png | grep -v .jpg&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;There were a couple of interesting things I saw here. For one, the person that posted the threat had been visiting the organization's website all day long. This wasn't just a quick visit, drop off a threatening message, and leave. The person had been on the main page for a while, then over to Human Resources and a few other spots on the website. This happened several times throughout the day, but the threat wasn't dropped off until 11:26pm. The other thing that was interesting about the output was that the person had stopped by the Outlook Web Access page a few times. Make a note to check on OWA logins.&lt;br /&gt;&lt;br /&gt;This organization also configures their Cisco firewall to log web activity. 
I decided that it would be worthwhile to check that out as well. Looking through the Cisco logs I saw a lot of activity from that machine to servers that are not open to the public. The results were again interesting.&lt;br /&gt;&lt;br /&gt;This snippet (which is repeated often) shows that the machine had been trying to connect to the LDAP port (udp/389) on all of the organization's domain controllers, which are not reachable through the firewall:&lt;br /&gt;&lt;blockquote&gt;Jan 12 00:03:21 fw.domain.com %ASA-4-106023: Deny udp src&lt;br /&gt;outside:192.168.1.1/62539 dst inside:172.16.52.10/389 by access-group "110"&lt;br /&gt;[0x0, 0x0]&lt;br /&gt;Jan 12 00:03:21 fw.domain.com %ASA-4-106023: Deny udp src&lt;br /&gt;outside:192.168.1.1/62544 dst inside:172.16.52.109/389 by access-group "110"&lt;br /&gt;[0x0, 0x0]&lt;br /&gt;Jan 12 00:03:21 fw.domain.com %ASA-4-106023: Deny udp src&lt;br /&gt;outside:192.168.1.1/62545 dst inside:172.16.52.108/389 by access-group "110"&lt;br /&gt;[0x0, 0x0]&lt;br /&gt;Jan 12 00:03:22 fw.domain.com %ASA-4-106023: Deny udp src&lt;br /&gt;outside:192.168.1.1/62546 dst inside:172.16.52.1/389 by access-group "110" [0x0,&lt;br /&gt;0x0] &lt;/blockquote&gt;Examining the logs further shows that the person had many denied connections to internal services, but there doesn't seem to be any evidence of a port scan going on. It is possible that we could be dealing with a rather advanced attacker that was able to learn quite a bit about the internal network. However, it seems more likely that this computer is a member of the organization's domain and is trying to find its domain controllers: UDP 389 is the LDAP ping that a Windows client sends to locate a DC, and a domain-joined laptop sitting on an outside network will keep sending it to the DC addresses it already knows. Let's check out those Outlook Web Access logs.&lt;br /&gt;&lt;br /&gt;The logs for Outlook Web Access are just the IIS logs, but since you have to authenticate to use OWA, the username sometimes appears in the logs for files that are in the secure area. It seems that the most reliable way to find login events is to search for POST events to /owa/auth.owa. 
Here is my example: &lt;strong&gt;unzip -c Exchange\ Logs.zip | grep '192.168.1.1 ' | grep -e '^2010-01-12' | grep 'POST /owa/auth.owa'&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;There are a couple of things you want to watch out for when you run these greps. First of all, when you're chaining grep statements together like this you want to make sure that you put the most restrictive grep first. The grep that will produce the fewest results should go first because then there is less work for your other grep statements. That's why the IP address is the first thing we're grepping for. Next, if you have a source IP address with a small number in the last octet, make sure you include a space after it or write a regular expression. Without it I would see results from 192.168.1.1, and also .12, .13, .101, etc. Here is a sampling of what I got:&lt;br /&gt;&lt;blockquote&gt;2010-01-12 04:46:59 134.29.1.200 POST /owa/auth.owa - 443 &lt;strong&gt;user1&lt;/strong&gt; 24.197.202.23&lt;br /&gt;Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.2)&lt;br /&gt;2010-01-12 06:06:21 134.29.1.200 POST /owa/auth.owa - 443 &lt;strong&gt;user23&lt;/strong&gt;&lt;br /&gt;24.197.202.23&lt;br /&gt;Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0;+SLCC1;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.04506;+Tablet+PC+2.0;+InfoPath.2) &lt;/blockquote&gt;Two user names appeared, user1 and user23. I talked to the HR department and found out that there was a reasonable explanation for why these two users might have the same IP address. So we're in good shape; we now have two people of interest that we should interview to know more. But we can take it a step further. Check out the user-agent string that user1's browser sent and compare that to the user-agent string that was used to make the threat in the first place. It seems that they match! 
So between these two users, I think we are more interested in user1 than user23.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-8388545641520657955?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/8388545641520657955/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=8388545641520657955' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/8388545641520657955'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/8388545641520657955'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2010/01/how-to-identify-exchange-2010-outlook.html' title='How to identify Exchange 2010 Outlook Web Access logins from IIS logs'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-8681870365594046147</id><published>2009-12-29T09:24:00.001-08:00</published><updated>2009-12-29T09:28:22.286-08:00</updated><title type='text'>I has a sad...</title><content type='html'>&lt;a href="http://4.bp.blogspot.com/_7Avz7RosatI/Szo8K4sUhGI/AAAAAAAAAMU/aLEkyqtcvo0/s1600-h/funny-pictures-sad-cat-blackandwhite.jpg"&gt;&lt;img style="MARGIN: 0px 10px 10px 0px; WIDTH: 320px; FLOAT: left; HEIGHT: 249px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5420711259208451170" border="0" alt="" 
src="http://4.bp.blogspot.com/_7Avz7RosatI/Szo8K4sUhGI/AAAAAAAAAMU/aLEkyqtcvo0/s320/funny-pictures-sad-cat-blackandwhite.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;Today I had to update the code on my beloved Sidewinder firewall, and with the new revision of code came rebranding. Now it doesn't even look like a Sidewinder anymore. It just looks as bland as the new name. "Secure Firewall." Meh.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-8681870365594046147?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/8681870365594046147/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=8681870365594046147' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/8681870365594046147'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/8681870365594046147'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/12/i-has-sad.html' title='I has a sad...'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_7Avz7RosatI/Szo8K4sUhGI/AAAAAAAAAMU/aLEkyqtcvo0/s72-c/funny-pictures-sad-cat-blackandwhite.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-807464665455637577</id><published>2009-12-28T06:32:00.000-08:00</published><updated>2009-12-28T06:52:42.637-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='snort'/><title type='text'>Time-based alerts for snort</title><content type='html'>Snort is a very powerful intrusion detection system, and I've learned that when you combine it with a little kung fu you can do amazing things with it.  You can write incredibly granular alerts that will catch almost anything while minimizing false positives.  However, there is one thing missing in the alerting functionality and that is the ability to specify that some alerts only fire at certain times.&lt;br /&gt;&lt;br /&gt;For example, let's say that you maintain a customer portal for your supply customers to order new shipments of some product.  You can expect that you will have customers hitting this page and trying to log in during normal business hours so you probably wouldn't want to alert on that.  However, the same kind of traffic happening at 11:30 at night might seem suspicious.  At that time, events that might not be terribly interesting (like five failed logon attempts) suddenly become much hotter.&lt;br /&gt;&lt;br /&gt;So how can we get time-based alerts in snort?  Well there are two ways that I can think of and hopefully someone can think of a few more.  The first is the less-than-elegant solution.  You can write a script that adds a few rule lines to your local.rules file at certain times of the day and sends a kill -1 to your snort process so that it will reprocess its rules files.  The advantage of using this process is that it is the simplest way of doing it.  One way of doing it would be to have two different versions of your local.rules file.  Then write a cron job that switches the two files and sends the kill -1 to the snort process.  
The disadvantage to this process is that it isn't very flexible.  Let's say you want to ignore web activity between 8am and 5pm.  Well that is pretty easy using this approach.  But let's also say that on a different system you want to ignore activity from a block of IP addresses during a different time period.  Now you would need to have three and possibly four versions of your local.rules file and your cron job would start to get pretty complicated.  You would also need to make sure that you keep your script updated with the process ID that snort is running under.  If you restart the service for some reason you're going to need to update your scripts.  So I didn't like this approach.&lt;br /&gt;&lt;br /&gt;Here is what I ended up doing to get these time-based alerts.  I'll describe it in a nutshell, and then go into the detailed process.  First, I set up a named pipe in the log directory that snort writes to.  Then I created another type of rule called OddHours and told snort to write the alert for these rules into the named pipe I created.  Then I wrote a python script that monitors the named pipe and takes an action whenever a new alert is found.  It checks the day of the week and the time of day and then makes a decision to either send me an email or do nothing.  The last step was to write the snort rules that I was looking for.&lt;br /&gt;&lt;br /&gt;OK, so first is the named pipe.  I have a lot of difficulty explaining what a named pipe is, but basically it is a way of sending the output from one program into another.  For you command-line Linux types, you probably do this all the time, like when you pipe the output of ps into grep to find your snort process ID.  &lt;blockquote&gt;ps aux | grep snort&lt;/blockquote&gt;  That | symbol is doing the same thing as our named pipe, but it doesn't have a name and it isn't persistent on the file system the way our named pipe is.  
So let's create it: &lt;blockquote&gt;mkfifo oddhours.csv&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Now the custom alerts.  In the snort.conf file that comes with snort, you can do a search for redalert and find an example of doing this.  The custom alert is just a way of telling snort that for some alerts you want to react differently than you usually do.  So I added this in underneath the redalert example:&lt;br /&gt;ruletype oddhours&lt;br /&gt;&lt;blockquote&gt;{&lt;br /&gt;     type alert&lt;br /&gt;     output alert_csv: oddhours.csv timestamp,sig_id,msg,proto,src,dst,dstport&lt;br /&gt;}&lt;/blockquote&gt;&lt;br /&gt;So now if snort sees traffic that matches a rule that is written to use this custom ruletype it will send the time of the alert, the signature ID, the message, protocol, source and destination information into our named pipe.&lt;br /&gt;&lt;br /&gt;This would be a bad time to restart snort if you're following along with me.  The thing about named pipes is that you must have both ends of the pipe wired up for them to work.  In the next step we'll create a script that "listens" to the pipe, but if you don't have that script running when you start snort, then snort will sit there and wait for the script to start.  &lt;br /&gt;&lt;br /&gt;OK, let's dig into that python script.  This is pretty easy.  Just read a line of text from the named pipe and check what time it is.  
Right now the script is just writing to a log file, but I've put in the logic to send the email message that I ultimately want to receive.&lt;br /&gt;&lt;pre name="code" class="python"&gt;&lt;br /&gt;import time&lt;br /&gt;import smtplib&lt;br /&gt;from email.mime.text import MIMEText&lt;br /&gt;import logging&lt;br /&gt;&lt;br /&gt;#######################&lt;br /&gt;# Here is the logging setup stuff&lt;br /&gt;#######################&lt;br /&gt;LOG_FILENAME = '/home/kevin/oddoutput.txt'&lt;br /&gt;logging.basicConfig(filename=LOG_FILENAME, level=logging.INFO)&lt;br /&gt;#######################&lt;br /&gt;# Here is the SMTP setup stuff&lt;br /&gt;#######################&lt;br /&gt;smtpServer = 'smtp.domain.edu'&lt;br /&gt;smtpFrom = 'email.address@domain.edu'&lt;br /&gt;smtpTo = 'email.address@domain.edu'&lt;br /&gt;&lt;br /&gt;#######################&lt;br /&gt;# Here is a function for sending alert emails&lt;br /&gt;#######################&lt;br /&gt;def SendAlertEmail(inMessage):&lt;br /&gt;    logging.debug('\tSending Email alert')&lt;br /&gt;    msg = 'Snort has detected activity at an unusual hour.\n'&lt;br /&gt;    msg += inMessage&lt;br /&gt;    msg = MIMEText(msg)&lt;br /&gt;    msg['Subject'] = 'Activity at an unusual time'&lt;br /&gt;    msg['From'] = smtpFrom&lt;br /&gt;    msg['To'] = smtpTo&lt;br /&gt;&lt;br /&gt;    s = smtplib.SMTP(smtpServer)&lt;br /&gt;    s.sendmail(smtpFrom, smtpTo, msg.as_string())&lt;br /&gt;    s.quit()  # quit() has to be called; a bare s.quit does nothing&lt;br /&gt;    logging.debug('\tMessage sent.')&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;# Block reading alert lines from the named pipe that snort writes to.&lt;br /&gt;# Each line is one CSV alert record produced by the oddhours ruletype.&lt;br /&gt;infile = open('/home/kevin/snort/logs/oddhours.csv','r')&lt;br /&gt;while True:&lt;br /&gt;    data = infile.readline()&lt;br /&gt;    if data:&lt;br /&gt;        logging.info('Line of data received.')&lt;br /&gt;        logging.debug('\tChecking if it is Saturday.')&lt;br /&gt;        if time.strftime('%a') == 'Sat':&lt;br /&gt;            logging.critical('\t\tIt\'s Saturday!  ALERT ALERT')&lt;br /&gt;            logging.critical('\t\t'+data)&lt;br /&gt;            #SendAlertEmail(data)&lt;br /&gt;            continue&lt;br /&gt;        else:&lt;br /&gt;            logging.debug('\t\tNope. It\'s '+time.strftime('%a'))&lt;br /&gt;        logging.debug('\tChecking if it is Sunday.')&lt;br /&gt;        if time.strftime('%a') == 'Sun':&lt;br /&gt;            logging.critical('\t\tIt\'s Sunday!  ALERT ALERT')&lt;br /&gt;            logging.critical('\t\t'+data)&lt;br /&gt;            #SendAlertEmail(data)&lt;br /&gt;            continue&lt;br /&gt;        else:&lt;br /&gt;            logging.debug('\t\tNope. It\'s '+time.strftime('%a'))&lt;br /&gt;        # Weekday: anything before 08:00 or from 17:00 onward is outside the work day&lt;br /&gt;        logging.debug('\tChecking if it is early in the morning.')&lt;br /&gt;        if int(time.strftime('%H')) &lt;= 7:&lt;br /&gt;            logging.critical('\t\tIt\'s Early.  ALERT ALERT')&lt;br /&gt;            logging.critical('\t\t'+data)&lt;br /&gt;            #SendAlertEmail(data)&lt;br /&gt;            continue&lt;br /&gt;        logging.debug('\tChecking if it is late in the day.')&lt;br /&gt;        if int(time.strftime('%H')) &gt;= 17:&lt;br /&gt;            logging.critical('\t\tIt\'s Late.  ALERT ALERT')&lt;br /&gt;            logging.critical('\t\t'+data)&lt;br /&gt;            #SendAlertEmail(data)&lt;br /&gt;            continue&lt;br /&gt;        logging.debug('\tPassed all tests.')&lt;br /&gt;        logging.debug('\t'+data)&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;OK.  The last thing we need to do is write some rules that make use of our custom ruletype.  In this example, I want to see web surfing that happens on Saturday or Sunday or outside of the normal work day.  So my rule is going to look for anything on my home_net that is going to port 80 or 443 with the SYN flag set.  Keep in mind that I wouldn't do this on a production system unless you want a lot of email or you're sure that this doesn't happen.  
I'm using this example because it fires a lot of alerts and lets you check right away if your rule is working.&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;oddhours tcp $HOME_NET any -&gt; any 80 (msg:"Surfing at an odd hour."; flags:S; sid:2009122301; rev:1;)&lt;br /&gt;oddhours tcp $HOME_NET any -&gt; any 443 (msg:"Surfing at an odd hour."; flags:S; sid:2009122302; rev:1;)&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;OK.  Now we're ready to fire the whole thing off.  First, start up the python script and set it to run in the background: python oddhours.py &amp;&lt;br /&gt;&lt;br /&gt;Then fire up snort and start watching the output file.  You can change the logging level so that you can get more or less information from the script if you want to do some troubleshooting.  &lt;br /&gt;&lt;br /&gt;Later on down the road, you can create functions for each sid that you want to monitor.  When a line of data comes in you can pass control over to the function that you've written for that sid.  That way you can have different time-based rules for each sid.  It would also be pretty easy to expand the script so that you could send email alerts to different people based on the sid.  &lt;br /&gt;&lt;br /&gt;And hey, if you know a better way to do this then please hook me up with the answer.  
I'll gladly post it on my blog and give you all the credit.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-807464665455637577?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/807464665455637577/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=807464665455637577' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/807464665455637577'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/807464665455637577'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/12/time-based-alerts-for-snort.html' title='Time-based alerts for snort'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-3866776322657600803</id><published>2009-11-12T07:42:00.000-08:00</published><updated>2009-11-12T07:44:26.184-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><title type='text'>Don't cry over spilled COFEE</title><content type='html'>This morning I was looking at my Information Technology daily news feed from Infragard, which is supposed to be sensitive information but only ever contains links to public web sites and a brief discussion of the link.  
Anyway, in this morning's edition there was some discussion about Microsoft's COFEE being leaked into the wild and a link to this article:&lt;a href="http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221600872"&gt;http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221600872&lt;/a&gt;.  Generally there seems to be terror surrounding the release of this tool.  Here are the two money quotes:&lt;br /&gt;&lt;blockquote&gt;"the danger is that a detection tool will be written for COFEE so that the bad guys can cover their tracks."&lt;/blockquote&gt;&lt;br /&gt;and&lt;br /&gt;&lt;blockquote&gt;"One researcher who got a copy of COFEE online says bad guys could abuse the tool by taking one of its Dynamic Link Libraries (DLL) and loading it into a compromised machine’s memory, where it then dumps stored clear-text passwords to a file."&lt;/blockquote&gt;&lt;br /&gt;I believe these feelings are being expressed by people who probably don't know much of the fundamentals of forensics or information security.  I could see this being very disturbing news for a law enforcement agent that doesn't know anything other than "insert this magic USB stick into a computer and magic happens and you get the stuff you need."&lt;br /&gt;&lt;br /&gt;Sure, somebody could write a rootkit that watches for COFEE and starts trashing evidence, and it probably will happen before too long.  So what?  Many of us use dd to image the memory on a computer and the same threat has existed for us, and we're not freaking out about it.  If malware writers started to do that, they would just end up on the same hamster wheel that anti-virus writers are on.  Today your malware can detect COFEE so we pack the code differently.  Now your malware has to detect two signatures for COFEE.  
And so on, and so on, and so on.&lt;br /&gt;And so I find myself in agreement with Microsoft's Richard Boscovich, an attorney in the Internet Safety Enforcement Team.&lt;blockquote&gt;  "we do not anticipate the possible availability of COFEE for cybercriminals to download and find ways to 'build around' to be a significant concern..."  &lt;/blockquote&gt;Unfortunately, that quote didn't make it into the Infragard summary of the article, which is too bad because I think that is the money quote.  Here is the next best quote from the article: &lt;blockquote&gt;"COFEE was designed and provided for use by law enforcement with proper legal authority, but is essentially a collection of digital forensic tools already commonly used around the world. Its value for law enforcement is not in secret functionality unknown to cybercriminals -- its value is in the way COFEE brings those tools together in a simple and customizable format for law enforcement use in the field."&lt;/blockquote&gt;&lt;br /&gt;The second quote from above is what really steamed my broccoli; the one about dumping clear text passwords by loading a DLL into memory.  Obviously there are security problems with any program that is keeping passwords in clear text, and users should be purging themselves of such software.  Mainly though, I feel like that functionality is actually exploiting a vulnerability in Microsoft's code and should be patched.  Seriously, if such functionality exists (and I'm not positive that it does) this should be considered a major security flaw.  Unfortunately I can't give you an educated opinion on this because I'm not a law enforcement agent and so I can't see the secret program.  Here is a decent write-up of what it can do: &lt;a href="http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/"&gt;http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Verdict: everybody chill out.  
No big deal.  Nothing to see here.  Move on.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-3866776322657600803?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/3866776322657600803/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=3866776322657600803' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3866776322657600803'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3866776322657600803'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/11/dont-cry-over-spilled-cofee.html' title='Don&apos;t cry over spilled COFEE'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-1198102936261401704</id><published>2009-10-29T14:18:00.000-07:00</published><updated>2009-10-29T14:40:14.931-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='snort'/><title type='text'>Snort alert_unixsock</title><content type='html'>In my last post, I talked about a program and named pipe I put together so that I could get email alerts when snort detected certain events.  
I am a little surprised that this functionality isn't built into the software already and I'm a little surprised that there isn't a built-in way to send alert output to a program.  In other words, not having to have a process running all the time watching a named pipe, but one that gets run by snort when certain alerts fire.&lt;br /&gt;&lt;br /&gt;Anyway, I wanted to talk about a failure I had with snort because I hope that someone will read this and either learn from my troubleshooting process or provide me with some info on what I did wrong.  I want to talk about sending alerts to a unix socket.&lt;br /&gt;&lt;br /&gt;When you run snort, you specify a log directory that you want snort to send logs to using the -l option at the command line.  When you turn on alert_unixsock snort will send alerts to a socket called snort_alert in your log directory.  You can turn on sockets by adding the line "output alert_unixsock" to your snort.conf file.  I used it within a custom ruletype.&lt;br /&gt;&lt;br /&gt;But before you do that, you need to create the socket.  Snort will not do it for you.  So using my favorite programming language, I whipped up something to create the socket, listen for connections, and print anything that it receives.  I borrowed heavily from the python.org web site for this code.&lt;br /&gt;&lt;pre name="code" class="python"&gt;&lt;br /&gt;#! /usr/bin/env python&lt;br /&gt;import os&lt;br /&gt;import socket&lt;br /&gt;&lt;br /&gt;s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)&lt;br /&gt;&lt;br /&gt;# Remove a stale socket file left over from a previous run, if any&lt;br /&gt;try:&lt;br /&gt;    os.remove('/home/kevin/snort/logs/snort_alert')&lt;br /&gt;except OSError:&lt;br /&gt;    pass&lt;br /&gt;&lt;br /&gt;# Create the socket in snort's log directory and wait for connections&lt;br /&gt;s.bind('/home/kevin/snort/logs/snort_alert')&lt;br /&gt;s.listen(3)&lt;br /&gt;while True:&lt;br /&gt;    conn, addr = s.accept()&lt;br /&gt;    datain = conn.recv(1024)&lt;br /&gt;    print(datain)&lt;br /&gt;    conn.close()  # close each accepted connection inside the loop&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;So I fired up this script which creates the listener, and then I fired up snort.  I wrote up a rule that would fire almost constantly and I waited for something to be written to my screen by the socket reader.  But I got nothing.  Flabbergasted, I did a "tail -f /home/kevin/snort/logs/alert" and watched my constantly running alert fire off constantly.  So I know that the rule I wrote is good, and I know that snort is doing &lt;b&gt;something&lt;/b&gt;.&lt;br /&gt;&lt;br /&gt;So the next logical thing to check was the program itself.  I couldn't find anything that would act as a socket sniffer, which is what I would have liked to have done.  So instead, I wrote up this script that would connect to the socket and send some data over.  &lt;br /&gt;&lt;pre name="code" class="python"&gt;&lt;br /&gt;#! /usr/bin/env python&lt;br /&gt;&lt;br /&gt;import socket&lt;br /&gt;&lt;br /&gt;# Connect to the listener's socket and send one test message&lt;br /&gt;s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)&lt;br /&gt;s.connect('/home/kevin/snort/logs/snort_alert')&lt;br /&gt;&lt;br /&gt;s.send('Test message.')&lt;br /&gt;s.close()&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;With my listener running, I fired up my sending program a couple times and sure enough, my listener wrote "Test message" to standard output every time.  So I know that my listener is good.  It seems like snort isn't sending data to the socket.  
I checked, and double-checked, and triple-checked the syntax of the command in snort.conf, but there really isn't anything to it.  I even delved into the murky world of strace to see what was going on.&lt;br /&gt;&lt;pre&gt;access("/home/kevin/snort/logs/snort_alert", W_OK) = 0&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;Unless I'm mistaken, the zero at the end means that snort was able to write to the socket, in other words there were no permission problems.  So I'm really at a loss.  Does anyone have any ideas as to what I might be missing?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-1198102936261401704?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/1198102936261401704/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=1198102936261401704' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1198102936261401704'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1198102936261401704'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/10/snort-alertunixsock.html' title='Snort alert_unixsock'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-5793942083212980680</id><published>2009-10-29T11:54:00.000-07:00</published><updated>2009-11-21T09:08:37.959-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='snort'/><category scheme='http://www.blogger.com/atom/ns#' term='python'/><title type='text'>Snort Email Alerts</title><content type='html'>I have a situation going on where I needed to watch for certain traffic matching a particular set of rules and of course the first thing that came to mind was to use snort.  Snort allows me to write up very customizable rules so I knew I would have no problem detecting any of the problem traffic.  In this particular case, I wanted to know if any SYN packets were being sent to a workstation.  So the rule was pretty easy to write.&lt;br /&gt;&lt;blockquote&gt;alert tcp any any -&gt; $HOME_NET any (msg:"Connection established to monitored machine"; flags:S; sid:20091029; rev:1;)&lt;/blockquote&gt;But I really didn't want to have to search through the logs looking for this kind of thing.  After all, it might be months before I see the particular traffic that I'm looking for, so I decided that I wanted snort to email me if it saw anything interesting.  I don't, however, want snort to email me about every alert that it sees because it tends to be a bit chatty at my site.&lt;br /&gt;&lt;br /&gt;The way we get snort to treat alerts differently is to create a ruletype for the special rules.  
To do this, I went into my snort.conf file (usually located in /etc/snort/) and added the following lines:&lt;br /&gt;ruletype emailalert&lt;br /&gt;&lt;blockquote&gt;{&lt;br /&gt;   type alert&lt;br /&gt;   output alert_csv: csvlog default&lt;br /&gt;}&lt;/blockquote&gt;Then I changed my rule above so that instead of being an alert, it was an emailalert:&lt;br /&gt;&lt;blockquote&gt;emailalert tcp any any -&gt; $HOME_NET any (msg:"Connection established to monitored machine"; flags:S; sid:20091029; rev:1;)&lt;/blockquote&gt;So what we've done is told snort that if it sees any traffic matching my rule it should write something in csv form to a file called csvlog in whatever logging folder you're using.  The reason I chose csv form is because everything gets written to a single line and I won't have to figure out down the road how to guess how many lines are in an alert message.  Also, you can break the message down and only email the parts of the alert that you're interested in.&lt;br /&gt;&lt;br /&gt;So what we could do is write a program that will read the file output and keep checking every few minutes to see if anything new has been added and then send an email alert.  That would work, but you wouldn't really get real-time alerts.  You would also have to put in code to find the end of the file and back off one line and keep track of what is new in the file.  It all sounds messy.  Instead, I used a &lt;a href="http://www.linuxjournal.com/article/2156"&gt;named pipe&lt;/a&gt;.  Snort is going to write to a file in its log directory called csvlog, so I changed directory to /var/log/snort and used the following command to create a named pipe: mkfifo csvlog.  Now all I have to do is write a program that will connect to the pipe and read a line from it.  I don't have to deal with any of the other crap that I talked about above, and I can easily get real-time alerts.  
As usual, I went to my favorite programming language, python.&lt;br /&gt;&lt;pre name="code" class="python"&gt;&lt;br /&gt;#! /usr/bin/env python&lt;br /&gt;&lt;br /&gt;import smtplib&lt;br /&gt;from email.mime.text import MIMEText&lt;br /&gt;&lt;br /&gt;###################&lt;br /&gt;# Here is the SMTP setup stuff&lt;br /&gt;###################&lt;br /&gt;smtpServer = "smtp.server.com"&lt;br /&gt;smtpFrom = "nospam@blackfistsecurity.com"&lt;br /&gt;smtpTo = "nospam@blackfistsecurity.com"&lt;br /&gt;&lt;br /&gt;###################&lt;br /&gt;# Here is a function for sending alert emails&lt;br /&gt;###################&lt;br /&gt;def SendAlertEmail(inMessage):&lt;br /&gt;   msg = 'Snort has detected an emailalert\n'&lt;br /&gt;   msg += inMessage&lt;br /&gt;   msg = MIMEText(msg)&lt;br /&gt;   msg['Subject'] = 'Emailalert from snort'&lt;br /&gt;   msg['From'] = smtpFrom&lt;br /&gt;   msg['To'] = smtpTo&lt;br /&gt;&lt;br /&gt;   s = smtplib.SMTP(smtpServer)&lt;br /&gt;   s.sendmail(smtpFrom, smtpTo, msg.as_string())&lt;br /&gt;   s.quit()   # the parentheses matter: a bare s.quit never closes the session&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;###################&lt;br /&gt;# Main program loop.  Watch the named pipe and if&lt;br /&gt;# anything shows up, email it using the function above.&lt;br /&gt;# readline() blocks on the FIFO until snort writes a whole line,&lt;br /&gt;# so there is no polling and no file-offset bookkeeping.&lt;br /&gt;###################&lt;br /&gt;infile = open('/var/log/snort/csvlog', 'r')&lt;br /&gt;while True:&lt;br /&gt;   data = infile.readline()&lt;br /&gt;   if data:&lt;br /&gt;       SendAlertEmail(data)&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;The easy way to test this is to telnet to a port that you know is open on one of the monitored machines.  If an email message pops up in your inbox, then you know you're golden.  But what if you're looking at a machine that normally doesn't have any open ports?  What if you're specifically looking for an instance where a rogue listener opens up?  The rule I wrote will detect that, but how do you test it?&lt;br /&gt;&lt;br /&gt;Easy.  
Just change the rule we wrote so that the flags we're looking for are just SYN packets rather than SYN-ACK packets (flags:SA; becomes flags:S;).  Send a kill -1 to the process that is running snort so that your rule set will reload.  Then telnet to any port on the machine and you should see an email message get sent.  &lt;span style="font-weight: bold;"&gt;Do not nmap the machine (like I did) or you will suffer a flood of email messages that will make you want to cry!&lt;/span&gt;  And don't forget to set the rule back to what it was and send another kill -1 to the snort process.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-5793942083212980680?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/5793942083212980680/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=5793942083212980680' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/5793942083212980680'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/5793942083212980680'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/10/snort-email-alerts.html' title='Snort Email Alerts'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-3314769570169711330</id><published>2009-10-27T12:36:00.000-07:00</published><updated>2009-10-27T12:38:06.335-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='fde'/><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><title type='text'>Full Disk Encryption: Cannot install due to previous installation.</title><content type='html'>Well I finally got the licensing issues that I was having with Check Point worked out, and I finally got some of that "time" stuff that I hear other people have, so I got back to work on testing and configuring Check Point Full Disk Encryption R72.  Sure enough, I didn't get too far into the process before I had some kind of problem, but I was able to figure out the solution and now I'm sharing it with you.&lt;br /&gt;&lt;br /&gt;So first off, how did I create the problem?  Well I installed the R72 software on my Windows 7 computer and everything loaded properly.  After rebooting, I opened the Management Console and created a set and an installation profile so that I could get started on remote installation.  Then I uninstalled the software from my computer and rebooted.  The problem showed up when I tried to install the software a second time, this time using the installation profile.  The Wizard came up and said that the installation was halted before the software could be installed.  Then I looked around and found a log file named after the FQDN of my machine.  The log file was located on the server where I was trying to install the software from.  I looked in the log file and it told me that I cannot upgrade my machine from Pointsec version 4/5. &lt;br /&gt;&lt;br /&gt;Well I know that I never had Pointsec for PC version 4 or 5 on my computer, so I thought this might be something buggy.  
The first thing I tried doing was modifying the precheck.txt file that is in the folder with the installation MSI.  I changed line five so that it read IgnoreOldInstallation=Yes.  I admit, this is not something I would feel comfortable with in production, but I thought I was just doing this to make my computer work.  However, another crack at the installation got me the same error.  I changed my precheck.txt back to the way it was and started looking for something else.&lt;br /&gt;&lt;br /&gt;I thought there must be something in the registry that was not properly removed after I uninstalled Full Disk Encryption.  So I searched the Registry for "Check Point" and "CheckPoint" but found nothing.  Finally I looked in the tools folder that came with the FDE software and saw a program called CPClean.exe.  In a nutshell, you use this program to forcibly remove all of the Pointsec/FDE components that are on your computer.  This is suicidal if your disk is encrypted, but mine was not.  I ran the program, rebooted and tried the installation again.  
It was successful this time.&lt;br /&gt;&lt;br /&gt;So keep in mind that if you remove Full Disk Encryption from a machine where you might wish to reinstall later, you may have to use CPClean to completely remove components and have a successful 2nd installation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-3314769570169711330?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/3314769570169711330/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=3314769570169711330' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3314769570169711330'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3314769570169711330'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/10/full-disk-encryption-cannot-install-due.html' title='Full Disk Encryption: Cannot install due to previous installation.'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-5700051504012105357</id><published>2009-09-09T12:51:00.000-07:00</published><updated>2009-09-09T13:05:56.784-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='copyright'/><category scheme='http://www.blogger.com/atom/ns#' term='DMCA'/><title type='text'>Sharp rise in copyright complaints 
from a single violation</title><content type='html'>OK, I try not to be a conspiracy theorist kind of guy, but I also have very little trust in the RIAA or the MPAA.  After all, if they had their way I would never have a backup copy of any of the music that I buy and I wouldn't be able to watch movies or listen to digital music on my linux machine.  I will admit that this is far-fetched, but I also wouldn't put it past them.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Back in November of 2008 the RIAA managed to convince the legislature and governor of Tennessee to sign into law a bill that requires Tennessee state Universities to filter file sharing traffic if they receive more than 50 DMCA complaints in a year.  You can read about it &lt;a href="http://www.techdirt.com/articles/20081118/0301472864.shtml"&gt;here&lt;/a&gt; and &lt;a href="http://www.riaa.com/newsitem.php?id=72240403-D51A-209F-142F-98DC98F7AE18"&gt;here&lt;/a&gt;.  Shockingly, around the same time that the law was getting passed, the number of DMCA complaints that my university received jumped tremendously.  For all of 2008 up to August we received 3 DMCA complaints.  Then in the fall semester (right around the time this bill was becoming law in Tennessee) we got 13.  We also got about 13 for the spring semester of 2009.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I assumed that they were stepping up the search for infringers so they could meet their 50 DMCA notices in Tennessee and also start putting pressure on other states to do the same thing.  However, they may not have been impressed with the numbers they're putting up, because now I'm starting to see an unusual number of DMCA complaints for the same infringement.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;During a period of time ranging from September 2 to September 4th a student shared a movie illegally over bittorrent.  
This week the DMCA takedown requests came in and right now I'm up to five complaints and counting for this single violation.  I wonder whether, if I were in Tennessee, I would be 10% closer to having to spend money on Internet filtering software, or whether they would decide to count this as one infraction.  My guess is that they will choose the first option.  I would normally discount this kind of behavior because I assume that a computer looks for this stuff and it isn't smart enough to know that it has reported the same file sharing activity five times.  But this is the RIAA we're talking about, and it has never happened before.  So I'm not so quick to give the benefit of the doubt.  I wonder what other universities are seeing.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-5700051504012105357?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/5700051504012105357/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=5700051504012105357' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/5700051504012105357'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/5700051504012105357'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/09/sharp-rise-in-copyright-complaints-from.html' title='Sharp rise in copyright complaints from a single violation'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-5083231379568912483</id><published>2009-09-04T13:48:00.001-07:00</published><updated>2009-09-04T13:59:17.772-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='R72'/><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><title type='text'>Time to start getting ready for R72</title><content type='html'>Did you know that Microsoft is releasing a new operating system soon?  In fact, many of us in the IT industry are already using the new operating system and it is a big improvement over Vista.  I think the word will get out soon that Windows 7 is a big improvement over Vista and we will see a lot of older machines that have XP on them get traded in for shiny new Windows 7 machines. &lt;br /&gt;&lt;br /&gt;This creates a problem for those of us in charge of putting disk encryption on these machines.  The version of Pointsec that my brothers and sisters working for the State of Minnesota are using is not compatible with Windows 7.  So we're probably going to be pushed towards using the 7.0 code line.  The official name for the product is (as of right now) Check Point Endpoint Security Full Disk Encryption R72 (CPESFDER72).  Holy crap, even the acronym is too long!&lt;br /&gt;&lt;br /&gt;R72 brings some interesting new features to the table that I'm really excited about trying out.  I have been delayed in that because there were some problems with support getting renewed.  Now I have the software and a semi-working license file and I want to get into it.  I'll keep the blog posted on what I'm having to do that is different.&lt;br /&gt;&lt;br /&gt;The most exciting new feature for me is that you can transfer log files, recovery files, and update profiles over http or https now instead of requiring a connection to a file server.  
This is really big, especially for computers that leave campus for long periods of time and users that don't jump onto VPN very much.  Now we can open up a rather safe firewall port and regain control over our remote machines.  Sweet.&lt;br /&gt;&lt;br /&gt;On the other hand, you also have to set up a license server.  So far it doesn't seem very difficult, but it seems kind of crappy to have a whole server devoted to licensing for a single product.  One irritant is that the licensing server doesn't seem to fit the needs of any of the other endpoint security products.  The one I set up wouldn't accept my license for Media Encryption with Port Protection, for example.  But I'm just starting to play with this stuff so I might be wrong.  I hope I'm wrong.  I'll keep you posted.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-5083231379568912483?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/5083231379568912483/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=5083231379568912483' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/5083231379568912483'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/5083231379568912483'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/09/time-to-start-getting-ready-for-r72.html' title='Time to start getting ready for R72'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-8638866316447199800</id><published>2009-08-25T13:15:00.000-07:00</published><updated>2009-08-25T13:24:24.931-07:00</updated><title type='text'>I should probably just embrace it</title><content type='html'>So I was looking at my video page on YouTube today and I noticed that even though I am the only source out there for free tutorials on Pointsec, and even though there are a couple of state governments that use Pointsec for their disk encrypting needs, my ukulele videos are getting more views.&lt;br /&gt;&lt;br /&gt;I can't believe there are that many people out there that love ukulele as much as I do.  So what started out as a joke has become bigger than the Pointsec videos which prompted me to create a YouTube account in the first place.  Cool, huh?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-8638866316447199800?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/8638866316447199800/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=8638866316447199800' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/8638866316447199800'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/8638866316447199800'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/08/i-should-probably-just-embrace-it.html' title='I should probably just embrace it'/><author><name>kevin 
thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-6542414072474109395</id><published>2009-07-29T09:36:00.000-07:00</published><updated>2009-07-29T09:42:23.037-07:00</updated><title type='text'>Pointsec for PC: Not working on Windows 7 yet</title><content type='html'>Just in case you haven't started your Windows 7 testing or you haven't gotten around to testing your Pointsec software on Windows 7, I thought I would tell you that it doesn't work right now.  For the record, the release notes do not say that Windows 7 is supported or working, but sometimes things work even if the release notes say they won't.  So I thought I would give it a try.  Nope.&lt;br /&gt;&lt;br /&gt;I have tested the installation of Pointsec for PC 6.3.1 HFA7 (the latest version as of July 1, 2009) on Windows 7 Ultimate build 7100.  The installer appears to work fine and even says that the installation completed successfully.  However, after the reboot the Pre-Boot Environment code is not written to the Volume Boot Record and Windows starts normally.  You will then get an error message indicating that the installation failed.&lt;br /&gt;&lt;br /&gt;I don't know when Windows 7 support will show up in Pointsec, but I would imagine that it will not come before the final release of Windows 7.  I also don't know if Check Point plans to put Windows 7 support in the Pointsec for PC 6.3 line of software or if this is going to be the software that pushes everyone onto Endpoint Security R7.x.  
I will update if I find out about any changes in Windows 7 support.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-6542414072474109395?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/6542414072474109395/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=6542414072474109395' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/6542414072474109395'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/6542414072474109395'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/07/pointsec-for-pc-not-working-on-windows.html' title='Pointsec for PC: Not working on Windows 7 yet'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-9085195339200630250</id><published>2009-07-22T09:04:00.000-07:00</published><updated>2009-07-22T10:42:18.662-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><title type='text'>Pointsec for PC: No waiting for recovery files</title><content type='html'>Here is a trick you might find useful once in a while: forcing the computer to write its recovery file now instead of later.&lt;br /&gt;&lt;br /&gt;Every once in a while I get my hands on a computer that has Pointsec installed, but is not 
encrypted.  The most common reason why a machine doesn't encrypt is that the recovery file hasn't been written.  This usually happens on computers where the user is almost never on site or the user is not logging in with their regular user account.  For whatever reason the computer might not have access to write the file.&lt;br /&gt;&lt;br /&gt;Today I got in just such a machine.  The user had too many failed logon attempts and the computer rebooted into the Pre-Boot Environment.  I got the machine, but I didn't plug it into the network because both of my network ports were in use.  So I authenticated in the Pre-Boot environment and clicked the enable WIL check box because I have set the 'Display Enable WIL' option in the system settings of my machine.  Windows booted.&lt;br /&gt;&lt;br /&gt;Remember that WIL doesn't actually get turned back on until someone logs into Windows.  Since I had never logged into this computer before, and since I wasn't connected to our wired network, I logged on with a local administrator password.  So now WIL was re-enabled, but I checked and the computer was 0% encrypted.  I looked at the local event database and saw that the process of writing the recovery file had failed.&lt;br /&gt;&lt;br /&gt;It had also failed just now when I logged in.  I wasn't connected to any network.  I wanted to get this computer fixed up quickly.  I could connect to our wireless network, but then I would still have to wait for Pointsec to take another shot at writing the recovery file.  Luckily for me there is a way to force Pointsec to write it now instead of waiting up to 30 minutes for it to happen on its own.  Navigate to C:\Program Files\Pointsec\Pointsec PC and double click on CreRec.exe.  You will see no output showing that anything happened, but the recovery file will be written.  You can go to the network share and confirm that it is written.  
I have found that the encryption process will begin about five minutes after the recovery file has been written.&lt;br /&gt;&lt;br /&gt;One thing that irritates me is that I don't see any new event written in the local event database.  But the file was written and the encryption process did begin.  So you can use this trick to jumpstart the process a bit.  I always like to wait until I see the encryption process hit 1 or 2 percent before I shut down and deliver to the customer regardless of whether I use this trick, or just let it happen naturally.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-9085195339200630250?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/9085195339200630250/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=9085195339200630250' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/9085195339200630250'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/9085195339200630250'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/07/pointsec-for-pc-no-waiting-for-recovery.html' title='Pointsec for PC: No waiting for recovery files'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-808309458399820541</id><published>2009-07-09T05:52:00.000-07:00</published><updated>2009-07-09T06:45:20.864-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><title type='text'>Sometimes a burden is worth it.</title><content type='html'>I just read this legal opinion from Voom about a recent Supreme Court decision.  &lt;a href="http://www.prweb.com/releases/Justice_Scalia/cybercrime/prweb2620114.htm"&gt;http://www.prweb.com/releases/Justice_Scalia/cybercrime/prweb2620114.htm&lt;/a&gt;  This quote sums up the article fairly well.&lt;br /&gt;&lt;blockquote&gt;In a U.S. Supreme Court ruling handed down last month in the case of Melendez-Diaz v. Massachusetts, the Court held that "certificates" of forensic findings were admitted in error. In a controversial 5 to 4 vote that reversed the judgment of the Massachusetts Appeals Court, the Supreme Court held that admission of notarized forensic analysts' reports violated the defendant's 6th Amendment right to confront witnesses against him under the Confrontation Clause. In the absence of live testimony by forensic analysts, such evidence was precluded. &lt;/blockquote&gt;The Voom analysis indicates that there is a likelihood that this decision will add an undue burden to forensic analysts around the country.  The ruling was not limited to "conventional" forensics like what you see on CSI either; it also includes digital forensics.  So it is possible that whenever a lab produces a report of its findings, an analyst may have to show up in court to defend it.  
I would like to go on record saying that I support this decision, and I think that in the long run it may work to &lt;span style="font-weight: bold;"&gt;REDUCE&lt;/span&gt; the burden on forensic workers.&lt;br /&gt;&lt;br /&gt;A while back I was commenting on whether people should sue PCI QSAs that report incorrect findings, and I said that I think that is a good thing too.  The reason is that it protects the integrity of our field.  If a QSA has subpar practices they would hopefully be sued out of business and the whole field would be better off.  If QSAs ever gained a reputation for being expensive people that you can pay to say anything, then you would have a couple of bad things happen.  First, a "race to the bottom" with other people coming in and agreeing to say anything for a little less than the last new entry in the QSA field.  Followed up quickly with PCI moving away from QSAs in favor of some other group that doesn't have a bad reputation.  So while it is burdensome for QSAs to face litigation over their decisions, it is less burdensome than going through a few years of declining profits followed by searching for a new job.&lt;br /&gt;&lt;br /&gt;Some of these principles apply in the case of digital forensic work too.  I don't think there is anyone in the digital forensics field that would argue with me when I say that the integrity of the profession and the public perception of that integrity is one of the top five most important things to the continued success of the field.  How do you gain integrity?  By withstanding scrutiny time and time again.  Now as it stands today, there isn't a great deal of competition in the digital forensics field.  It would be difficult to call up the FBI lab at Quantico, Virginia and pressure them to find evidence that supports your case with the threat that you'll take your business elsewhere.  
There aren't many other places that you can take your case, but that is quickly changing as the availability of education increases and demand continues to stay high.  If we were to bless all of our forensic professionals with the ability to write a report and not have to face cross examination then you would invite less honest people into the field, and eventually for a price you could get someone to say anything.  Finally we would reach a place where prosecutors and defendants each show up to court with their notarized certificates from the lab of their choice and both would be worthless.  Even if the prosecutor got his certificate from an honest lab, it would be cancelled out by the dishonest report issued by some other lab.  The way we deal with that now is through cross examination and if this Supreme Court decision had gone the other way we might have lost that valuable check on our field.  And before we get to that place we have people that will be sent to jail because of a report from someone that doesn't have to come to court and face cross examination.&lt;br /&gt;&lt;br /&gt;Does this decision add more work for forensics professionals?  Yes it does, but probably not as much as you might think at first glance.  Quantico deals with a million cases every year, but the vast majority of them do not make it to trial because of plea bargaining.  Most of the time, the crime lab will submit a written report and that will be presented to the defense and they will say "let's make a deal."  Sure, if even 10% of those cases go to trial you end up with 500 employees having to deal with 100,000 trials.  But I think it is less burdensome than allowing the integrity of the profession to rot and then having to deal with the consequences of that.  Also, by placing more work on our forensic professionals we will increase demand for more of them, which will lead to higher salaries and more job security.  
That is also good for the field.&lt;br /&gt;&lt;br /&gt;So maybe I'm wrong about this, but I'm not terribly upset with the Supreme Court's decision.  If you think I'm wrong, feel free to leave a comment and set me straight.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-808309458399820541?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/808309458399820541/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=808309458399820541' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/808309458399820541'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/808309458399820541'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/07/another-burden-for-forensic-analysts.html' title='Sometimes a burden is worth it.'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-3611059414131891139</id><published>2009-07-07T12:10:00.000-07:00</published><updated>2009-07-07T12:12:05.043-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><category scheme='http://www.blogger.com/atom/ns#' term='video tutorial'/><title type='text'>Pointsec Video Tutorial: Remote Help</title><content type='html'>&lt;object width="500" 
height="405"&gt;&lt;param name="movie" value="http://www.youtube.com/v/vS9FheCI8AU&amp;hl=en&amp;fs=1&amp;color1=0x234900&amp;color2=0x4e9e00&amp;border=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/vS9FheCI8AU&amp;hl=en&amp;fs=1&amp;color1=0x234900&amp;color2=0x4e9e00&amp;border=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="500" height="405"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-3611059414131891139?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/3611059414131891139/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=3611059414131891139' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3611059414131891139'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3611059414131891139'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/07/pointsec-video-tutorial-remote-help.html' title='Pointsec Video Tutorial: Remote Help'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-7793397301765383755</id><published>2009-07-02T08:45:00.000-07:00</published><updated>2009-07-02T08:57:02.171-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='encryption'/><title type='text'>Encryption as a tool to deny access to information</title><content type='html'>Yesterday I blogged about the minor break in AES and what effect this would have on encryption products like Check Point Full Disk Encryption (formerly known as Pointsec).  In short, there is no practical effect and the product is still effective at protecting your data.&lt;br /&gt;&lt;br /&gt;One of the things I talked about yesterday was that the purpose of encryption is not to protect some piece of information forever.  That would likely be impossible as our computing power grows in strength.  Eventually the process of simply trying every possible key will become cheap enough that a sufficiently old algorithm (or key length) will no longer be effective.  Instead, I said that one of the aims of encryption is to deny access to information until that information is no longer useful.&lt;br /&gt;&lt;br /&gt;A stunning example is illustrated in this article I read today from the Wall Street Journal: &lt;a href="http://online.wsj.com/article/SB124648494429082661.html"&gt;http://online.wsj.com/article/SB124648494429082661.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;To summarize, a friend of Thomas Jefferson once sent him a letter with an encrypted block of text in it.  I should point out that this friend was a professional in the field of cryptology as it existed in the early 1800's.  The really interesting thing is that the encrypted block of text, which was obviously encrypted without the aid of computers, stood up to professional examination for 206 years.  
The code was broken in 2007, but the article is from today.  So even though the cipher was eventually broken, it still served its primary purpose, which was to deny access to the plaintext until that plaintext was no longer useful to the attacker.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-7793397301765383755?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/7793397301765383755/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=7793397301765383755' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/7793397301765383755'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/7793397301765383755'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/07/encryption-as-tool-to-deny-access-to.html' title='Encryption as a tool to deny access to information'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-8904569417816909395</id><published>2009-07-01T14:07:00.000-07:00</published><updated>2009-07-02T08:56:57.251-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='AES'/><category scheme='http://www.blogger.com/atom/ns#' term='encryption'/><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><title 
type='text'>New Attack on AES, is Pointsec broken?</title><content type='html'>Like many people in the security world, I keep a close eye on Bruce Schneier's blog.  Today I was a little scared when I read about a new attack on AES that has theoretically broken the cipher.  You can read Schneier's comments on it here: &lt;a href="http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html"&gt;http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The reason that this freaked me out at first is that AES is the default encryption algorithm used by Check Point Full Disk Encryption (formerly known as Pointsec).  Much of my personal data is protected by Check Point FDE and I don't want to see it exposed.  The good news is that while this may fit the dictionary definition of a break, it is far from the end of the world.&lt;br /&gt;&lt;br /&gt;The freakout comes from the difference between what a cryptologist calls a broken algorithm and what a broken algorithm means to a typical person on the street.  When you tell me that AES is broken, I think that it has been made completely worthless (or nearly worthless, as is the case with DES).  However, cryptologists have a much different definition.  For them, a break means that someone found a way to recover the key or the plaintext with less work than simply trying every possible key.  In this case the attack is a related-key attack on AES-256: it brings the work down from the 2 to the 256th power of a brute-force search to about 2 to the 119th power, and an improved version gets it to about 2 to the 110th power.  A related-key attack also requires the attacker to obtain encryptions under several keys that are related to yours in a chosen way, which is not a position a full disk encryption product ever puts its key in. &lt;br /&gt;&lt;br /&gt;So basically, AES is still very much alive and kicking.  It is very unlikely that anyone is going to be able to carry out 2 to the 110th power operations and still derive value from your data.  This is one of the points that I try to stress in my Full Disk Encryption classes, though.  No encryption algorithm is perfect and able to remain eternally unbreakable.  
The power of encryption is to deny access to information for such a long period of time that the information is no longer valuable.  For example, it is worthless for the enemy to learn about tomorrow's battle plan 35 years from now.  The flip side of that coin is that if someone could theoretically gather enough computing resources to break your encryption in a short amount of time (say one week, for example) the cost would exceed the value of the information.  In other words, I would not spend tens of billions of dollars to break your encryption so that I could get your credit card number that has a limit of $5,000.&lt;br /&gt;&lt;br /&gt;So is Check Point Full Disk Encryption broken?  Well, maybe in a theoretical sense, but absolutely not in a practical sense.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-8904569417816909395?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/8904569417816909395/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=8904569417816909395' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/8904569417816909395'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/8904569417816909395'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/07/new-attack-on-aes-is-pointsec-broken.html' title='New Attack on AES, is Pointsec broken?'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-5466970813090919876</id><published>2009-06-19T09:04:00.000-07:00</published><updated>2009-06-19T09:29:09.290-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='diversion'/><title type='text'>Friday Diversion: What's the deal with Jammie Thomas?</title><content type='html'>I am embarrassed to say that I live in the state where a jury decided that Jammie Thomas should pay the RIAA $1.9 million for sharing 24 songs on the Internet. &lt;br /&gt;&lt;br /&gt;Putting that in perspective, the jury has awarded $80,000 in damages per song. &lt;br /&gt;&lt;br /&gt;According to Wikipedia, there were 5 billion songs shared on the Internet in 2006.  If we accept that the jury's verdict is fair, that means that the record companies lost out on $400 trillion.  $400,000,000,000,000.00.  The current Gross Domestic Product of the United States is about $14 trillion.  The gross domestic product of the world is about $60 trillion.&lt;br /&gt;&lt;br /&gt;The median household income in the United States in 2007 was about $50,000.  If Jammie Thomas earns that, she would have to give all of her earnings (pre-tax) to the RIAA for the next 37.8 years.  This is assuming there is no interest applied to the unpaid balance.  
At 3% interest, her salary will never cover the interest earned in a year.&lt;br /&gt;&lt;br /&gt;If a typical CD costs $12 then you can purchase 158,333 CDs with this award.&lt;br /&gt;&lt;br /&gt;Based on a sample size calculator, we can be 95% certain that at least 93.37% of the residents in Hennepin County are absolutely ridiculous.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-5466970813090919876?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/5466970813090919876/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=5466970813090919876' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/5466970813090919876'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/5466970813090919876'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/06/friday-diversion-whats-deal-with-jammie.html' title='Friday Diversion: What&apos;s the deal with Jammie Thomas?'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-8291097049413777636</id><published>2009-06-17T12:30:00.000-07:00</published><updated>2009-06-17T12:56:43.678-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Application Layer Firewall'/><category 
scheme='http://www.blogger.com/atom/ns#' term='openbsd'/><title type='text'>Open Source Application Layer Firewall part 5</title><content type='html'>&lt;div&gt;Continuing with our discussion of setting up a home-grown application layer firewall.  So far we have set up an insecure application that needs protection.  Then we configured our server to act as a router.  Then we set up stateful packet inspection using PF, and turned it into a proxy firewall using Apache.  Now I'd like to talk about how you can really look deep into the application traffic to stop unauthorized activity at a much higher level than what is possible with a stateful inspection firewall.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;Now that we have a proxy firewall, we want to set up Apache mod_security to look deep into our HTTP requests and identify malicious traffic.  We're going to use packages to install mod_security, so the first thing we should do is set up our package path.  I'm going to use the main OpenBSD distribution site for this, but you should probably choose a mirror that is closer to you.  First we want to set up the environment variable:&lt;br /&gt;&lt;pre&gt;# export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.4/packages/i386&lt;/pre&gt;&lt;br /&gt;You can also add this to your .profile file so that it is set every time you log in.  &lt;pre&gt;&lt;br /&gt;PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.4/packages/i386&lt;br /&gt;export PKG_PATH&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;Now we can search the package list for mod_security. 
&lt;pre&gt;&lt;br /&gt;# pkg_info -Q modsecurity&lt;br /&gt;modsecurity-apache-1.9.3p2 &lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;And then install it:&lt;br /&gt;&lt;pre&gt;&lt;br /&gt;# pkg_add modsecurity-apache-1.9.3p2&lt;br /&gt;modsecurity-apache-1.9.3p2: complete                                   &lt;br /&gt;--- modsecurity-apache-1.9.3p2 -------------------&lt;br /&gt;To finish the install of modsecurity-apache-1.9.3p2, you need&lt;br /&gt;to enable the module using the following command&lt;br /&gt;&lt;br /&gt;/usr/local/sbin/mod_security-enable&lt;br /&gt;&lt;br /&gt;The manual is found at /usr/local/share/doc/mod_security.&lt;br /&gt;&lt;br /&gt;If you already have Apache running on your machine,&lt;br /&gt;you should not use "apachectl restart" - instead,&lt;br /&gt;you should fully stop and then start the server.&lt;br /&gt;#&lt;br /&gt;# /usr/local/sbin/mod_security-enable                                    &lt;br /&gt;Enabling  module...&lt;br /&gt;[activating module `security' in /var/www/conf/httpd.conf]&lt;br /&gt;cp /usr/local/lib/mod_security.so /usr/lib/apache/modules/mod_security.so&lt;br /&gt;chmod 755 /usr/lib/apache/modules/mod_security.so&lt;br /&gt;cp /var/www/conf/httpd.conf /var/www/conf/httpd.conf.bak&lt;br /&gt;cp /var/www/conf/httpd.conf.new /var/www/conf/httpd.conf&lt;br /&gt;rm /var/www/conf/httpd.conf.new&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;Let's follow the directions and shut down the httpd server:&lt;br /&gt;&lt;pre&gt;# apachectl stop&lt;br /&gt;/usr/sbin/apachectl stop: httpd stopped&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;Now take a moment to examine our httpd.conf file.  
You will notice that one line has been added to the configuration by the mod_security-enable script (diff shows it with a leading "&lt;" because it is present in httpd.conf and absent from the backup):&lt;br /&gt;&lt;pre&gt;# diff httpd.conf httpd.conf.bak&lt;br /&gt;274d273&lt;br /&gt;&lt; LoadModule security_module    /usr/lib/apache/modules/mod_security.so&lt;br /&gt;# &lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;Now that we have mod_security set up in Apache, let's do something with it.  I'm going to put together a basic set of options, and put in one single filter that will block any requests going to my server that have the word "kevin" in them.  Open up /var/www/conf/httpd.conf and enter this into one of the VirtualHosts that we created earlier.&lt;br /&gt;&lt;pre&gt; SecFilterEngine on&lt;br /&gt;   SecFilterCheckURLEncoding On&lt;br /&gt;   SecFilterScanPOST On&lt;br /&gt;   SecAuditEngine On&lt;br /&gt;   SecAuditLog /var/www/logs/audit_security.log&lt;br /&gt;   SecFilterDefaultAction "deny,log,status:500"&lt;br /&gt;   SecFilter "kevin" &lt;/pre&gt;&lt;br /&gt;The indenting is not necessary, but it makes it look good and helps to identify all of the mod_security related stuff in this virtual host.  You can also put configuration directives like this in the global configuration rather than within a single VirtualHost.  However, if you're going to have multiple servers behind this firewall, you may find that you need different rules for each one, so I'm going to do it this way.  Start httpd again (apachectl start; remember that the package notes above warn against apachectl restart when the module has just been added) to make the changes take effect.&lt;br /&gt;&lt;br /&gt;Now let's test it.  I'm going to go to my web application and enter the following:&lt;br /&gt;Firstname: Shamus&lt;br /&gt;Lastname: McFinnigan&lt;br /&gt;Card: some number&lt;br /&gt;I hit submit and the application works as expected.  Then I tried the same thing but with the first name kevin instead.  Mod_security blocked the request, and gave me an HTTP 500 error.  Mod_security is working.  Congratulations, you now have a firewall that is doing layer 7 inspection of your traffic before it hits the server.  
You have an application layer firewall.&lt;br /&gt;&lt;br /&gt;The rule set that we've built in here doesn't really do much for us, unless we want to discriminate against the Kevins of the world.  But what if we were using this to protect some appliance and we didn't know whether or not the coders had put proper input validation into their form fields?  Well, one thing we could do is use our proxy server to look at the requests that go by and find out what variable names are in use, and then write filter rules.  For example, I know that my crappy application should only accept first and last names that are alphabetical characters and no more than 12 characters in length.  I also know that credit card numbers should only contain digits and dashes, in the form of four groups of four digits separated by dashes.  So I can take out my SecFilter kevin line and replace it with this:&lt;br /&gt;&lt;pre&gt;SecFilterSelective "ARG_Fname" !^([A-Z]|[a-z]){1,12}$&lt;br /&gt;SecFilterSelective "ARG_Lname" !^([A-Z]|[a-z]){1,12}$&lt;br /&gt;SecFilterSelective "ARG_Ccard" !^([0-9]{4}-){3}[0-9]{4}$&lt;/pre&gt;&lt;br /&gt;So for the first name variable we're going to deny anything that does not match our regular expression (!).  The regular expression indicates that we want to start with the first character of the variable (^) and that it should be an uppercase or lowercase letter ([A-Z]|[a-z], which could equally be written [A-Za-z]).  That should occur at least one time but no more than 12 times {1,12}, and then there should be nothing else ($).  Note that these rules are an allowlist: anything the pattern does not explicitly permit is denied, which is a much stronger position than trying to enumerate bad input.&lt;br /&gt;&lt;br /&gt;So now, regardless of how crappy the application behind the firewall is, it is protected pretty well.  Sure, it's not going to be bullet proof, but adding in this kind of input validation will add a lot of strength to your application security.  Try doing this with a Cisco ASA box.&lt;br /&gt;&lt;br /&gt;Check out the rules at http://www.gotroot.com/downloads/ftp/mod_security/rules.conf for more ways to strengthen your box.  
I suggest adding the gotroot rules one at a time and making sure that your Apache process doesn't crap out, rather than putting in the whole wad.  Also, if making up your own rules seems difficult, try out this online rule creator!  &lt;a href="http://jcksn.com/tools/modsecurity/"&gt;http://jcksn.com/tools/modsecurity/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;What about the core rule set?&lt;/span&gt;&lt;br /&gt;Yeah, that would be pretty cool, wouldn't it?  Well it's not going to happen anytime soon, at least not the way I've set things up here.  One of the things I've tried to do in this setup is leverage the work of other people that are smarter than me to make a good firewall.  One of the big points is using the chrooted Apache software that comes with OpenBSD.  In order to use the mod_security core rule set, you have to be running Apache2.  The core rule set depends on a newer version of mod_security, and that version depends on Apache2.  Installing Apache2 on OpenBSD is pretty easy, but it isn't chrooted, which means you have to do all that work yourself.  
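&lt;br /&gt;&lt;br /&gt;To see what those three rules actually accept and reject, here is an added example in Python.  It is not part of the original post and is not code from mod_security; it reimplements the three SecFilterSelective patterns as an allowlist and runs them over a handful of constructed requests (the card number is the standard 4111 test number).  It also covers two things the post does not: the difference between a pattern anchored with $, which both PCRE and Python's re will satisfy just before a single trailing newline, and one that must match the whole value (end the mod_security pattern with \z rather than $ for that), and an optional policy that denies any parameter the rules don't know about.  Whether the 1.9 package compiles its patterns with PCRE_DOLLAR_ENDONLY is an assumption to test against your own install, not something the post states.&lt;br /&gt;

```python
import re

# Allowlist patterns copied from the three SecFilterSelective rules above.
# In mod_security 1.x the leading "!" on the rule means "deny unless the
# value matches", so a match here is an allow.
RULES = {
    "Fname": r"^([A-Z]|[a-z]){1,12}$",
    "Lname": r"^([A-Z]|[a-z]){1,12}$",
    "Ccard": r"^([0-9]{4}-){3}[0-9]{4}$",
}


def pcre_style_match(pattern, value):
    """A '$'-anchored search the way PCRE and Python's re treat it by
    default: '$' is also satisfied just before one trailing newline, so
    'Shamus\\n' passes a pattern ending in '$'.  Assumption: the 1.9 build
    behaves like this; the post does not say."""
    return re.search(pattern, value) is not None


def strict_match(pattern, value):
    """Require the whole value to match, newline included.  re.fullmatch
    rejects 'Shamus\\n' for the same pattern; the mod_security equivalent
    is to end the pattern with \\z instead of '$'."""
    return re.fullmatch(pattern, value) is not None


def check_request(args, rules=RULES, strict=True, reject_unknown=False):
    """Return (decision, reason) for one request's decoded form arguments.

    args maps parameter name to value.  reject_unknown goes beyond the
    post: a parameter with no rule becomes a violation instead of being
    ignored, which closes the gap of an attacker adding parameters the
    rule writer never looked at.
    """
    matcher = strict_match if strict else pcre_style_match
    for name, pattern in rules.items():
        if name not in args:
            continue
        if not matcher(pattern, args[name]):
            return ("deny", "ARG_%s failed %s" % (name, pattern))
    if reject_unknown:
        unknown = sorted(set(args) - set(rules))
        if unknown:
            return ("deny", "unexpected parameters: %s" % ", ".join(unknown))
    return ("allow", "all arguments matched")


# Constructed sample requests (not captured traffic).
CARD = "4111-1111-1111-1111"
SAMPLE_REQUESTS = {
    "clean": {"Fname": "Shamus", "Lname": "McFinnigan", "Ccard": CARD},
    "injection": {"Fname": "Shamus' OR 1=1--", "Lname": "McFinnigan", "Ccard": CARD},
    "no_dashes": {"Fname": "Shamus", "Lname": "McFinnigan", "Ccard": "4111111111111111"},
    "trailing_newline": {"Fname": "Shamus\n", "Lname": "McFinnigan", "Ccard": CARD},
    "extra_param": {"Fname": "Shamus", "Lname": "McFinnigan", "Ccard": CARD, "debug": "1"},
}


def run_samples(strict=True, reject_unknown=False):
    """Evaluate every sample request and return {label: decision}."""
    return {label: check_request(args, RULES, strict, reject_unknown)[0]
            for label, args in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for strict, reject_unknown in ((False, False), (True, False), (True, True)):
        print("strict=%s reject_unknown=%s" % (strict, reject_unknown),
              run_samples(strict, reject_unknown))
```

Run it and compare the three lines: the lax '$' mode lets "Shamus" followed by a newline through while the strict mode denies it, and only the last mode notices the extra debug parameter.  A request whose first name is plain kevin is allowed in every mode, because the selective rules replaced the SecFilter "kevin" line rather than adding to it.&lt;br /&gt;&lt;br /&gt;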
I'd like to start working on another version of this that uses a chrooted Apache2, but first I need to figure out how to do that and keep it secure.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-8291097049413777636?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/8291097049413777636/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=8291097049413777636' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/8291097049413777636'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/8291097049413777636'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/06/open-source-application-layer-firewall_17.html' title='Open Source Application Layer Firewall part 5'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-4381093390494291508</id><published>2009-06-05T13:40:00.000-07:00</published><updated>2009-06-05T13:48:54.456-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='diversion'/><title type='text'>Friday Diversion: here be chunks</title><content type='html'>&lt;div&gt;&lt;span class="Apple-style-span" style="font-weight: bold;"&gt;Quick note&lt;/span&gt;: I had nothing to do with this.  
I'm just reporting on it.&lt;/div&gt;There is a reason why I love working at a University, and why I feel that the one I work for is the finest educational institution in the Midwest.  The answer is the people.  I want to share something odd I found today on campus.&lt;br /&gt;&lt;br /&gt;I had just gone to the restroom and I was walking back along a different route than I had taken to get to the restroom.  Along the way, I encountered a group of chairs in the library in an unusual place with a piece of paper on the floor between them.  Here is a photo of the chairs:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_7Avz7RosatI/SimDe8eOllI/AAAAAAAAAMA/ppNDEpCcPFw/s1600-h/SSPX0125.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 200px; height: 150px;" src="http://1.bp.blogspot.com/_7Avz7RosatI/SimDe8eOllI/AAAAAAAAAMA/ppNDEpCcPFw/s200/SSPX0125.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5343947000504030802" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As I leaned in to examine the piece of paper, the unmistakable smell of vomit struck me in the nose.  Then I was able to read the piece of paper.  Here is a photo:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_7Avz7RosatI/SimDuVrQpeI/AAAAAAAAAMI/hYfzV5dWhw4/s1600-h/SSPX0126.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 200px; height: 150px;" src="http://1.bp.blogspot.com/_7Avz7RosatI/SimDuVrQpeI/AAAAAAAAAMI/hYfzV5dWhw4/s200/SSPX0126.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5343947264967615970" /&gt;&lt;/a&gt;The text reads: "Dar, here be chunks."  Notice the marks where some unidentified fluid has started to seep through the page.  From what I can surmise, someone vomited in the library.  
Then, instead of cleaning it up, this person arranged chairs around the vomit to warn others not to step there.  Then this person took the time to color print a warning page in pirate speak complete with old english font and pirate logo to place on top of the vomit.  &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Only in my work place.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-4381093390494291508?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/4381093390494291508/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=4381093390494291508' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4381093390494291508'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4381093390494291508'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/06/friday-diversion-here-be-chunks.html' title='Friday Diversion: here be chunks'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_7Avz7RosatI/SimDe8eOllI/AAAAAAAAAMA/ppNDEpCcPFw/s72-c/SSPX0125.jpg' height='72' 
width='72'/><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-57921498840955949</id><published>2009-06-05T08:36:00.000-07:00</published><updated>2009-06-05T08:52:37.700-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SCCM'/><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><title type='text'>Pointsec for PC: Failed to load osdgina.dll</title><content type='html'>I ran into a problem today that I hadn't seen yet and I'd like to share it with you.  I was asked to uninstall Pointsec from a laptop that had been encrypted when it wasn't supposed to be.  Obviously this is a rare occurrence, but it was proper so I went ahead and removed Pointsec.  After the reboot, I couldn't log into Windows.  Instead of the normal log in screen, I had an error message.&lt;br /&gt;&lt;br /&gt;&lt;pre&gt;&lt;blockquote&gt;The logon user interface DLL osdgina.dll failed to load.&lt;br /&gt;Contact your system administrator to replace the DLL &lt;br /&gt;or restore the original dll.&lt;/blockquote&gt;&lt;/pre&gt;&lt;br /&gt;OK, this was a new one for me.  I started by doing some digging on what osdgina.dll is.  As soon as I knew what osdgina.dll is, I knew what the problem was.  We use Microsoft System Center Configuration Manager (SCCM, formerly SMS) to image our workstations, and Pointsec is installed as part of the imaging process.  When a computer is being imaged by SCCM, the normal GINA (msgina.dll) is replaced with osdgina.dll.  In this case, OSD stands for Operating System Deployment.  The osdgina.dll makes it so that the computer can boot up and finish the imaging tasks without having users on the system.  You could think of it like single user mode in UNIX.  When Pointsec installs, it first backs up the registry setting for the current GINA, which is normally msgina.dll, but since it is in the OSD environment, the value is osdgina.dll.  Then Pointsec installs and changes the active GINA to pssogina.dll.  
&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Everything works fine and life goes on.  But when I uninstalled Pointsec from this machine, the uninstaller removed pssogina.dll and restored the backed-up registry entry, which pointed to osdgina.dll (no longer present on the machine).  When the computer rebooted it looked for osdgina.dll and couldn't find it, thus the error message.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-weight: bold;"&gt;The Fix:&lt;/span&gt;&lt;/div&gt;&lt;div&gt;Now that I knew what the problem was, I knew how to fix it.  I took out my trusty BartPE disk and booted the computer using that.  Once I was in the Bart environment, I fired up regedit.exe.  When regedit comes up, you're looking at the registry for the Bart environment, not the registry on the hard drive.  To edit the hard drive's registry, you have to load a hive and point it at the registry file on the hard drive.  The registry entry for the GINA is in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.  So in regedit, I selected the HKEY_USERS folder and clicked File -&gt; Load Hive.  Then I pointed regedit to the file c:\windows\system32\config\software.  That file is the HKLM\Software tree of the registry.  It asked me to give that a name, and of course I chose BlackFist.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;So then I navigated to HKEY_USERS\BlackFist\Microsoft\Windows NT\CurrentVersion\Winlogon and sure enough, the value of the GinaDLL entry was osdgina.dll.  I changed this back to msgina.dll and rebooted.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Success.  If you are about to uninstall Pointsec from a machine that was imaged this way, check the GinaDLL value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon right after the uninstall and before the reboot; if it says osdgina.dll, set it back to msgina.dll then and save yourself the BartPE trip.  I hope this helps if there is anyone else out there that is using System Center Configuration Manager to image their computers and install Pointsec.  
I know that I can't be the only one.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-57921498840955949?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/57921498840955949/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=57921498840955949' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/57921498840955949'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/57921498840955949'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/06/pointsec-for-pc-failed-to-load.html' title='Pointsec for PC: Failed to load osdgina.dll'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-5330361551064503650</id><published>2009-06-03T19:03:00.001-07:00</published><updated>2009-06-03T19:05:33.353-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><category scheme='http://www.blogger.com/atom/ns#' term='video tutorial'/><title type='text'>Pointsec Video Tutorial: Creating an installation profile</title><content type='html'>In today's video, I'll show you how to create an installation profile based on the local computer's settings.&lt;br /&gt;&lt;object width="600" height="525"&gt;&lt;param name="movie" 
value="http://www.youtube.com/v/nsIynnheMDc&amp;hl=en&amp;fs=1&amp;color1=0x234900&amp;color2=0x4e9e00"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/nsIynnheMDc&amp;hl=en&amp;fs=1&amp;color1=0x234900&amp;color2=0x4e9e00" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="600" height="525"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-5330361551064503650?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/5330361551064503650/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=5330361551064503650' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/5330361551064503650'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/5330361551064503650'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/06/pointsec-video-tutorial-creating.html' title='Pointsec Video Tutorial: Creating an installation profile'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-3786910138095944718</id><published>2009-06-03T14:24:00.001-07:00</published><updated>2009-06-03T20:34:42.546-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='auditing'/><title type='text'>Is Suing a QSA the right thing to do?</title><content type='html'>I just got done reading a blog entry over at Preachsecurity about Merrick Bank suing the PCI QSA that found CardSystems Solutions to be PCI compliant before they were hacked. The QSA in question here is Savvis.  You can read the entry here if you want more background: &lt;a href="http://preachsecurity.blogspot.com/2009/06/dangerous-times-for-pci-regulations.html"&gt;http://preachsecurity.blogspot.com/2009/06/dangerous-times-for-pci-regulations.html&lt;/a&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The question raised by the blog entry is whether or not QSAs should be open to lawsuits when they miss material findings that result in breaches down the road.  The author concludes that he isn't sure how he feels on the topic, so I decided to write this up and share my opinion even though he didn't ask for it.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I have decided, based on the little information that I have, that QSAs should be open to lawsuits when they miss material findings.  The main reason for this is based on the accounting profession and the auditing of financial statements.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In a nutshell, I believe that IT auditors need to develop the same reputation for honesty and integrity as financial auditors once held.  In order to achieve that reputation it is important that auditors be held to extremely high standards, and that includes taking the heat when they miss material findings about a client's security posture.
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Opening up QSAs for litigation will force them to be more diligent in their search for material findings so that they will face fewer lawsuits.  That will benefit everyone that depends on their audit reports, and it will benefit the customers of companies that are being audited.  In time, QSAs that have poor processes will be sued out of business and we'll be left with companies that will gain a reputation for being thorough and accountable for their findings.  Arthur Andersen, the auditor that signed off on Enron's books, is currently facing over 100 civil suits and the damage to their reputation is so bad that they basically have no business.  That was a good thing!  We need to make sure that kind of accountability is present in IT auditing as well.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;If, on the other hand, we decide to let the auditors get off when they miss material findings, then I feel it is less likely that we will ever have great faith in IT auditors.  IT auditors will never have anything to lose if they miss something.  They may even be more willing to write a more favorable report in exchange for some bribe, such as consulting income in the future. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;So that, in a nutshell, is my argument in favor of suing Savvis.  I will agree that CardSystems Solutions should probably also be sued, but that doesn't really do anything for Savvis.  I feel bad throwing other IT people under the bus, but this is the kind of blood that will have to be shed for IT auditors to establish a bulletproof reputation.&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;EDIT:&lt;/span&gt; One thing I would like to add is that I think the damages awarded when a QSA is sued should not be so excessive that a single incident would put that QSA out of business.  Everyone screws up sometime.
I would like to see the awards at a level where QSAs that have real problems would not be able to pay the damages being awarded for multiple suits and would go out of business.  Only in cases where there is great deception (like Arthur Andersen) should the damages from a single incident drive a QSA out of business.&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-3786910138095944718?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/3786910138095944718/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=3786910138095944718' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3786910138095944718'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3786910138095944718'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/06/is-suing-qsa-right-thing-to-do.html' title='Is Suing a QSA the right thing to do?'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-2717332014583569935</id><published>2009-06-02T11:22:00.000-07:00</published><updated>2009-06-02T21:21:54.562-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Application Layer Firewall'/>
<category scheme='http://www.blogger.com/atom/ns#' term='openbsd'/><title type='text'>Open Source Application Layer Firewall part 4</title><content type='html'>Picking up where we left off on this whole firewall thing, let's get into the Apache config.  In part 1 we talked about why we need an application layer firewall and how it is more secure than a stateful inspection firewall.  In part 2 we set up our server that needs protecting, and in part 3 we created a basic stateful inspection firewall to protect our application.  The stateful firewall isn't allowing any traffic into our server though.  Now we're going to open a hole to the server that needs protecting and use the proxy services built into OpenBSD to create a proxy firewall.&lt;br /&gt;&lt;br /&gt;One of the most beautiful things about using OpenBSD for our firewall OS is that it comes already set up with Apache in a chroot jail.  That means that if an attacker were somehow able to compromise the httpd process, that person will not own the whole firewall.  It can be very difficult to set up Apache in a chroot jail, and it can be difficult to work with Apache once it is in the chroot jail.  The good news is that OpenBSD has done a lot of the work for us.&lt;br /&gt;&lt;br /&gt;The first thing we need to do is set up our SSL keys for this server.  I'm going to follow the same instructions I did in part 2 to create a self-signed SSL certificate, and I'm going to name the certificate after the public IP address that I want clients to connect to.&lt;br /&gt;&lt;br /&gt;Now we have to edit the configuration file for our chrooted Apache installation, which is in /var/www/conf/httpd.conf.  The file is broken into several sections:&lt;br /&gt;Section 1 - Global environment.&lt;br /&gt;Uncomment line 273: LoadModule proxy_module /usr/lib/apache/modules/libproxy.so&lt;br /&gt;Section 2 - Main Server Configuration&lt;br /&gt;Comment out line 310: #Port 80&lt;br /&gt;&lt;br /&gt;The first change loads mod_proxy, which the proxy directives below depend on.
I commented out line 310 because we're going to use listen statements later in the configuration file to control which ports the servers are running on.  Most of the work is going to happen in section 3, Virtual Hosts.&lt;br /&gt;Section 3 - Virtual Hosts&lt;br /&gt;At the start of this section there are some comments.  Immediately after those comments I put in the two virtual hosts that I want to set up on this box.  One will accept unencrypted communication on port 80 and proxy it to our server.  The configuration for that looks like this:&lt;br /&gt;&lt;pre&gt;&amp;lt;VirtualHost 111.11.11.111:80&amp;gt;&lt;br /&gt;   ProxyRequests off&lt;br /&gt;   ProxyPass / http://192.168.1.10/&lt;br /&gt;   ProxyPassReverse / http://192.168.1.10/&lt;br /&gt;&amp;lt;/VirtualHost&amp;gt;&lt;/pre&gt;&lt;br /&gt;ProxyRequests off matters here: it disables forward proxying, so nobody can use the firewall as an open proxy, while ProxyPass and ProxyPassReverse still reverse-proxy requests to the back-end server.&lt;br /&gt;&lt;br /&gt;The second virtual host listens on port 443 and proxies traffic to the same server on an encrypted channel:&lt;br /&gt;&lt;pre&gt;&amp;lt;VirtualHost 111.11.11.111:443&amp;gt;&lt;br /&gt;   SSLEngine on&lt;br /&gt;   SSLCertificateFile /etc/ssl/111.11.11.111.crt&lt;br /&gt;   SSLCertificateKeyFile /etc/ssl/private/111.11.11.111.key&lt;br /&gt;   ProxyRequests off&lt;br /&gt;   ProxyPass / https://192.168.1.10/&lt;br /&gt;   ProxyPassReverse / https://192.168.1.10/&lt;br /&gt;&amp;lt;/VirtualHost&amp;gt;&lt;/pre&gt;After I put those lines in, I deleted everything in the section on SSL Virtual Host Context (which started on line 1013), but kept the SSL Global Context section (which started on line 954).&lt;br /&gt;&lt;br /&gt;The SSL Global Context, and the stuff in Sections 1 and 2, give us pretty safe configuration templates for our server to run with.  Then we removed the default virtual hosts that come in the file (the ones that listen on all IP addresses) and replaced them with two specific virtual hosts.  Each one listens on a specific port on a specific IP address.
That way if you need to have services for more than one back-end server, you can easily cut and paste the configuration that you have for this one.  Now let's test and see if our configuration file passes the smell test.&lt;br /&gt;# apachectl configtest&lt;br /&gt;&lt;br /&gt;If we don't get any errors, then we can start up our httpd server with SSL support.  It's pretty easy to do.&lt;br /&gt;# apachectl startssl (or you can use # httpd -DSSL)&lt;br /&gt;&lt;br /&gt;Now if that started properly, we should set up our server so that it will start up every time it boots up.  Go ahead and edit /etc/rc.conf and change the line that reads httpd_flags=NO to read httpd_flags="-DSSL"&lt;br /&gt;&lt;br /&gt;It isn't quite working yet, though.  Sure, we have a listening process on ports 80 and 443 that will forward traffic to our back-end server, but we're getting blocked at layers 3 and 4.  We need to open up this traffic in pf.  So add this to the bottom of your /etc/pf.conf file:&lt;br /&gt;&lt;pre&gt;&lt;br /&gt;# These rules allow http(s) in to our server&lt;br /&gt;pass in log on $ext_if proto tcp from any to 111.11.11.111 port 80&lt;br /&gt;pass in log on $ext_if proto tcp from any to 111.11.11.111 port 443 &lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;Then reset your pf rules with this:&lt;br /&gt;# pfctl -F rules -f /etc/pf.conf&lt;br /&gt;&lt;br /&gt;Now direct your browser to the external address that you're listening on and see if you get the web page being served up by your back-end server.
If so, then congratulations, you now have a Proxy Firewall.&lt;br /&gt;&lt;br /&gt;In the next entry we'll talk about mod_security and how you can turn your proxy firewall into an honest to goodness Application Layer Firewall.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-2717332014583569935?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/2717332014583569935/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=2717332014583569935' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/2717332014583569935'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/2717332014583569935'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/06/open-source-application-layer-firewall.html' title='Open Source Application Layer Firewall part 4'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-1252409372789147113</id><published>2009-05-26T13:21:00.001-07:00</published><updated>2009-05-29T06:25:00.521-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='snort'/><category scheme='http://www.blogger.com/atom/ns#' term='data loss prevention'/><title type='text'>Thwarting phishing on the cheap</title><content type='html'>If you've been 
following my blog then you know that phishing has been a real problem at my organization.  Users are falling for phishing messages no matter how poorly written they are and we've suffered way too many intrusions because of it.  Even though I fear that it is largely impractical, I feel like I have to do something to stem the tide.  Since this is unquestionably the largest source of intrusions into our network, even an inefficient method of catching these might be better than nothing.&lt;br /&gt;&lt;br /&gt;So the first question is: how can I prevent the phishing messages from getting to my users?  That would be the most effective way to combat this.  But we've got two Barracuda Spam firewalls already working on this problem.  It is unlikely that I'm going to do a better job of blocking the phish messages on the way in.  So I decided to focus on messages on the way out.&lt;br /&gt;&lt;br /&gt;Here is what I'm trying out right now.  This is far from a perfect solution and it is also not the finished product.  This is my first toe in the water, using Snort to try to detect the responses to phishing messages.&lt;br /&gt;&lt;br /&gt;First, I made a new ruletype called phishinghole.  This is in my /etc/snort/snort.conf file.&lt;br /&gt;&lt;pre&gt;&lt;blockquote&gt;&lt;br /&gt;ruletype phishinghole&lt;br /&gt;# The phishinghole rule type gathers up any alerts that could&lt;br /&gt;# be responses to phishing messages and keeps the tcpdumps&lt;br /&gt;# in one easy-to-read file&lt;br /&gt;{&lt;br /&gt;  type alert&lt;br /&gt;  output alert_full: alert&lt;br /&gt;  output alert_syslog: LOG_LOCAL4 LOG_ALERT&lt;br /&gt;  output log_tcpdump: phishinghole.pcap&lt;br /&gt;}&lt;br /&gt;&lt;/blockquote&gt;&lt;/pre&gt;&lt;br /&gt;So when I write up a rule that uses this alert type, an event will be written to the normal alert file, it will also go to our syslog servers, and the packet itself will be written to a file called phishinghole.pcap.
That way, when I want to inspect today's catch, I don't have to go through a huge packet capture file looking for just the packets that interest me.&lt;br /&gt;&lt;br /&gt;I also want to be able to classify these events properly, so I added this one line to my classification.config file:&lt;br /&gt;&lt;pre&gt;&lt;blockquote&gt;config classification: phishing-response,Possible Response to phishing message,5&lt;/blockquote&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Next up, I need to write some rules.  I'm going to look for any traffic coming from my network and going to some other network on port 25.  That's email.  I'm going to use my new phishinghole ruletype, and I want to log the message that this might be the response to a phishing email:&lt;br /&gt;&lt;pre&gt;&lt;blockquote&gt;phishinghole tcp $HOME_NET any -&gt; !$HOME_NET 25 (msg:"Possible Phishing Response";&lt;/blockquote&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;Next we need to define the content that we're going to look for.  When I first started doing this, I came up with three regular expressions to look for possible permutations of password, username, and email.  However, I decided that I didn't want to take the performance hit of running three regular expression searches against every single packet that leaves the organization.  I decided instead to look for the word password and if that matches, then run the other two regular expressions.  That should trim down the number of packets I have to look at.&lt;br /&gt;&lt;pre&gt;&lt;blockquote&gt;content:"password"; nocase;&lt;/blockquote&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;Now the magic is in the regular expressions.  This is the Perl Compatible Regular Expression I'm using to search for username.  This will match regardless of case and whether the word is broken in two with a space or a dash "user name" or "user-name" or "User Name" etc.  
The second regular expression looks for the word email in a similar fashion.&lt;br /&gt;&lt;pre&gt;&lt;blockquote&gt;pcre:"/user[\-\s]?name/i"; pcre:"/e?[\-\s]?mail/i";&lt;/blockquote&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;I still need to review these messages manually to see if someone really did respond to a phishing message or just told the guy to go to hell.  So I want to gather a few extra packets to get as much context as reasonably possible.  This next part of the rule tells snort to record three additional packets in the conversation.&lt;br /&gt;&lt;pre&gt;&lt;blockquote&gt;tag:session,3,packets;&lt;/blockquote&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;I also want to make sure my rules are classified properly.  I want these events to bubble up to the top of my priority stack, so I put this into the rule:&lt;br /&gt;&lt;pre&gt;&lt;blockquote&gt;classtype:phishing-response;&lt;/blockquote&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;and I ended the rule with a sid (today's date and a revision number)&lt;br /&gt;&lt;pre&gt;&lt;blockquote&gt;sid:20090525; rev:1;)&lt;/blockquote&gt;&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;I repeated the process for three more reasonable permutations of the word password.  I figure that a phisher can't get too crazy with the spelling or capitalization or the message will lose credibility.
Here are the finished rules that I came up with.&lt;br /&gt;&lt;pre&gt;&lt;blockquote&gt;&lt;br /&gt;# nocase is a content modifier, so it has to follow the content it applies to.&lt;br /&gt;# Each rule needs its own sid: rev only distinguishes revisions of one rule, and&lt;br /&gt;# Snort keeps just the highest rev when several rules share a sid.&lt;br /&gt;phishinghole tcp $HOME_NET any -&gt; !$HOME_NET 25 (msg:"Possible phishing response"; content:"password"; nocase; pcre:"/user[\-\s]?name/i"; pcre:"/e?[\-\s]?mail/i"; tag:session,3,packets; classtype:phishing-response; sid:2009052501; rev:1;)&lt;br /&gt;&lt;br /&gt;phishinghole tcp $HOME_NET any -&gt; !$HOME_NET 25 (msg:"Possible phishing response"; content:"pass word"; nocase; pcre:"/user[\-\s]?name/i"; pcre:"/e?[\-\s]?mail/i"; tag:session,3,packets; classtype:phishing-response; sid:2009052502; rev:1;)&lt;br /&gt;&lt;br /&gt;phishinghole tcp $HOME_NET any -&gt; !$HOME_NET 25 (msg:"Possible phishing response"; content:"pass-word"; nocase; pcre:"/user[\-\s]?name/i"; pcre:"/e?[\-\s]?mail/i"; tag:session,3,packets; classtype:phishing-response; sid:2009052503; rev:1;)&lt;br /&gt;&lt;/blockquote&gt;&lt;/pre&gt;&lt;br /&gt;Now for the analysis&lt;br /&gt;Since these are .pcap files, it's tempting to open up Wireshark and get started peeking through them.  That's what I did and it works just fine.  However, after a couple of days I realized that I was getting way too many false positives, and I needed a new way to separate the wheat from the chaff.  Since the only things in the .pcaps are email snippets, that means that all of the data I need to sift through is going to be in plain text.  So I ran the strings command against the pcaps just to make sure that I would get a dump of all text in the file.  Then I talked to our system administrators to find out if I could get a plain text feed of active user accounts on the domain.  Now I can do something like this to find out if I need to look at the file in more detail:&lt;br /&gt;&lt;pre&gt;&lt;blockquote&gt;strings phishinghole.pcap | grep -f listofusernames&lt;/blockquote&gt;&lt;/pre&gt;&lt;br /&gt;If I get any hits then I know I have an email that has the word username, password, email and a valid user name on our network in it.
Even if that is a false positive, that is worth investigating.  It's also pretty easy to find the username in the .pcap file when you know what username you're looking for so then you can see the message in context.&lt;br /&gt;&lt;br /&gt;I'm going to let this run for a few more days and see if I'm satisfied with it.  If I think I've got a winner here, I'll automate the process further.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-1252409372789147113?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/1252409372789147113/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=1252409372789147113' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1252409372789147113'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1252409372789147113'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/05/thwarting-phishing-on-cheap.html' title='Thwarting phishing on the cheap'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-6060502138912899031</id><published>2009-05-20T22:31:00.000-07:00</published><updated>2009-05-20T22:31:00.158-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><category 
scheme='http://www.blogger.com/atom/ns#' term='video tutorial'/><title type='text'>Pointsec Video: Configuration Sets</title><content type='html'>It's been a while since I put up a Video Tutorial, so here I am to rectify that problem.  We're going to start getting into remote management of our Pointsec clients and before we can do any of that, we have to create a configuration set.  This video will get you started.  I'll be putting up another video in the next couple days to pick up with installation profiles.&lt;br /&gt;&lt;object width="660" height="525"&gt;&lt;param name="movie" value="http://www.youtube.com/v/jUfWcW6eaLE&amp;amp;hl=en&amp;amp;fs=1&amp;amp;rel=0&amp;amp;color1=0x234900&amp;amp;color2=0x4e9e00&amp;amp;border=1"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/jUfWcW6eaLE&amp;amp;hl=en&amp;amp;fs=1&amp;amp;rel=0&amp;amp;color1=0x234900&amp;amp;color2=0x4e9e00&amp;amp;border=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="660" height="525"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-6060502138912899031?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/6060502138912899031/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=6060502138912899031' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/6060502138912899031'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/6060502138912899031'/><link rel='alternate' type='text/html' 
href='http://www.blackfistsecurity.com/2009/05/pointsec-video-configuration-sets.html' title='Pointsec Video: Configuration Sets'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-3700404394634846148</id><published>2009-05-18T14:27:00.000-07:00</published><updated>2009-05-18T20:24:29.308-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='statistics'/><title type='text'>Testing out the rule of five</title><content type='html'>&lt;div&gt;A while back I read the book "How to Measure Anything" by Douglas Hubbard.  In a nutshell, I thought the book was great, and it has a lot of simplifying assumptions in it that you can use when you're trying to measure something intangible, like Information Security.&lt;/div&gt;&lt;div&gt;There is one thing that I have had a little trouble accepting though, and that is the rule of five that he describes in one of the chapters.  It says that if you were to randomly sample five people in a population for some value (such as how many hours of sleep you got last night) there is about a 93% chance that the median value for the whole population will fall between the largest number you get from your sample and the smallest that you get from your sample.  &lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;If I remember correctly, it all starts with the premise that if you sample two people there is a 50% chance that the range of their two numbers will not include the median.  Add a third person and there is another 50% chance.  .5 x .5 = .25 so now there is only a 25% chance that the median does not fall in that range.
A fourth person means we multiply .25 by .5 and get .125.  Finally the fifth person brings us to a probability of .0625 that the median is not included in our range.  So I've always had a little trouble with the first statement, that there is a 50% chance that the first two numbers will include the median.  I looked around the Internet and I haven't been able to find any other confirmation of the rule of five, except for other people citing Hubbard.  So I decided I would try a couple of simple tests to see if this would work for me in theory.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The first test was to see if I could reproduce the 50% chance of picking two numbers that include the median.  I opened up my spreadsheet program and in the A column I put in this formula: =RANDBETWEEN(1,1000).  I copied that down 1000 rows to get 1000 random numbers between 1 and 1000.  This was my reference column.  I copied the values and pasted them into column B and then deleted column A.  That way the values won't keep changing every time I do some math on the page - if you're keeping track at home that means that a list of static numbers is now in column A.  Then I put that same formula into columns B and C.  This simulates the process of picking two numbers from the whole population.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;If you're really paying attention, you will notice that I didn't actually choose two values from the sample, I generated two more random numbers.  So this isn't exactly the same, but I'm just trying to do a "back of the envelope" test here, and the values are probably close enough to some other random number.  In other words, I recognize that this isn't perfect, but it is close enough for my purposes.  In column D I just put in one formula: =MEDIAN(a1:a1000).  And it gave me the median value of my list of random numbers.  In column E I put in this formula: =MAX(b1,c1).  In column F I put in this formula: =MIN(b1,c1).
So now I know that column E has the upper bound of my range and column F has the lower bound.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In column G I put in this formula: =IF(E1&gt;=D$1,"1","0"), and in column H I put in =IF(D$1&gt;=F1,"1","0").  So if the range includes the median, I will have a 1 in columns G and H.  In column I, I put =G1+H1.  Copy these formulas all the way down and column I will have a 2 in it every time the range includes the median.  BTW, if there is an easier way to do this I would love to hear about it.  The last step was in cell J1 where I put =COUNTIF(I1:I1000,"=2").  If there is really a 50% chance then this should be pretty close to 500.  What was my final number?  I have to admit I was surprised to get 520.  Not bad.  Not proof, mind you, but definitely something to lend credence to the rule of five.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;For my next experiment, I decided to get a little more fancy.  I whipped up the following Python script.  In a nutshell, it creates a population of 1000 random numbers.  Then it creates 500 independent random samples and checks to see if the median of the population falls within each sample and prints out the percentage of successes.  I ran this bad boy and got 96.2%.
So after all of this, I have to say I'm feeling pretty good about the rule of five, even if I can't find any independent verification of it.&lt;/div&gt;&lt;pre&gt;&lt;div&gt;&lt;div&gt;from __future__ import division&lt;/div&gt;&lt;div&gt;import random&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;def intherange(median, sample):&lt;/div&gt;&lt;div&gt;  # return 1 if the median lies between the smallest and largest value in the sample&lt;/div&gt;&lt;div&gt;  sample.sort()&lt;/div&gt;&lt;div&gt;  if sample[4] &gt;= median:&lt;/div&gt;&lt;div&gt;    if sample[0] &lt;= median:&lt;/div&gt;&lt;div&gt;      return 1&lt;/div&gt;&lt;div&gt;  return 0&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;population = []&lt;/div&gt;&lt;div&gt;sample = []&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;# create a list of 1001 random numbers&lt;/div&gt;&lt;div&gt;for i in range(1,1002):&lt;/div&gt;&lt;div&gt;  population.append(random.randint(1,1000))&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;# sort the population and get the median&lt;/div&gt;&lt;div&gt;# don't forget to offset by one or you'll get one number above&lt;/div&gt;&lt;div&gt;# the median.&lt;/div&gt;&lt;div&gt;population.sort()&lt;/div&gt;&lt;div&gt;median = population[500]&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;# Let's take 500 samples and see what we get each time.&lt;/div&gt;&lt;div&gt;# (called hits rather than sum so we don't shadow the builtin)&lt;/div&gt;&lt;div&gt;hits = 0&lt;/div&gt;&lt;div&gt;for i in range(1,501):&lt;/div&gt;&lt;div&gt;  sample = random.sample(population,5)&lt;/div&gt;&lt;div&gt;  hits += intherange(median, sample)&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;# fraction of samples whose range contained the median&lt;/div&gt;&lt;div&gt;print(hits / 500)&lt;/div&gt;&lt;/div&gt;&lt;/pre&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-3700404394634846148?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/3700404394634846148/comments/default' title='Post Comments'/>
<link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=3700404394634846148' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3700404394634846148'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3700404394634846148'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/05/testing-out-rule-of-five.html' title='Testing out the rule of five'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-1893003555956666024</id><published>2009-05-18T05:09:00.000-07:00</published><updated>2009-05-18T05:09:00.389-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='statistics'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='monte carlo'/><category scheme='http://www.blogger.com/atom/ns#' term='New School'/><title type='text'>Beta, it's not just for fraternity names</title><content type='html'>&lt;div&gt;Last week at Secure360 I gave a talk on using Monte Carlo simulations to deal with unknowns in the calculation of Annualized Loss Expectancy (ALE).  For those of you that need a refresher, the idea behind ALE is that you figure out how much an asset is worth (Asset Value or AV), and you figure out how badly an event would hurt that asset (Exposure Factor or EF).
Then you multiply those by how often it happens (Annual Rate of Occurrence or ARO) to get the Annualized Loss Expectancy (ALE).&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In my talk I mentioned using Monte Carlo simulations and why I like them.  You see, I am of the belief that you can't nail any of those numbers (AV, EF, ARO) down precisely, so you need to work out a reasonable range, or even a slightly unreasonable range, as long as you err towards inclusion.  By erring toward inclusion, I mean your range would be unrealistically wide rather than narrow.  Once you have your ranges you can whip up an Excel spreadsheet that picks a random number within each of your ranges and spits out the ALE.  Repeat this over 5,000 to 10,000 rows and you've got your simulation.  But a good Monte Carlo simulation is more nuanced than that.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;If you just pick a random number within each of your ranges, with no skewing of the numbers, then after you've done this about 10,000 times you're going to get an average that is shockingly close to what you get if you just take the middle number of each range and multiply.  That is the &lt;a href="http://en.wikipedia.org/wiki/Law_of_large_numbers"&gt;law of large numbers&lt;/a&gt; in action.  What really makes your Monte Carlo simulations more accurate is that they also take into consideration the shape of your variables.  I'd like to talk about a couple of shapes, and my new favorite formula to use in Monte Carlo simulations.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;For the most part, I have always stuck with two basic shapes, the &lt;a href="http://en.wikipedia.org/wiki/Uniform_distribution_(continuous)"&gt;uniform distribution&lt;/a&gt; and the &lt;a href="http://en.wikipedia.org/wiki/Normal_distribution"&gt;normal distribution&lt;/a&gt;.  
Uniform distribution is where there is an equally likely chance of any number in the range being the "true" value of the real thing being simulated.  I typically use this on asset value by utilizing the RANDBETWEEN() function.  I know that the asset value falls between x and y and there is an equal chance of any one of those numbers being accurate.  I typically use the normal distribution in cases where I have an average and a reasonable guess about the standard deviation.  For example, if I know that 75% of my users have experienced some phenomenon give or take 8%, then I will use a normal curve that would spike at 75% and taper off dramatically so that there are almost no values below 67% or above 83%.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;But as I have continued to refine my practice of Monte Carlo simulations, it occurred to me that I need more shapes.  There are variables that don't fit neatly into one of these two shapes, and that is where the &lt;a href="http://en.wikipedia.org/wiki/Beta_distribution"&gt;beta distribution&lt;/a&gt; (http://en.wikipedia.org/wiki/Beta_distribution) comes in.  Beta is able to reproduce a wide variety of shapes that may be more appropriate for your variables.  Let me give you an example.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Let's say one of the threats to your asset is power outage.  One thing you need to know is how often you're going to deal with a power outage in your data center.  Going back over the historical statistics that you've kept, and talking to your server and network people, you've all agreed that there will probably be 3 power outages in the data center this year because your maintenance people suck and they are always making changes without telling anyone.  Everyone also agrees that there could be more power outages, but that the odds of having more outages go down quickly as the number increases.  
This isn't something that is shaped like a normal curve; this is more of a straight line that is high on the left side and moves down as you go right.  Sure, you can punish your data and force it into a normal curve, but instead let's try out our new beta distribution and see if we like that shape better.  In my spreadsheet, under annual rate of occurrence for power outage, I put in =INT(BETAINV(RAND(),1,5,3,8)) and copied that down 500 rows.  Out of the 500 rows, it returned 3 outages per year 347 times, 4 outages 127 times, and 5 outages just 31 times.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I'll let you look at Wikipedia to see how the first two numbers (a and b) affect the shape of the distribution.  In a nutshell, if a is bigger than b then the distribution trends upwards.  If b is bigger than a, then the distribution trends downwards.  The difference between a and b is how dramatic that trend is.  If b is much larger than a you get a very L-shaped graph where the numbers drop off quickly.  If a=1 and b=2 you get a straight line that trends downward.  The last two numbers in the formula are a bottom and top boundary to put on the distribution.  In my formula above, I say that there will always be at least 3 and never 8 or more (INT rounds down, so the upper boundary itself never shows up).  So if I wanted a straight line reflecting outages of 3 to 8 times per year, then I could use this formula =INT(BETAINV(RAND(),1,2,3,9)).  When I ran that 500 times I got 3 outages 163 times, 4 outages 137 times, 5 = 95, 6 = 66, 7 = 38, and 8 outages 12 times.  In other words, there is only a 1.6% chance that we'll have 8 power outages in one year, but there is a 60% chance that we'll have 3 or 4 outages.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Play around with some of the other shapes that you can make with your beta distribution.  I just created a spreadsheet where I could play with the a, b, xlow, and xhigh numbers and see how it charts.  
I will be honest and tell you that I don't yet know how to calculate what a and b should be in my beta distribution, but I am still really happy because if I can make a distribution that more closely approximates what I expect to see in the real world then my simulations will return better data.  This is one of those areas where we can make our range estimate tighter without spending additional money on research, so even if it isn't exact, it is still good news.  I hope you are able to find value from this as well.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-1893003555956666024?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/1893003555956666024/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=1893003555956666024' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1893003555956666024'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1893003555956666024'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/05/beta-its-not-just-for-fraternity-names.html' title='Beta, it&apos;s not just for fraternity names'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-2694904097222718462</id><published>2009-05-14T07:37:00.000-07:00</published><updated>2009-06-02T21:16:50.913-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Application Layer Firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='openbsd'/><title type='text'>Open Source Application Layer Firewall part 3</title><content type='html'>&lt;div&gt;Now that the excitement of Secure360 has died down and we've shrugged off the effects of a phishing attack I finally have some time to work on the last few investigations that popped up recently and add another blog posting on my homebrew, open source application layer firewall.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;In &lt;a href="http://www.blackfistsecurity.com/2009/03/open-source-application-layer-firewall.html"&gt;part 1&lt;/a&gt; we talked about why an Application Layer firewall was necessary and why it was more secure than a simple Stateful Inspection Firewall.  In &lt;a href="http://www.blackfistsecurity.com/2009/03/open-source-application-layer-firewall_16.html"&gt;part 2&lt;/a&gt;, we started setting up our lab environment by creating a web server with a simple (and insecure) php application that will need protecting.  Here in part 3, we will begin creating our Application Layer firewall.&lt;br /&gt;&lt;br /&gt;I'm not going to spend any time talking about the hardware that you want to use for something like this.  It is largely dependent on your environment and what you're trying to do.  It also isn't something that I am an expert on.  There is a great write up &lt;a href="https://calomel.org/network_performance.html"&gt;here&lt;/a&gt; on selecting hardware for high network performance.  I suggest you read that before you put something into production.  
What I will tell you is that for my example, I will be using a virtual machine with two NICs.  One of them will be connected to a public network that people can access, and the other is connected to a private network and can only talk to the web server we created in part 2.&lt;br /&gt;&lt;br /&gt;So the first step is to install OpenBSD on our firewall.  Could I use Linux?  Of course I could, but OpenBSD has an excellent reputation for being proactively secure and auditing the crap out of their code.  OpenBSD also comes with Apache already set up in a very secure chroot environment that we'll be taking advantage of.  Even if you don't agree that OpenBSD is more secure than your Linux flavor of choice, you will probably agree that running Apache in a chroot environment is more secure than not.  And you will probably agree that setting up Apache in a chroot environment is not trivial, so OpenBSD is the easiest choice as well.  However, if I should find myself overflowing with some of that "time" stuff that I hear other people have, I might start documenting how to do this in Linux as well.&lt;br /&gt;&lt;br /&gt;I don't want to spend a great deal of time talking about the initial installation of the operating system either.  It is pretty easy to set up if you just follow the defaults.  I use the whole disk for my operating system, and in this case I put everything in one partition.  If I were doing this in production I might decide that I wanted /var to be in a separate partition so that I wouldn't have to worry about my machine crashing if log files fill up the whole hard drive.  We won't have any users storing their crap on this server, so we don't really need to have /home or /usr on their own partitions.  
Also remember that in most cases you want to use the generic kernel, not the multiprocessor kernel.&lt;br /&gt;&lt;br /&gt;Once the operating system is installed, follow &lt;a href="http://www.openbsd.org/anoncvs.html"&gt;these directions&lt;/a&gt; to get connected to an anonymous CVS server, and download the patch branch (# cd /usr; cvs checkout -P -rOPENBSD_4_4 src).  Then follow &lt;a href="http://www.openbsd.org/stable.html"&gt;these directions&lt;/a&gt; to compile and update your server.  You are now patched and following stable.&lt;br /&gt;&lt;br /&gt;Alright.  You've got a patched server with two NICs, one of which is on your public network so clients can reach it, and the other is on the private network with our application server.  Now we can start tuning this as a firewall.&lt;br /&gt;&lt;br /&gt;For the rest of this HOWTO I'm going to try to work my way up the ISO model from layer to layer.  We've just taken care of layers 1 and 2 by setting up our machines.  Next we need to allow layer 3 routing.  This is only marginally necessary.  Since we are going to have proxy servers acting as go-betweens, the operating system doesn't really need to route traffic.  However, you never know when there is going to be some silly application that we won't be able to proxy and you'll have to route.  So it's best to just do this now and never worry about it again.&lt;br /&gt;Turn on IP forwarding:&lt;br /&gt;# sysctl net.inet.ip.forwarding=1&lt;br /&gt;&lt;br /&gt;Next, edit /etc/sysctl.conf and set net.inet.ip.forwarding=1 so that it will be set for you every time this machine boots.  Congratulations, you now have a router!&lt;br /&gt;&lt;br /&gt;Next up, let's work our way through some layer 3 and layer 4 technology, the pf firewall.  Pf is a packet filter firewall that supports stateful packet inspection, NAT, and a whole host of other good stuff.  It has built-in support for anti-spoofing and scrubbing packets as they come in.  
It is every bit as capable as any other stateful inspection firewall.  We're going to use PF to block most of the crap that will hit this firewall.  I'm going to start with a very restrictive firewall rule set that only allows ping and ssh into the firewall.  Edit /etc/pf.conf to read like this, replacing vic0 with the name of your external interface and 134.29.32.68 with that interface's address.&lt;br /&gt;&lt;blockquote&gt;&lt;pre&gt;ext_if="vic0"&lt;br /&gt;&lt;br /&gt;# It is a good idea to not process stuff on loopback&lt;br /&gt;set skip on lo&lt;br /&gt;&lt;br /&gt;# Let's scrub our incoming traffic&lt;br /&gt;scrub in&lt;br /&gt;&lt;br /&gt;# The default deny rule&lt;br /&gt;block in log on $ext_if&lt;br /&gt;block out log on $ext_if&lt;br /&gt;&lt;br /&gt;# This rule allows icmp echo in&lt;br /&gt;pass in inet proto icmp all icmp-type echoreq&lt;br /&gt;&lt;br /&gt;# This rule allows ssh in&lt;br /&gt;pass in log on $ext_if proto tcp from any to 134.29.32.68 port 22&lt;/pre&gt;&lt;/blockquote&gt;The rule set scrubs incoming traffic and blocks everything going in and out.  I was once chastised on the OpenBSD mailing list for forgetting that pf processes rules from the top down and applies the last rule that matches the traffic.  That's why our default deny needs to come first.  The other two rules, the ones that allow ssh and icmp, have an implicit "keep state" on the end of them.  That's why we don't need to create a rule that allows the return traffic out.  
Now we can turn on pf by typing&lt;br /&gt;# pfctl -e&lt;br /&gt;You will also want pf to turn on when the firewall is booted so make sure you edit /etc/rc.conf and set pf=YES and pf_rules=/etc/pf.conf.&lt;br /&gt;&lt;br /&gt;Now use pfctl to check the rules that are running and make sure everything looks right.&lt;br /&gt;&lt;blockquote&gt;# pfctl -s rules&lt;br /&gt;scrub in all fragment reassemble&lt;br /&gt;block drop in log on vic0 all&lt;br /&gt;block drop out log on vic0 all&lt;br /&gt;pass in inet proto icmp all icmp-type echoreq keep state&lt;br /&gt;pass in log on vic0 inet proto tcp from any to 134.29.32.68 port = ssh flags S/SA keep state&lt;/blockquote&gt;Congratulations, you now have a stateful inspection firewall that doesn't allow anything to pass through to the private interface, but will let you ping and ssh into it.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;If you're ready, you can move on to &lt;a href="http://www.blackfistsecurity.com/2009/06/open-source-application-layer-firewall.html"&gt;Part 4&lt;/a&gt; now.&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-2694904097222718462?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/2694904097222718462/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=2694904097222718462' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/2694904097222718462'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/2694904097222718462'/><link rel='alternate' type='text/html' 
href='http://www.blackfistsecurity.com/2009/03/open-source-application-layer-firewall_17.html' title='Open Source Application Layer Firewall part 3'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-1630282258530259311</id><published>2009-05-11T23:40:00.000-07:00</published><updated>2009-05-11T23:40:00.942-07:00</updated><title type='text'>Secure360 2009 is upon us!</title><content type='html'>Well in just over 8 hours the fun of Secure360 starts in St. Paul and I'm pleased to be a presenter at this fine conference.  I gotta tell you, this is kind of a big deal for me, and I'm feeling a little bit nervous.  I keep trying to decide if I should practice my presentation one more time or try to go to sleep.  Unfortunately there was a Bruce Springsteen concert tonight and the streets are flooded with loud fans so I'm probably not going to be able to do either.  
&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Anyway, if you're planning to be at Secure360 tomorrow, then come check out my presentation and ask me softball questions so I'll look extra smart.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-1630282258530259311?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/1630282258530259311/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=1630282258530259311' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1630282258530259311'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1630282258530259311'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/05/secure360-2009-is-upon-us.html' title='Secure360 2009 is upon us!'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-2325566500840050529</id><published>2009-05-08T11:39:00.000-07:00</published><updated>2009-05-08T12:19:45.273-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='statistics'/><category scheme='http://www.blogger.com/atom/ns#' term='phishing'/><category scheme='http://www.blogger.com/atom/ns#' term='metrics'/><title type='text'>Real World Phishing Statistics</title><content type='html'>Over the last 
two days I have been dealing with the fallout of a big phishing message that hit our organization.  We had two messages come out in two days and one of them was really well done.  It had no grammar mistakes and it used the proper name of our organization and our services.  The spoofed reply-to address even matched our domain, which has not been the case in previous phishing messages.  This one was head and shoulders above the rest.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;We had to field a lot of calls from people asking about this message.  We get phishing messages every day so I have to admit that I am a little bit jaded about them now.  But after we got a few calls I ran a query to find out how many of these had come in and when we saw that it was a rather large number (465 users) we decided that we needed to take some action.  We queried our outgoing mail and locked the user account of anyone that responded to the message in any way.  The next day the second message came in and it went to about 840 users.  This time we hijacked the return address so that anyone who sent a response went into a mailbox that we control instead of the phisher.  This was helpful in preventing misuse of our systems, but it also allowed us to gather some statistics that I'd like to share with you.  Keep in mind that these are statistics for one single incident at a college in the Midwest United States.  It would be foolish to think these numbers will hold true for any organization in any part of the world.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The two messages went to a total of 853 unique users (there was some overlap in the two messages).  Of those 853 users, 29 responded to the message.  
We have about 14,000 user accounts so that means that we can say with 95% confidence that 3.34% (+/- 1.17%) of our users will provide *SOME* response to a well-crafted phishing message.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Of the 29 total responses, we were able to intercept and examine 13 of them.  Of the 13 we found that 11 of them had responded with a username and password.  The other people told the phisher to "piss off" or asked if the request was real.  Based on these numbers we have a sample size of 29 out of a population of 853 and 84.61% provided their password.  So we can say with 95% certainty that 84.61% (+/- 14.83%) of responses to phishing messages contain the username and password.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;There are a couple of interesting demographic things you should know about our organization and my methodology for coming up with these numbers.  First of all, I came up with the statistics using the sample size calculator here: &lt;a href="http://www.surveysystem.com/sscalc.htm"&gt;http://www.surveysystem.com/sscalc.htm&lt;/a&gt;&lt;/div&gt;&lt;div&gt;Next, our organization has about 14,000 users most of whom are from the Midwest and most of whom are between the ages of 18 and 22.  10% of the population has been through a computer-based computer awareness training program, and the organization sends email reminders about phishing about twice a year.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;One thing that no human or machine could count is the number of calls, emails and shouts in the hallway asking if the message was real or not.  That actually consumed more of my time than dealing with the 29 people that responded to the messages.  So if you're ever working through how much a phishing attack might cost your organization, make sure you add in the value of people's time dealing with the same question about 6 million times.  6 million times in an organization with about 14,000 users.  
That's a good starting metric, but you may get more.  &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-2325566500840050529?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/2325566500840050529/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=2325566500840050529' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/2325566500840050529'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/2325566500840050529'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/05/real-world-phishing-statistics.html' title='Real World Phishing Statistics'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-8860472969488117515</id><published>2009-04-27T14:03:00.000-07:00</published><updated>2009-05-15T14:05:54.749-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Application Layer Firewall'/><category scheme='http://www.blogger.com/atom/ns#' term='openbsd'/><title type='text'>Open Source Application Layer Firewall part 2</title><content type='html'>Continuing my discussion on setting up an open-source application-layer firewall. 
&lt;a href="http://www.blackfistsecurity.com/2009/03/open-source-application-layer-firewall.html"&gt;In the last post&lt;/a&gt; we talked about the need for such a device and kind of laid the groundwork for what was going to come. In this post I'm going to talk about setting up our vulnerable application that requires protecting.&lt;br /&gt;&lt;br /&gt;The first thing I set up was my back-end server. This is the machine that I am trying to protect. I didn't need to do anything fancy with this machine, so I just slapped a default installation of OpenBSD on a virtual machine. The virtual machine has one virtual NIC on it, and that was initially set up with a live IP address so that I could download the sets from the Internet. Once the installation was complete, I rebooted and changed the IP address to something static. Here is how that is done.&lt;br /&gt;1. Edit hostname.em0. On OpenBSD, the interfaces are not named eth0, eth1, etc. Instead the name comes from the manufacturer of the NIC. You can run ifconfig to see which interface has an IP address. In my case, that interface is em0, so that card's configuration is in hostname.em0. The file was set up to allow DHCP, but I don't want that. So I'll set it up with a static IP address on a private network.&lt;br /&gt;&lt;blockquote&gt;&lt;pre&gt;#vi /etc/hostname.em0&lt;br /&gt;inet 192.168.1.10 255.255.255.0&lt;/pre&gt;&lt;/blockquote&gt;I also need to set a default gateway, which is in the file /etc/mygate&lt;br /&gt;&lt;blockquote&gt;&lt;pre&gt;#vi /etc/mygate&lt;br /&gt;192.168.1.1&lt;/pre&gt;&lt;/blockquote&gt;Now I shut down the virtual machine and changed the virtual NIC to use a host-only network. When I booted up, I no longer had access to the Internet from this machine. 
Next up, we need to create an SSL certificate to be used when making https connections to this machine.&lt;br /&gt;&lt;blockquote&gt;&lt;pre&gt;openssl genrsa -out /etc/ssl/private/192.168.1.10.key 1024&lt;br /&gt;openssl req -new -key /etc/ssl/private/192.168.1.10.key \&lt;br /&gt;-out /etc/ssl/private/192.168.1.10.csr&lt;br /&gt;openssl x509 -req -days 365 -in /etc/ssl/private/192.168.1.10.csr \&lt;br /&gt;-signkey /etc/ssl/private/192.168.1.10.key \&lt;br /&gt;-out /etc/ssl/192.168.1.10.crt&lt;/pre&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;We need to make a quick change to the configuration file too. The file /var/www/conf/httpd.conf instructs httpd to look for certificates at /etc/ssl/server.crt. Let's change line 1041 of the default httpd.conf file to point to the correct file name: /etc/ssl/192.168.1.10.crt. You will also have to make a similar change to line 1046 so that the key path points to /etc/ssl/private/192.168.1.10.key. Now we can fire up our http server and test it out. This is really easy to do since we're using the httpd server that comes with OpenBSD. You just have to type httpd. I'm going to use the -DSSL option so that it will fire up with SSL support using the keys we just made.&lt;br /&gt;httpd -DSSL&lt;br /&gt;&lt;br /&gt;We can use lynx to test it. Type in lynx http://localhost and you should see a text version of the default Apache startup page. Press Q to quit and type lynx https://localhost to see if you've got working SSL. You should ignore the SSL warning because we're using a self-signed certificate. Note that you won't be able to pull anything up on a browser from another machine because we haven't opened up the http/https ports in pf. 
If lynx indicates that the https server is working right, then we can make it start up by default whenever we fire up this machine.&lt;br /&gt;&lt;blockquote&gt;&lt;pre&gt;#vi /etc/rc.conf&lt;br /&gt;# Find the httpd_flags line and change it to this:&lt;br /&gt;httpd_flags="-DSSL"&lt;/pre&gt;&lt;/blockquote&gt;That is all the configuration that we need to do right now to test this thing out. However, if you're feeling a little saucy like I was, we can whip up a quick and simple PHP application so that we can test out the features of mod_security down the road a bit. Here is how I did that. I added another virtual NIC and configured it for DHCP so that I could get to the Internet.&lt;br /&gt;&lt;br /&gt;Install PHP from packages and update httpd.conf to support PHP: &lt;blockquote&gt;&lt;pre&gt;# export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.4/packages/i386/&lt;br /&gt;# pkg_info -Q php | more (look for one called php5-core-something)&lt;br /&gt;# pkg_add php5-core-5.2.6&lt;/pre&gt;&lt;/blockquote&gt;Edit the configuration file /var/www/conf/httpd.conf. Find the line that reads AddType application/x-httpd-php and change it to read: AddType application/x-httpd-php .php .php4 .php3 .htm .html&lt;br /&gt;&lt;br /&gt;Now I edited the file /var/www/htdocs/index.html and added this to the file after the BODY tag.&lt;br /&gt;&lt;blockquote&gt;&lt;pre&gt;&amp;lt;?php&lt;br /&gt;// Deliberately insecure test form: whatever is posted is echoed straight back&lt;br /&gt;// without validation or escaping, which is what the firewall will have to catch.&lt;br /&gt;$Fname = isset($_POST["Fname"]) ? $_POST["Fname"] : "";&lt;br /&gt;$Lname = isset($_POST["Lname"]) ? $_POST["Lname"] : "";&lt;br /&gt;$Ccard = isset($_POST["Ccard"]) ? $_POST["Ccard"] : "";&lt;br /&gt;echo "Hello, ".$Fname." ".$Lname;&lt;br /&gt;echo "&amp;lt;br /&amp;gt;";&lt;br /&gt;echo "Credit card: ".$Ccard;&lt;br /&gt;?&amp;gt;&lt;br /&gt;&lt;br /&gt;&amp;lt;form method="post" action="&amp;lt;?php echo $_SERVER['PHP_SELF']; ?&amp;gt;"&amp;gt;&lt;br /&gt;First Name&amp;lt;input type="text" size="12" maxlength="12" name="Fname"&amp;gt;&amp;lt;br /&amp;gt;&lt;br /&gt;Last Name&amp;lt;input type="text" size="12" maxlength="36" name="Lname"&amp;gt;&amp;lt;br /&amp;gt;&lt;br /&gt;Credit Card&amp;lt;input type="text" size="12" maxlength="36" name="Ccard"&amp;gt;&amp;lt;br /&amp;gt;&lt;br /&gt;&amp;lt;input type="submit" value="submit" name="submit"&amp;gt;&amp;lt;br /&amp;gt;&amp;lt;/form&amp;gt;&amp;lt;br /&amp;gt;&lt;/pre&gt;&lt;/blockquote&gt;Now I have a basic and very insecure web application that runs on my web server. This is what we will use for testing out our Application Layer Firewall. Once we have everything set up, we should be able to establish an SSL connection to this server that is proxied through our firewall. Our firewall should also be able to make sure that we don't enter improper text into our form. 
I will now remove the virtual NIC that connects this to the Internet so that there is no access to this server except through our firewall.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://www.blackfistsecurity.com/2009/03/open-source-application-layer-firewall_17.html"&gt;Here is part 3.&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-8860472969488117515?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/8860472969488117515/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=8860472969488117515' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/8860472969488117515'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/8860472969488117515'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/03/open-source-application-layer-firewall_16.html' title='Open Source Application Layer Firewall part 2'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-7134595606178672816</id><published>2009-04-20T10:17:00.001-07:00</published><updated>2009-04-20T10:17:55.322-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><title type='text'>Pointsec for PC: Watch out when creating installation 
profiles based on update profiles.</title><content type='html'>&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;I got a call from someone the other day asking about a strange Pointsec problem he was having.  He had created an installation profile and put it in the installation folder with his installer MSI file.  But when he would run the installer, he would get a very generic error that just said "Profile Error."  He asked me if I could take a look at his installation profile and see if I could find anything out of the ordinary.&lt;br /&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;One thing that struck me as being out of the ordinary is that he had based the installation profile off an update profile.  Usually, I see installation profiles based off the local settings or another install profile.  I see update profile based off install profiles, but never before have I seen an install profile based off of an update profile.  &lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;So I opened up his installation profile in my administration console and poked around for a bit.  I was making sure that administrator accounts were in there and that there was a valid path for updates and recovery files, etc.  Since it was based on an update profile, it is possible that some information was left out.  Then I clicked OK to exit the profile editor and see if any errors come up.  I was given the error message "Volume protection not defined."  
This is different from the error message I usually get on an installation profile which reads "Volume protection not based on local."&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;OK, so how does this volume protection thing work?  When I typically build an installation profile I base it on my local machine's settings.  And usually, my local machine has one hard drive and one partition.  So if the volume protection in my installation profile was based on local then every computer that installed using this profile would get protection on only one partition.  What if we run this on a computer with two partitions?  The second partition would get no protection.  So the default when you create an installation profile based on local settings is to set the volume protection to encrypt and protect all volumes on the machine, not just the ones that you have on your reference computer.  When you save your installation profile you are told that the volume protection was not based on the local machine, and I tell most people to ignore that message because it's actually a good thing.  But that isn't the message that we're getting here.  This machine is telling us that no volume protection has been set at all.&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;To understand why, you have to know about the limitations of update profiles.  An update profile can change ALMOST any setting on a Pointsec installation except for the encryption algorithm used to protect the volumes, and which volumes have been encrypted.  These settings cannot be changed after the installation and so they are not present in an update profile.  
&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;Since those settings are not present in an update profile, any installation profile based on an update profile is going to be missing these settings as well.  I told him to go back to the installation profile, click on Systems Settings, Install, and double-click Select Volume Protection.  Then he can select the encryption algorithm he wants to use and specify which volumes he wants protected.  A day later I got an email telling me that making that change fixed the installation profile and he was able to use it to install Pointsec on client machines.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-7134595606178672816?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/7134595606178672816/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=7134595606178672816' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/7134595606178672816'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/7134595606178672816'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/04/pointsec-for-pc-watch-out-when-creating.html' title='Pointsec for PC: Watch out when creating installation profiles based on update profiles.'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' 
height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-5787216487729693559</id><published>2009-04-15T09:28:00.000-07:00</published><updated>2009-04-15T09:45:49.044-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><title type='text'>PI License for Forensic Work in Texas Revisited</title><content type='html'>&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;I've talked about the ongoing debate about requiring Private Investigator licenses for people doing computer forensic work before.  I've also talked specifically about the requirements in Texas because of the unintended consequences that came of it.  See &lt;a href="http://www.blackfistsecurity.com/2008/12/pi-licenses-for-forensics-texas-screws.html"&gt;Texas screws the pooch even harder&lt;/a&gt; for more details.&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;&lt;br /&gt;&lt;/p&gt;&lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;&lt;a href="http://sansforensics.wordpress.com/2009/04/14/texas-pi-licensing-amendment/"&gt;The SANS Forensic blog&lt;/a&gt; is reporting on some changes to the Texas Requirements that people performing computer forensics get private investigator licenses.  A bill has been introduced in Texas to amend the Business &amp;amp; Commerce Code to define what a "Computer data recovery specialist", "Computer forensic analyst", and a "Computer technician" is.  The bill also makes changes to the Occupations code and changes the licensing requirements for some computer work based on the definitions that were added to the Business &amp;amp; Commerce Code.  
You can find the bill here: &lt;a href="http://www.legis.state.tx.us/tlodocs/81R/billtext/pdf/HB02564I.pdf"&gt;http://www.legis.state.tx.us/tlodocs/81R/billtext/pdf/HB02564I.pdf&lt;/a&gt; and the law currently in place here: &lt;a href="http://tlo2.tlc.state.tx.us/statutes/docs/OC/content/pdf/oc.010.00.001702.00.pdf"&gt;http://tlo2.tlc.state.tx.us/statutes/docs/OC/content/pdf/oc.010.00.001702.00.pdf&lt;/a&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;I am not a lawyer, but I can read fairly well so here is what I think is going on.  Don't take any legal advice from me though.  Let's start with those definitions.  &lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;Computer data recovery specialist: dude that recovers data, but not for evidentiary purposes.&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;Computer forensic analyst: dude that acquires data, or dude that analyzes data acquired by someone else for the purpose of providing evidence in actual or potential civil or criminal proceedings.&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;Computer technician: dude that repairs computers, including the software.&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;The first change in the way we do business also comes in the 
Business and Commerce Code.  Section 107.002 of the proposed amendment requires all three of those people defined above to get a statement before they perform any work on a computer.  That statement basically would say that the facts presented in the work order are true and that the computer being analyzed has been legally obtained.  In other words, it is being presented for work by the owner or it has been authorized by a court of law (think search warrant).  Forensic analysts and computer technicians do not need this if they are working on their employer's computer.&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;OK.  So far things seem fair.  I know that lawyers are able to take straightforward sentences and make them mean something else, but I would say that I agree with the spirit of the changes so far.  I don't think it is terribly burdensome to make people sign off that they own or have legally acquired the data they are asking someone to analyze.  Under the proposed changes, not getting these statements is a class C misdemeanor.  Under Texas penal code, Title 3, Chapter 12, Subchapter A Section 12.03 (c) "Conviction of a Class C misdemeanor does not impose any legal disability or disadvantage."  Section 12.23 states that "An individual adjudged guilty of a Class C misdemeanor shall be punished by a fine not to exceed $500."  &lt;a href="http://tlo2.tlc.state.tx.us/statutes/docs/PE/content/htm/pe.003.00.000012.00.htm"&gt;http://tlo2.tlc.state.tx.us/statutes/docs/PE/content/htm/pe.003.00.000012.00.htm&lt;/a&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;Next we should look at the changes being made to the Occupations code.  
First, we should look at the easy to understand stuff.  Section 1702.104 is getting a subsection C and D added onto it, and some changes to subsection B.  Subsection D is really easy to understand.  The repair or maintenance of a computer does not constitute an investigation for purposes of this section and doesn't require a license as long as the technician isn't gathering evidence.  The change to subsection B is pretty easy to grasp too.  It says "all the language that is in here now stays, but we're making exceptions for the stuff written in subsection C and D."&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;So that leaves us with the change to subsection C.  So now we need to look at the current law on the books and kind of understand what section 1702.104 says.  The whole chapter talks about the licensing requirements of various people, including investigations companies.  According to section 1702.104 a person acts as an investigations company if they are engaged in the business of obtaining information related to crimes, or locations of stolen property, or the general information about a person.  Subsection B of 1702.104 specifically calls out computer forensics.  It says that doing any of that investigating I talked about above includes investigation of computer-based data not available to the public.    Remember that the bill introduced leaves subsection B as it is but says that there are two exceptions which are listed in section C and D (computer repair man).  Section C says that obtaining and furnishing information does not include obtaining or furnishing computer data by a forensic analyst as defined up above in the Business &amp;amp; Commerce Code.  That kind of work does not require a license under this chapter.  
Chapter 1702 of the Occupations code relates to private security and the licensing necessary to act in those job roles.  So the proposed bill makes it so that forensic analysts and computer repair people are not being lumped into the same requirements as private investigators, people that install security alarm systems, armored car drivers, etc.&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;The definitions that are applied here are pretty specific to computer forensics though.  I wonder if a forensic accountant would be required to get a private investigator's license to do business in Texas.  Overall, I am happy with the changes if I am reading them correctly.  It removes the requirement that you have to qualify as a private investigator before you can analyze a hard drive, which I think is asinine.  It puts some very reasonable restrictions on the practice of forensics (requiring a signed statement of ownership) and it leaves the door open for other requirements to be imposed on digital forensic analysts that actually pertain to the work they do.  &lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: 14.0px"&gt;&lt;br /&gt;&lt;/p&gt; &lt;p style="margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica"&gt;I want to be clear that I am not opposed to having some licensing requirements for forensic analysts.  I think that requiring someone to have some number of hours of experience before they can work unsupervised or present their findings in court is reasonable.  Requiring 6000 hours of experience as a highway patrolman pulling over speeders shouldn't be sufficient to be licensed as a digital forensic expert...just like 6000 hours of being a digital forensic expert shouldn't qualify you to be a private investigator.  
I'm not opposed to background checks or requiring analysts to carry errors and omissions insurance.  All I want to see is that if states are going to impose some licensing requirements on digital forensic analysts those licensing requirements should be relevant to the work they do. &lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-5787216487729693559?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/5787216487729693559/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=5787216487729693559' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/5787216487729693559'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/5787216487729693559'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/04/pi-license-for-forensic-work-in-texas.html' title='PI License for Forensic Work in Texas Revisited'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-1593027962622996288</id><published>2009-04-13T06:53:00.001-07:00</published><updated>2009-04-13T07:19:52.374-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><title type='text'>Pointsec for PC: Can't enable WIL, User Account not working.</title><content 
type='html'>The help desk brought me a strange Pointsec problem today. I'm not even sure how to describe it properly. They had a customer computer that had been locked out and was requiring authentication at the Pre-Boot Environment, but the password that I had provided for the help desk to use was not working. I also found that my personal password that I use for Pointsec was not working either. This was very concerning, but luckily I was able to log in with a third user account that I had built into the Installation profile used to install Pointsec on this machine.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I checked the Enable WIL checkbox in the preboot environment and booted into Windows like normal. Then I opened up the Management Console and I was able to log in with the accounts that were being denied in the Pre-Boot Environment. Weird! I also double checked that Windows Integrated Logon was turned back on and rebooted. I expected the machine would boot directly into Windows, but it stopped at the Pre-Boot Environment and challenged me for credentials again.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;You may be aware that there are actually two places where you have to enable Windows Integrated Logon. If you already know this then skip this paragraph. There are two places where WIL has to be enabled. One place is in the Management Console in Windows which I just looked at. The other place is in the Pre-Boot Customization menu. If WIL isn't turned on in BOTH places, then you have to authenticate in the Pre-Boot Environment. 
To access the Pre-Boot Customization menu, hold down both shift keys when the computer is booting and says "Pointsec for PC" in the upper left of the screen.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_7Avz7RosatI/SeNGc0zXWoI/AAAAAAAAALs/hQ1L7I0imSs/s1600-h/troubleshoot+1.png"&gt;&lt;img id="BLOGGER_PHOTO_ID_5324176645506423426" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 200px; CURSOR: hand; HEIGHT: 132px; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_7Avz7RosatI/SeNGc0zXWoI/AAAAAAAAALs/hQ1L7I0imSs/s200/troubleshoot+1.png" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;But on this machine when I held down both shift keys during the boot process, nothing happened.  I am not able to access the Pre-Boot Customization Menu!  WTF!  I feared that I was going to have to call Checkpoint Support before this poor soul could have his laptop back.  &lt;/p&gt;&lt;p&gt;But instead, I decided to create a user account for him in Pointsec and set up single sign on for him.  That way he could work on the time sensitive stuff he had to do and bring the computer back to us when he could stand to be without it for a while.  I created the account, saved the settings, and rebooted.  Surprise!  Windows Integrated Logon worked this time.&lt;/p&gt;&lt;p&gt;My guess is that by creating another user account, Pointsec updated the authentication database and other settings for the Pre-Boot Environment which turned Windows Integrated Logon back on.  So now he is able to work, but I am still not able to get into the Pre-Boot Customization Menu.  I'll have him come back later and we'll probably just reimage this machine.  I wanted to share this with all of you just in case you run into this problem so you'll have a dirty fix if you're in a jam.  
I looked at the Checkpoint Knowledge base and wasn't able to find any thing that looks similar to this.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-1593027962622996288?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/1593027962622996288/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=1593027962622996288' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1593027962622996288'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1593027962622996288'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/04/pointsec-for-pc-cant-enable-wil-user.html' title='Pointsec for PC: Can&apos;t enable WIL, User Account not working.'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_7Avz7RosatI/SeNGc0zXWoI/AAAAAAAAALs/hQ1L7I0imSs/s72-c/troubleshoot+1.png' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-4430788427566597702</id><published>2009-04-07T20:19:00.000-07:00</published><updated>2009-06-17T12:58:16.555-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Application Layer Firewall'/><category scheme='http://www.blogger.com/atom/ns#' 
term='openbsd'/><title type='text'>Open Source Application Layer Firewall</title><content type='html'>This is going to be a really long posting if I go into the level of detail that I want. So I'm going to have to break this up over several postings. This will be the introduction and table of contents posting. As I add more postings on this topic, I'll update this posting accordingly. Once I have enough content, I'll probably add it to the Popular Topics link list on the right.&lt;br /&gt;&lt;br /&gt;A while back we purchased a Sidewinder firewall as part of our strategy to achieve PCI compliance. The plan that we're enacting is to isolate our entire cardholder environment behind the Sidewinder. In most cases, a simple and cheap stateful inspection firewall would be sufficient for that, but we've also got some web applications that process credit card data and we need to comply with section 6.6 of the DSS as well. That calls for an Application Layer Firewall (or a source code audit, but we decided on Application Layer Firewall).&lt;br /&gt;&lt;br /&gt;Now don't get me wrong, I love my Sidewinder. I have referred to it as the coolest device ever attached to the Internet, although it has lost at least 5% of its coolness since they changed the name to something dumb that I won't repeat. But there are some things about the Sidewinder that make me sad. For example, it's not open source so I don't really know how it works. As a security guy that makes me uncomfortable. I also don't like that the configuration files aren't plain text. I can't put them into a revision control system and quickly see what changes were made without my knowledge by some other firewall administrator. And of course there is the fact that Sidewinders are expensive. So I thought I would take some time and see if I couldn't build an open source alternative to the Sidewinder for people who aren't fortunate enough to have one. 
This isn't going to be as full featured as a Sidewinder, but it will be more secure than a simple Stateful Inspection Firewall and it will help meet the requirements of section 6.6 of the PCI DSS. Remember, though, that your acquiring bank is the referee as far as what meets the requirements and what doesn't. You may want to check with them and see if you can use this instead of some commercial product.&lt;br /&gt;&lt;br /&gt;So I guess this is a good time to talk about what exactly an Application Layer Firewall is. In a nutshell, it's a firewall that operates at the Application layer of the OSI model. More practically speaking, it's a firewall that acts as a proxy server and makes decisions about passing traffic based on the payload of the connections it proxies. When you make a request of a web server that is protected by a proxy firewall, your connection actually terminates at the firewall, and the firewall initiates a new connection to the web server. Before initiating the connection, the firewall might look at what resources you're asking for and make the decision to deny the connection. This model is inherently more secure than a stateful inspection firewall that only looks at addresses, ports and connection state and never at what is inside the packets. The downside is that proxy firewalls are usually slower and there aren't proxies available for every service that runs out there. I know there are people that will argue with me about my belief that a proxy firewall is more secure by its very nature than a stateful inspection firewall, and I don't feel like getting into an argument about that. So I'll put it this way: PCI DSS section 6.6 calls for an Application Layer Firewall. If you're not using something that operates at the Application layer of the OSI model then you are not compliant. Again, keep in mind that your acquiring bank is the referee, not me. 
For a good explanation of why Application Layer Firewalls are necessary, check out this link: &lt;a href="http://jeremiahgrossman.blogspot.com/2009/04/disagree-with-concept-or-implementation.html"&gt;http://jeremiahgrossman.blogspot.com/2009/04/disagree-with-concept-or-implementation.html&lt;/a&gt; (make sure you read my comments in the comments thread because everything I say over any media is worth reading).&lt;br /&gt;&lt;br /&gt;What is our open-source application layer firewall going to look like when it's done? Well basically we're going to be using OpenBSD for our operating system, and we're going to use PF to handle any stateful inspection or NAT that we might need. We're going to use Apache with mod_proxy, mod_ssl, and mod_security to act as a proxy for our http/https/ftp traffic and provide application-layer security. Can your stateful inspection firewall look for Cross Site Scripting or SQL injection in the http part of your traffic? Can it perform input validation for your applications before the traffic gets to the servers? Mod_security can, and that is why it rules ass over simple stateful inspection. We're going to use OpenBSD's relayd to act as a generic proxy for ports where we don't have a full application proxy to work with.&lt;br /&gt;&lt;br /&gt;I'm also going to make use of a back-end server that doesn't have much on it. It's a very simple setup that will be used to make sure that our firewall is passing services. I have all of this running on virtual machines. The backend machine has a host-only network that connects to an interface on the firewall. The firewall has the host-only network and another nic that is bridged to my real network. That's where the "public" ip address will be reached by the clients. 
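&lt;br /&gt;&lt;br /&gt;To make the proxy idea concrete, here is a small worked example of my own. It is added for this write-up; it is not code from these posts and not how mod_security or relayd are implemented. It models the decision an application layer firewall makes after the client's connection has terminated on it and before it opens its own connection to the back end: parse the request, check the payload against a policy written for the Fname/Lname/Ccard test form from part 2, and forward only what passes. The field names and maxlengths come from that form; the path whitelist, the attack signatures, the Luhn check on the card number and the sample requests are this example's own assumptions, and it is pure Python standard library so it runs offline.&lt;br /&gt;&lt;br /&gt;
&lt;blockquote&gt;&lt;pre&gt;
```python
"""Application-layer inspection of requests to the Fname/Lname/Ccard test form.

Added example, not code from the blog posts and not how mod_security or relayd
work internally.  It models the decision a proxy firewall makes after the
client's TCP connection has terminated on the firewall and before the firewall
opens its own connection to the back-end web server.  Field names come from the
test form; everything else (path policy, patterns, card check, samples) is an
assumption of this example.
"""
import re
from urllib.parse import parse_qs, urlencode

# Only the test page itself may be requested.  This also blocks the reflected
# XSS the PHP page exposes through PHP_SELF (script injected via the path).
PATH_POLICY = re.compile(r"/(index\.html)?")

# Positive whitelist per form field; lengths follow the form's maxlength.
FIELD_POLICY = {
    "Fname": re.compile(r"[A-Za-z][A-Za-z' -]{0,11}"),
    "Lname": re.compile(r"[A-Za-z][A-Za-z' -]{0,35}"),
    "Ccard": re.compile(r"[0-9]{13,19}"),
}

# Negative signatures, applied first so that a refusal carries a useful reason.
# "\x3c" is the angle bracket that opens an HTML tag.
ATTACK_PATTERNS = [
    ("script tag", re.compile(r"(?i)\x3c\s*script")),
    ("sql tautology", re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+")),
    ("sql union", re.compile(r"(?i)union\s+select")),
    ("sql comment", re.compile(r"--\s*$")),
]


def luhn_ok(digits):
    """Luhn checksum as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            d = d // 10 + d % 10  # 10..18 become 1..9
        total += d
    return total % 10 == 0


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_request(raw):
    """Return (allowed, reason).  allowed=True means the firewall may now
    open its own connection to the back end and replay the request."""
    method, path, headers, body = parse_request(raw)
    if not PATH_POLICY.fullmatch(path):
        return False, "path not permitted: %s" % path
    if method == "GET":
        return True, "ok"
    if method != "POST":
        return False, "method %s not proxied" % method
    if headers.get("content-type", "") != "application/x-www-form-urlencoded":
        return False, "unexpected content type"
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    for name, values in fields.items():
        if name not in FIELD_POLICY and name != "submit":
            return False, "unknown field %s" % name
        for value in values:
            for label, pat in ATTACK_PATTERNS:
                if pat.search(value):
                    return False, "%s in %s" % (label, name)
            if name in FIELD_POLICY and not FIELD_POLICY[name].fullmatch(value):
                return False, "field %s fails whitelist" % name
    card = fields.get("Ccard", [""])[0]
    if card and not luhn_ok(card):
        return False, "Ccard fails Luhn check"
    return True, "ok"


def build_post(fields):
    """Constructed sample request, shaped like the one lynx sends for the form."""
    body = urlencode(fields).encode("ascii")
    head = "POST /index.html HTTP/1.1\r\nHost: 192.168.1.10\r\n"
    head += "Content-Type: application/x-www-form-urlencoded\r\n"
    head += "Content-Length: %d\r\n\r\n" % len(body)
    return head.encode("ascii") + body


if __name__ == "__main__":
    good_card = "4111111111111111"  # well-known Luhn-valid test number
    samples = [
        ("legit", build_post({"Fname": "Bob", "Lname": "Smith", "Ccard": good_card, "submit": "submit"})),
        ("sqli", build_post({"Fname": "Bob", "Lname": "' OR '1'='1", "Ccard": good_card})),
        ("xss", build_post({"Fname": "\x3cscript\x3ealert(1)", "Lname": "Smith", "Ccard": good_card})),
        ("bad card", build_post({"Fname": "Bob", "Lname": "Smith", "Ccard": "4111111111111112"})),
        ("bad path", b"GET /index.html/%22%3E%3Cscript%3E HTTP/1.1\r\nHost: 192.168.1.10\r\n\r\n"),
    ]
    for label, raw in samples:
        allowed, reason = inspect_request(raw)
        print("%-9s %s  %s" % (label, "FORWARD" if allowed else "REFUSE", reason))
```
&lt;/pre&gt;&lt;/blockquote&gt;
Run it and the legitimate post is marked FORWARD while the SQL tautology, the script tag, the bad card number and the hostile path are each refused with a reason, which is what a mod_security rule set in front of this form should do. The positive whitelist is the part that actually protects the back end; the signatures only exist to give the log a better reason than "fails whitelist". A real proxy would then open a fresh socket to the back end and replay the request, which is the part a stateful inspection firewall never gets to do.&lt;br /&gt;&lt;br /&gt;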
So watch this space as I start to fill in the How To posts.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.blackfistsecurity.com/2009/03/open-source-application-layer-firewall_16.html"&gt;Here is part 2.&lt;/a&gt;&lt;div&gt;&lt;a href="http://www.blackfistsecurity.com/2009/03/open-source-application-layer-firewall_17.html"&gt;Here is part 3.&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.blackfistsecurity.com/2009/06/open-source-application-layer-firewall.html"&gt;Here is part 4.&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://www.blackfistsecurity.com/2009/03/open-source-application-layer-firewall.html"&gt;Here is part 5.&lt;/a&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-4430788427566597702?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/4430788427566597702/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=4430788427566597702' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4430788427566597702'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4430788427566597702'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/03/open-source-application-layer-firewall.html' title='Open Source Application Layer Firewall'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-614170444914713297</id><published>2009-04-01T08:23:00.000-07:00</published><updated>2009-04-01T08:24:07.177-07:00</updated><title type='text'>The real payload in conficker - damage to our reputation.</title><content type='html'>This week has belonged to conficker.  We had 60 Minutes do a story about malware, including conficker, and there have been thousands of stories out there this week about the "attack" that conficker is going to launch on April 1st.  And just like Y2K, nothing has happened.&lt;br /&gt;&lt;br /&gt;There was a lot of conflicting information being reported around the Internet too.  Some sources were saying that Conficker was programmed to attack or deliver its payload on April 1st.  Others were saying that it was going to start spreading itself on April 1st.  I pulled up twitterfall.com and took a look at the discussions around conficker and the buzz was huge.  The only information (true or false) that wasn't getting widespread reporting was the fact that most security professionals were pretty calm about this.  Particularly displeasing is that I got Rick Rolled twice while reading the articles about what was going to happen or what has happened because of conficker.  For revenge, I'm going to use this day to send out a mass goatse.&lt;br /&gt;&lt;br /&gt;The real damage that has been done here is to our reputation.  We sort of came off as the boy who cried wolf on this whole conficker thing, and the really unfair part is that I don't know any reputable security professionals that were predicting the doom and gloom that was attributed to us.  Here is a choice quote: "No this is not an April Fool's Day joke, this is serious. Every few years, the internet is hit by a vicious malware that wreaks havoc on on computers. 
...security experts are racing against time to mitigate the impact of this hazard. For some reason, malware creators like to target April Fool's Day and this latest attack, known as Conficker C, is rumored to be the most damaging attack seen in years. "  Or how about this one from eetimes.com: "Experts are unsure whether Conficker will simply display a harmless April Fools Day message or, for example, begin harvesting PC user names and passwords or even erase hard disks."&lt;br /&gt;&lt;br /&gt;I don't know if it was the media, or paranoia, or people that didn't have all the facts, or just plain bad luck that caused this to blow up into the boogieman that it became.  Regardless, I think we should find the culprit and shoot him/her/it.  People are going to stop considering our warnings to be credible because of crap like this.  Today the buzz on twitterfall is how conficker turned out to be nothing.  Now the pendulum has swung in the other direction and people are feeling like you can ignore conficker, which is also bad.  Here are some choice quotes:&lt;br /&gt;&lt;br /&gt;@net_news: "CONFICKER IS NOT HAPPENING. IGNORE CONFICKER. [Conficker Is Not Happening. Ignore Conficker]"  &lt;br /&gt;@H_i_R "@infosecsurvivor The conficker is a lie!  "&lt;br /&gt;@basseq: "Man, Conficker is causing some pretty serious problems here today. Not the actual virus, mind you, but the threat."&lt;br /&gt;@angelcastaneda: "Oh, I see what Conficker does: It dumps a foot of snow on your car!"&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;In my opinion, the best twitter advice on conficker came from @marcusjcarey: "Security Professionals must remember the 'Little Boy Who Cried Wolf' ie. manage expectations #conficker".  
If only it were the security professionals faults.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-614170444914713297?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/614170444914713297/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=614170444914713297' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/614170444914713297'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/614170444914713297'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/04/real-payload-in-conficker-damage-to-our.html' title='The real payload in conficker - damage to our reputation.'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-6843326852784241998</id><published>2009-03-30T06:48:00.000-07:00</published><updated>2009-03-30T07:12:09.398-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Ubuntu'/><category scheme='http://www.blogger.com/atom/ns#' term='gnome'/><title type='text'>Where does Ubuntu mount servers that you connect to using Gnome?</title><content type='html'>OMG, I finally figured this out, and it was totally by accident.  
For the longest time I haven't been able to figure out how to access a share from the command prompt if I connected to it in Gnome.  On an Ubuntu system, when you click on Places -&gt; Connect to Server and you provide all the information then you can get access to a server share.  But where was it actually mounted on the filesystem?  Well, I just found out and it was totally by accident.&lt;br /&gt;&lt;br /&gt;So some of you will probably think I'm a dork because it took me so long to find it, and I'm a little embarrassed to be posting this.  But I also have my rule that if it took me more than 15 minutes to figure something out, then I should put it on the Internet for someone else.&lt;br /&gt;&lt;br /&gt;The reason I wasn't finding it before is because I was using the mount command to show me everything that was mounted on my machine.  Then I looked for the name of the server to show up, and I didn't see it.  So I assumed that it wasn't mounted or was mounted in some strange way.  Today, I had to open up a web page that I keep stored on one of those shares and I glanced up at the path.  There I saw that there was a hidden folder in my home directory called .gvfs.  I looked at my mount output again and saw this line:&lt;br /&gt;&lt;pre&gt;gvfs-fuse-daemon on /home/kevin/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=kevin)&lt;/pre&gt;&lt;br /&gt;So Gnome is using FUSE to mount these file shares, and only a generic entry shows up in the mount table.  I opened up a terminal and navigated to the .gvfs folder in my home directory.  
A quick ls showed me that there was a folder for every server that I had connected to with Gnome.&lt;br /&gt;&lt;br /&gt;So now if you're a dork like me and you didn't know that, you can finally put this question to bed.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-6843326852784241998?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/6843326852784241998/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=6843326852784241998' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/6843326852784241998'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/6843326852784241998'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/03/where-does-ubuntu-mount-server-that-you.html' title='Where does Ubuntu mount servers that you connect to using Gnome?'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-4221009684853744116</id><published>2009-03-29T20:50:00.000-07:00</published><updated>2009-03-30T03:22:39.728-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><category scheme='http://www.blogger.com/atom/ns#' term='video tutorial'/><title type='text'>Pointsec Video: Single Sign on in the Pre Boot 
Environment</title><content type='html'>I just put the finishing touches on a new Pointsec video.  This time we go through the process of setting up Single Sign on so that your users don't have to log on twice, but you can still enjoy the security of Pre Boot authentication.  Enjoy.&lt;br /&gt;&lt;br /&gt;Also, I have recorded this video in a higher resolution, but I'm not going to force it to display in that higher resolution.  If you've got a wide bandwidth pipe and you want to be able to see more clearly, click on the HD button at the bottom right of the video.&lt;br /&gt;&lt;br /&gt;&lt;object width="560" height="340"&gt;&lt;param name="movie" value="http://www.youtube.com/v/YDBVetCwlaI&amp;hl=en&amp;fs=1&amp;rel=0"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/YDBVetCwlaI&amp;hl=en&amp;fs=1&amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="560" height="340"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-4221009684853744116?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/4221009684853744116/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=4221009684853744116' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4221009684853744116'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4221009684853744116'/><link rel='alternate' type='text/html' 
href='http://www.blackfistsecurity.com/2009/03/pointsec-video-single-sign-on-in-pre.html' title='Pointsec Video: Single Sign on in the Pre Boot Environment'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-6282971461737965640</id><published>2009-03-28T19:45:00.000-07:00</published><updated>2009-03-28T20:05:35.675-07:00</updated><title type='text'>Recent Changes and upcoming material</title><content type='html'>It's been an exciting time here at Blackfistsecurity.com, and even though I haven't updated the blog in a week, it's not because I don't have anything interesting coming down the pipe.&lt;br /&gt;&lt;br /&gt;About a month ago I redesigned the blog site so that it wouldn't look like so many of the other security bloggers out there.  The blog was completely reskinned, and I added the twitter feed on the right.  I'm really glad I did that.  One of the things I want to avoid on my blog is having a lot of blog entries that just point to someone else's material...unless I have something substantial to add to the conversation.  Generally, I would prefer to have a smaller number of updates and provide original content and original thoughts.  I set a goal that in 2009 I would like to get out one update per week and so far I'm ahead of schedule.  From what I can tell I will be able to remain on schedule for the foreseeable future too.  But sometimes there are good articles out there that need to be mentioned.  Sometimes there is non-professional stuff that I want to share, but it doesn't really belong on my security blog.  That's where the twitter feed comes in.  
That's the place that I'll brag about the Minnesota State Mankato women's basketball team becoming the NCAA division II champions, and post links to articles that I can't add anything to.  I feel that it has really rounded out my blog a bit.&lt;br /&gt;&lt;br /&gt;At the same time, I've been trying to build a bit of brand identity and hopefully land the occasional moonlighting gig.  I started working with someone to create the blackfist logo that I'm using now, but that process wasn't working out well for me.  So eventually I said to heck with it and decided to see what I could make on my own.  I am a fairly decent artist in my own right, after all.  I have to say, I think the new logo gives the image that I'm looking for.  I like to consider Blackfistsecurity to be the Rage Against the Machine of information security, and my logo is supposed to reflect a kind of professionalism that just barely contains the raw energy of the Black Fist.  &lt;br /&gt;&lt;br /&gt;So what is coming up?  Well, more Pointsec videos for sure.  The Pointsec stuff has been my main draw so far, and I don't want to get away from that.  I was working on a video for setting up temporary user accounts and Single Sign on when my laptop was claimed by Full Disk Encryption for Mac.  So that has been delayed, but I hope to get that finished and online in the next week.  I'm also looking at putting together videos on Remote Help and Installation profiles.&lt;br /&gt;&lt;br /&gt;I hope to keep everyone posted on my attempts to impose a Change Management process on a hostile environment.  There hasn't been a lot of movement in the last few weeks so there isn't much to say right now.&lt;br /&gt;&lt;br /&gt;I also started another project that I'm really looking forward to sharing here on the blog.  The PCI DSS requires merchants that have applications in scope to either hire an external code audit, or place their applications behind an Application Layer Firewall.    
If you've had to buy one of these things then you know that a really good one isn't cheap and a really bad one is, well, really bad.  A few weeks ago I set out to build an open source Application layer firewall and I'm fairly proud of the results.  I documented the process along the way and I have about five blog entries that are in need of a bit more editing and will be ready to post.&lt;br /&gt;&lt;br /&gt;So look for that exciting stuff to come, and let me know if there is anything else you would like to see on the blog.  Thanks for reading,&lt;br /&gt;Kevin&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-6282971461737965640?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/6282971461737965640/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=6282971461737965640' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/6282971461737965640'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/6282971461737965640'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/03/recent-changes-and-upcoming-material.html' title='Recent Changes and upcoming material'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-3780094991566270368</id><published>2009-03-23T07:35:00.000-07:00</published><updated>2009-03-23T12:01:08.604-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='mac'/><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><title type='text'>FDE for Mac is giving me the blues....again</title><content type='html'>Back on March 4th I wrote up a post about the trouble I had installing Pointsec for Mac 3.1.  After I got past all of that, I was able to function normally and I haven't had any trouble until today.  My precious Mac won't boot.  I can't even get to the Pre Boot Environment to log in.  When I power up the machine, I get a black screen with this message:&lt;br /&gt;&lt;pre&gt;Booting devicepath Acpi (PNP0A03,0)/Pci(1Fl2)/?/HD(Part3,Sig3EE4ECEF-7BED-CDC6-1B2D-E46AEB45FE67)/Pointsec\\ppbe_main_x86_64.efiChanged current root to: 3EE4ECEF-7BED-CDC6-1B2D-E46AEB45FE67&lt;br /&gt;open file esp:ppc.log&lt;br /&gt;LOG: 0 1 2009-03-23 13:10:37 EFI firmware spec: 1.10&lt;br /&gt;&lt;br /&gt;LOG: 0 1 2009-03-23 13:10:37 EFI firmware vendor: Apple&lt;br /&gt;&lt;br /&gt;LOG: 0 1 2009-03-23 13:10:37 EFI firmware revision 0x1000a&lt;br /&gt;&lt;br /&gt;LOG: 0 1 2009-03-23 13:10:37 failed to open file uninstall.dat - Not Found&lt;br /&gt;LOG: 0 1 2009-03-23 13:10:37 failed to open file recovery.dat - Not Found&lt;br /&gt;LOG: 0 1 2009-03-23 13:10:37 found raw file ppc.db (262144, 2000000)&lt;br /&gt;&lt;br /&gt;LOG: 0 1 2009-03-23 13:10:37 found raw file ppc.db (262144, 2000000)&lt;br /&gt;&lt;br /&gt;LOG: 0 1 2009-03-23 13:10:37 Couldn't initialize container subsystem from raw:ppc.db&lt;br /&gt;FATAL ERROR: Look above for possible cause!&lt;br /&gt;&lt;br /&gt;* Hit any key to continue *&lt;/pre&gt;&lt;br /&gt;&lt;br /&gt;I'm working with 
Checkpoint support to see if I can get my machine working again without having to do a full reinstall.  Now pay attention, noobs!  Unlike most of you that write to me asking how to get back into your encrypted machines, my recovery file was saved onto a network share and I have recent backups of all my data.  So I will not be out in the cold if I have to do a complete reinstall.  However, I'm not looking forward to going through all the work of reinstalling all of my apps and tuning them the way I had them, etc.  I'll keep you posted on how things go.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update 1:&lt;/span&gt; After talking to support, it looks like I'm going to need to create my recovery media and decrypt the drive.  The problem is that I need to convince someone else to let me use their Mac to install Pointsec so that I can create the recovery drive.  Given the rather public nature of my problems with FDE for Mac, that may be a tough sell.  It would be nice if there was a standalone utility that was distributed with FDE that could be used to create a recovery file.  That would be particularly helpful if I was a small business that only owned one computer...namely the broken Mac.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update 2:&lt;/span&gt; I have found a guinea pig and installed FDE on his Mac.  I have not experienced the problems that I had on my own machine.  One possibility that comes to mind is that since this machine has never had an older version of FDE installed, it wasn't as cranky.  The recovery USB device has been created, but I can't seem to get the Mac to boot to it.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Update 3:&lt;/span&gt; I haven't been able to get the USB drive to boot.  I found out that my first problem was that I didn't format it properly.  The drive needs to be formatted with Mac OS Extended (Case-Sensitive, Journaled).  
Then I was able to boot to it by holding down the option key while booting.  However, I ran into a new Pointsec error so I am no closer to decrypting my drive.&lt;br /&gt;&lt;pre&gt;&lt;br /&gt;LOG: 0 1 2009-03-23 18:50:56 open file recovery.dat&lt;br /&gt;LOG: 0 1 2009-03-23 18:50:56 Booting from recovery media&lt;br /&gt;LOG: 0 1 2009-03-23 18:50:56 open file ppc.db&lt;br /&gt;LOG: 0 1 2009-03-23 18:50:56 open file ppc.db&lt;br /&gt;LOG: 0 1 2009-03-23 18:50:56 New container file : ppc.db&lt;br /&gt;LOG: 0 1 2009-03-23 18:50:56 Doing user-acquisition, skipping directly to boot.&lt;br /&gt;LOG: 0 1 2009-03-23 18:50:56 Got roodguid: 0C79D3EA-32AE-4AC5-BD7B-2F2BED73BCD9&lt;br /&gt;LOG: 0 1 2009-03-23 18:50:56 raw file not found 0C79D3EA-32AE-4AC5-BD7B-2F2BED73BCD9&lt;br /&gt;LOG: 0 1 2009-03-23 18:50:56 PPBE uuid = 3EE4ECEF-7BED-CDC6-1B2D-E46AEB45FE67&lt;br /&gt;LOG: 0 1 2009-03-23 18:50:56 Found root-device in DB, installing block-encryption on BlockIO&lt;br /&gt;LOG: 0 1 2009-03-23 18:50:56 Changed current root to: 670E55E1-E341-43A7-A517-07841C49ADF3&lt;br /&gt;LOG: 0 1 2009-03-23 18:50:56 Booting devicepath Acpi(PNP0A03,0)/Pci(1Fl2)/?/HD(Part2,Sig0C79D3EA-32AE-4AC5-BD7B-2F2BED73BCD9)/\System\Library\CoreServices\boot.efi&lt;br /&gt;Error: Not Found while loading&lt;br /&gt;LOG: 0 1 2009-03-23 18:50:56 Couldn't boot into user-aquisiton mode!&lt;br /&gt;FATAL ERROR: Look above for possible Cause!&lt;br /&gt;&lt;br /&gt;* Hit any key to continue *&lt;br /&gt;&lt;/pre&gt;&lt;br /&gt;Checkpoint support said my hard drive must be going bad, so I'm going to have to completely reinstall my OS and restore from backups.  
Poop.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-3780094991566270368?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/3780094991566270368/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=3780094991566270368' title='9 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3780094991566270368'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3780094991566270368'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/03/fde-for-mac-is-giving-me-bluesagain.html' title='FDE for Mac is giving me the blues....again'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>9</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-3155646972823981457</id><published>2009-03-16T08:46:00.000-07:00</published><updated>2009-03-16T09:13:59.569-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='relayd'/><category scheme='http://www.blogger.com/atom/ns#' term='openbsd'/><title type='text'>Fix it with *nix.</title><content type='html'>I recently had to deal with something that can only be described as an EPIC SECURITY FAIL on the part of a software vendor.  
I'm half tempted to name the vendor just to shame them, but I'm going to refrain on the off chance that what we're seeing is misconfiguration on the part of our system administrator.  Unlikely, but I don't want to get called out if I'm wrong.&lt;br /&gt;&lt;br /&gt;Anyway, we're using this help desk ticketing software that has a reputation for sucking.  I don't know anyone that has used this in real life and didn't say "Oh man, this sucks."  We recently upgraded and along with the upgrade we finally got the ability for users to interact with a web client rather than a Windows-only fat application.  That made me happy until I saw that the authentication portion of the web application was completely unencrypted.  What if we were using Active Directory to log into this thing?  We aren't, but if we were we would have our AD passwords going out in the clear.  Besides, I'm sure that some of us are using the same password for both systems.  So I talked to the system administrator and found out just how deep the depths of sucking in this application are.&lt;br /&gt;&lt;br /&gt;The web client is basically an application running on Apache Tomcat that is distributed as an all-in-one binary bundle of some kind.  That means that we have no way of slapping an SSL certificate on this bad boy or making it run on a different port (like 443).  In other words, we're completely screwed.  Luckily, Black Fist is a wise and resourceful security manager.  I devised a way to make this thing suck less (I cannot completely remove the suction) and make it acceptable to me in some way.&lt;br /&gt;&lt;br /&gt;I decided to build up a reverse proxy in front of the crapplication that would provide SSL encryption and then take steps to make sure that the unencrypted traffic didn't get back on the wire.  We are using a virtual server to provide the application, so the first thing I did was have a second virtual NIC added to the machine in a private network.  
Then I had another virtual machine built up with two NICs: one for the public and one in the same private network.  Then I installed OpenBSD on my proxy server because OpenBSD is sweet.  Yes, I could have used Linux, but I chose OpenBSD. &lt;br /&gt;&lt;br /&gt;Obviously I want to take advantage of the sweet firewall that comes with OpenBSD, so I set up pf as follows.&lt;br /&gt;&lt;blockquote&gt;# Edit /etc/rc.conf to make pf firewall start automatically at system startup.&lt;br /&gt;pf=YES&lt;br /&gt;pf_rules=/etc/pf.conf&lt;/blockquote&gt;and then...&lt;blockquote&gt;# Edit /etc/pf.conf with a basic setup that allows https traffic to my proxy front end&lt;br /&gt;ext_if="vic0"&lt;br /&gt;int_if="vic1"&lt;br /&gt;&lt;br /&gt;# It is a good idea to disable filtering on the loopback if&lt;br /&gt;set skip on lo&lt;br /&gt;&lt;br /&gt;# It is also a good idea to scrub incoming traffic&lt;br /&gt;scrub in&lt;br /&gt;&lt;br /&gt;# This is our default deny rule.  Deny traffic in, but let&lt;br /&gt;# everything out.&lt;br /&gt;block in log on $ext_if&lt;br /&gt;pass out log all keep state&lt;br /&gt;&lt;br /&gt;# This rule allows icmp echo in&lt;br /&gt;pass in inet proto icmp all icmp-type echoreq keep state&lt;br /&gt;&lt;br /&gt;# This rule allows ssh in&lt;br /&gt;pass in log on $ext_if inet proto tcp from any to external_ip port 22 flags S/SA synproxy state&lt;br /&gt;&lt;br /&gt;# This rule allows https in&lt;br /&gt;pass in log on $ext_if inet proto tcp from any to external_ip port 443 flags S/SA synproxy state&lt;br /&gt;&lt;/blockquote&gt;Relayd is going to act as our proxy server because it is built in and simple.&lt;br /&gt;&lt;blockquote&gt;# Edit /etc/rc.conf to turn on relayd at system startup&lt;br /&gt;relayd_flags=""&lt;/blockquote&gt;And then...&lt;blockquote&gt;# Edit /etc/relayd.conf to turn on our proxy server&lt;br /&gt;ext_addr="external ip address"&lt;br /&gt;helpdesk="192.168.1.10"&lt;br /&gt;table &lt;helpdesk&gt; { 192.168.1.10 
}&lt;br /&gt;&lt;br /&gt;#&lt;br /&gt;# Global Options&lt;br /&gt;#&lt;br /&gt;interval 10&lt;br /&gt;timeout 1000&lt;br /&gt;prefork 5&lt;br /&gt;&lt;br /&gt;# Relay and protocol for HTTP layer 7 loadbalancing and SSL acceleration&lt;br /&gt;#&lt;br /&gt;http protocol httpssl {&lt;br /&gt;        header append "$REMOTE_ADDR" to "X-Forwarded-For"&lt;br /&gt;        header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"&lt;br /&gt;        header change "Connection" to "close"&lt;br /&gt;&lt;br /&gt;        # Various TCP performance options&lt;br /&gt;        tcp { nodelay, sack, socket buffer 65536, backlog 128 }&lt;br /&gt;&lt;br /&gt;        ssl { no sslv2, sslv3, tlsv1, ciphers HIGH }&lt;br /&gt;        ssl session cache disable&lt;br /&gt;}&lt;br /&gt;&lt;br /&gt;relay sendtohelpdesk {&lt;br /&gt;        # Run as a SSL accelerator&lt;br /&gt;        listen on $ext_addr port 443 ssl&lt;br /&gt;        protocol httpssl&lt;br /&gt;&lt;br /&gt;        # Forward to hosts in the webhosts table using a src/dst hash&lt;br /&gt;        forward to &lt;helpdesk&gt; port 8180 mode loadbalance \&lt;br /&gt;                check http "/directory/file.html" code 200&lt;br /&gt;}&lt;/blockquote&gt;&lt;br /&gt;A quick reboot just to make sure that everything starts up on boot.  
Sure enough, my firewall rules are in place&lt;br /&gt;&lt;blockquote&gt;$ sudo pfctl -s rules&lt;br /&gt;scrub in all fragment reassemble&lt;br /&gt;block drop in log on vic0 all&lt;br /&gt;pass out log all flags S/SA keep state&lt;br /&gt;pass in inet proto icmp all icmp-type echoreq keep state&lt;br /&gt;pass in log on vic0 inet proto tcp from any to external_ip port = ssh flags S/SA synproxy state&lt;br /&gt;pass in log on vic0 inet proto tcp from any to external_ip port = https flags S/SA synproxy state&lt;/blockquote&gt;and on relayd...&lt;br /&gt;&lt;blockquote&gt;$ relayctl show summary&lt;br /&gt;Id      Type            Name                            Avlblty Status&lt;br /&gt;1       relay           sendtohelpdesk                          active&lt;br /&gt;1       table           helpdesk:8180                           active (1 hosts up)&lt;br /&gt;1       host            192.168.1.10                    99.97%  up&lt;/blockquote&gt;&lt;br /&gt;When I visit my front end ip address on port 443 with my browser, I am seamlessly proxied to the backend server.  All the traffic crossing the wire is encrypted, and the traffic between the proxy server and the real server is in memory on the virtual machine server.  It's not perfect, but a big improvement over sending unencrypted authentication data over the wire.&lt;br /&gt;&lt;br /&gt;There are a couple other things I want to point out.  First of all, I am not a master of pf.  I know it well enough to make things work.  I'm sure that my pf.conf file could use some work.  If you have any suggestions, let me know.  I would love to improve this.  I also know that I didn't have to use a table in relayd.conf.  I chose to do that in case we ever add another server like this.  It's there for future-proofing, not because of necessity. &lt;br /&gt;&lt;br /&gt;I hope this helps somebody out there, or at a minimum gives someone an idea on how to fix some problem they're having with a less conventional technique.  
Anyone that knows me knows that I am all about unconventional.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-3155646972823981457?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/3155646972823981457/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=3155646972823981457' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3155646972823981457'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3155646972823981457'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/03/fix-it-with-nix.html' title='Fix it with *nix.'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-7912180672062371286</id><published>2009-03-11T07:47:00.001-07:00</published><updated>2009-03-11T07:52:44.867-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><title type='text'>Pointsec for PC: Creating an update profile based on an installation profile</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_7Avz7RosatI/SbfQDuyEH_I/AAAAAAAAAKk/lo6ZR7NycXo/s1600-h/face.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 91px; height: 
98px;" src="http://4.bp.blogspot.com/_7Avz7RosatI/SbfQDuyEH_I/AAAAAAAAAKk/lo6ZR7NycXo/s200/face.jpg" alt="" id="BLOGGER_PHOTO_ID_5311943048022990834" border="0" /&gt;&lt;/a&gt;One thing that really annoys my users is having their computers lock after a period of inactivity.  They really don't like having to put a password in and would prefer it if they could leave themselves logged in forever (and probably forget their password in the process).  But when we install Pointsec on a computer it sets the screensaver to lock, and we don't turn that feature off.  Usually I tell users how important that security feature is until they get tired of talking to me and go away, but the other day someone presented a valid reason why his inactivity time needs to be longer.  I decided to make that change to his computer, but I'm not going to do it to everyone.  His valid reason isn't something that applies across the board.  Here is how I'm doing it.&lt;br /&gt;&lt;br /&gt;To start, I opened up my Management Console and went to Profiles.  Right-click on profiles and select New Profile -&gt; Update.  The New Profile Wizard appears.  Click Next to begin.  First you will be asked to give the profile a name.  I'm going to call mine 60-min-screensaver.  You also have to provide a profile protection password.&lt;br /&gt;&lt;br /&gt;Remember, in most cases your profiles are kept on a simple file server and you probably aren't limiting read access to these profiles to a single account.  It is possible, but not commonly done.  In order to prevent people from downloading your profiles and examining them for weaknesses or creating rogue update profiles, you have to specify a profile protection password.  
You cannot continue until you provide that password.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_7Avz7RosatI/SbfPXU_X2II/AAAAAAAAAKc/YSomQjtonwk/s1600-h/update1.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 244px;" src="http://2.bp.blogspot.com/_7Avz7RosatI/SbfPXU_X2II/AAAAAAAAAKc/YSomQjtonwk/s320/update1.jpg" alt="" id="BLOGGER_PHOTO_ID_5311942285185243266" border="0" /&gt;&lt;/a&gt;Now you will be asked if you want to base this profile on an existing profile or the machine's local settings.  I'm going to check this box and continue. On the next page I will have the option to search for the profile that I want to use as my template, or I can use the local machine's settings.  In this case, I'm going to use my installation profile rather than my local settings.  To be honest, I don't remember if I've made changes to my own machine while playing around with stuff.  I know that the installation profile is pristine.  So I'm going to select that, and I'm going to make sure that I have not checked "Base on local settings."  I'm also going to uncheck "Base on Groups" which will automatically uncheck "User Accounts."&lt;br /&gt;&lt;br /&gt;Was that last step really necessary?  Probably not.  I have all the same users and groups on the machines that are out there, so including the group and user configuration in this update profile shouldn't hurt anything.  The reason I unchecked it has to do with the difference between "shouldn't cause a problem" and "won't cause a problem."  If I don't include any group or user information in this update profile, then I know that I won't make any changes to the user and group settings on my computer.  Generally speaking, you want to limit your update profile as much as possible to only cover things that you're going to change.  
You don't have a ton of granularity in limiting the scope of your update profile, but you should exercise the power that you have in that area.  Click Next to continue, and Finish to open up the profile editor.&lt;br /&gt;&lt;br /&gt;This is a pretty simple change to make.  I'm just going to click on the Windows Integrated Logon folder on the left and find the setting called "Set WIL User Screen Saver Timeout."  Double-click and change it to 60.  Then click OK to quit the profile editor.  I'm going to get two warnings.  One is a warning that I have Windows Integrated Logon enabled.  That's fine, I don't want to turn WIL off so I can ignore that warning.  The other message is that "No user has a group authority level high enough to change system settings."  We're getting this message because we stripped all the user and group information out of this update profile.  You couldn't have an installation profile that looked like that, but this update is only going to change that one setting and leave the current users and groups that are on the machine in place.  So even though this profile doesn't have any admin users, the end user's computer will because they already have them.  We can safely ignore this message as well.&lt;br /&gt;&lt;br /&gt;Now in my Management Console I see a profile called 60-min-screensaver.  If I wanted to push this out to everyone on the network, then I could right-click and select publish.  But that's not what I want to do.  Instead I'm going to go over to the file server itself and find my profile storage folder.  In there I'll find the actual profile file.  I'm going to email the file to the user with instructions on how to apply it to his own machine.  Another course of action would be to put the file in the update folder for his particular machine and wait.  
This guy isn't on our network right now so I'm just going to use the email route.&lt;br /&gt;&lt;br /&gt;How do you apply the update profile to a single user's machine without putting it in the update folder?  The answer is shockingly simple... you put it in their work folder.  When a Pointsec machine checks for updates, it really just goes out to the file server and copies the update profiles down to the local hard drive in a folder called work.  The path is C:\Program Files\Pointsec\Pointsec for PC\Work.  Once the profile is in that folder, it is checked to make sure the Update Validation Password is correct and then the settings are applied.  If you manually copy the update file into that folder, you will be doing the same thing.  Somewhere between 5 and 15 seconds after the file is copied, it will disappear, and the settings will be applied.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-7912180672062371286?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/7912180672062371286/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=7912180672062371286' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/7912180672062371286'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/7912180672062371286'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/03/pointsec-for-pc-creating-update-profile.html' title='Pointsec for PC: Creating an update profile based on an installation profile'/><author><name>kevin 
thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_7Avz7RosatI/SbfQDuyEH_I/AAAAAAAAAKk/lo6ZR7NycXo/s72-c/face.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-1099543373181626993</id><published>2009-03-07T19:43:00.001-08:00</published><updated>2009-03-07T19:46:54.981-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='black fist'/><category scheme='http://www.blogger.com/atom/ns#' term='diversion'/><title type='text'>Honestly, it's not mine!</title><content type='html'>My wife was cruising on craigslist the other night and she found a lost and found posting.  I guess someone got in a fight in one of the bars in our town and dropped his black fist hair pick.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_7Avz7RosatI/SbM_S7SfOaI/AAAAAAAAAKM/BtzbRtUpBtc/s1600-h/3n53kc3oeZZZZZZZZZ9234dc4ad95ece21e98.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 155px; height: 300px;" src="http://4.bp.blogspot.com/_7Avz7RosatI/SbM_S7SfOaI/AAAAAAAAAKM/BtzbRtUpBtc/s320/3n53kc3oeZZZZZZZZZ9234dc4ad95ece21e98.jpg" alt="" id="BLOGGER_PHOTO_ID_5310657979985377698" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Just wanted to let you know that I was not the fighter with the black fist pick.  I also just wanted an excuse to put a picture of some black fist paraphernalia up on the web site.  
If you've got any great pictures of black fists or items with a black fist on them, drop me a line.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-1099543373181626993?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/1099543373181626993/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=1099543373181626993' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1099543373181626993'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1099543373181626993'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/03/honestly-its-not-mine.html' title='Honestly, it&apos;s not mine!'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_7Avz7RosatI/SbM_S7SfOaI/AAAAAAAAAKM/BtzbRtUpBtc/s72-c/3n53kc3oeZZZZZZZZZ9234dc4ad95ece21e98.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-2245804796090980190</id><published>2009-03-06T13:30:00.000-08:00</published><updated>2009-03-06T13:33:34.955-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='change management'/><title type='text'>Change Management part 2</title><content type='html'>In my &lt;a 
href="http://www.blackfistsecurity.com/2009/02/change-management-and-some-misc-stuff.html"&gt;last blog posting about change management &lt;/a&gt; I talked about how to start selling change management in a hostile environment.  I mentioned that you should keep some talking points handy and keep track of service affecting outages that could have been prevented if you had a change management process in place.  However, even with all of that sometimes you're going to have to wait for a crisis in order to push change management into reality.  As Rahm Emanuel says "never let a good crisis go to waste."&lt;br /&gt;&lt;br /&gt;I'm not going to go into detail about what happened in my organization, but there was an unplanned change that resulted in thousands of users not having access to services.  The help desk was pissed and that was working its way up the chain of command.  The people that were resistant to change management were already on defense over the unplanned change and they were in a position where they couldn't put up a big fight against change management since that was the cost of forgiveness.  The help desk was demanding change management, and I was the guy who had been banging the change management drum for two years.  It was time to strike.&lt;br /&gt;&lt;br /&gt;The question at this point is how hard should I strike?  If I came out with a complete change management policy complete with change lifecycle, maintenance windows, change management database, and a process for getting permission to make changes, then the resistors would circle the wagons and fight very hard to tear it apart.  I also needed to act quickly.  There was no time to sit back and think about how this should go together.  I needed to take advantage of this momentum.  So I decided to strike very softly.  The groups that were resistant to change management would grudgingly go along with this and not put up too much of a fight if it didn't seem like it was too much of a burden to them. 
&lt;br /&gt;&lt;br /&gt;So we started to have our first change management meetings, even though we hadn't even defined what the different levels of change were (minor, major, routine, etc) or even what changes needed to be discussed at the meeting.  The Vice President just told everyone that each group within IT is expected to send someone to these change management meetings.  I did my best to make sure that the meeting was not a forum to attack anyone, and I wanted to keep it very informal.  I also had to stress over and over that people were not coming to change management meetings seeking permission to make their changes.  One thing I said in these meetings and tried to repeat a few times is "we're not going to get this right on the first try.  There will be mistakes, and we will learn from them."  In these early meetings we just went around the table and talked about what we were planning to do next week.&lt;br /&gt;&lt;br /&gt;Here is where the magic really started to happen in these first few meetings.  The system administrators were not coming to the meetings to get permission to make their changes, but when they presented a change that interfered with another project, they ended up discussing how to resolve the conflict.  Very few people are going to say to their peer "I don't care if you're doing a network backup at 10:00pm, I'm taking the switches down and that's that!" &lt;br /&gt;&lt;br /&gt;The other magical thing that happened was that decisions started being made at these meetings regarding future changes.  You need to write those down and keep them somewhere because those are the seeds that will become your change management policy and procedure down the road.  For example, we decided as a group that routine electrical work that was being done in our datacenter did not need to be reported to the change management group.  I disagreed with that decision, but I can't win every time.  
Regardless, that will someday be enshrined in our change management procedure.  Maybe put together a skeleton policy and procedure, but don't show it to anyone yet.  Let it grow on its own for a while.&lt;br /&gt;&lt;br /&gt;Looking back I think the worst thing I could have done was to announce that we were going to develop a change management policy.  If I had done that it would have given people the opportunity to delay change management until the policy and procedure were absolutely without flaw.  They would have killed change management by demanding perfection.  Instead we're easing into things gradually and I think we're avoiding some of the resistance because everyone has more of a voice than they expected in the process.  We've also scored a few wins where some change was going to cause a problem for another and we were able to resolve that ahead of time.  I'm keeping track of these wins just as I kept track of the failures before we had change management.  You never know when someone is going to pick up the fight again and you'll need ammunition.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-2245804796090980190?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/2245804796090980190/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=2245804796090980190' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/2245804796090980190'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/2245804796090980190'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/03/change-management-part-2.html' title='Change 
Management part 2'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-4784709506525418061</id><published>2009-03-04T06:30:00.001-08:00</published><updated>2009-03-04T12:52:21.580-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='mac'/><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><title type='text'>New Version of Checkpoint FDE for Macs</title><content type='html'>Last night I got a chance to try out the latest version of Checkpoint Full Disk Encryption for Mac, version 3.1.0 build 171. The software is just over a month old and, looking at the release notes, it has a few interesting features like Single Sign On and User Account Acquisition. With SSO, a user only has to log in once to get into their machine, and they don't have to use the workaround that I was using (OS X account auto-login). User Account Acquisition makes it easy to add user accounts to the Pre-Boot Environment without having to manually create an account on each workstation. The user logs in once as normal, and their credentials are sucked into the Pre-Boot Environment. From then on the user can use those credentials in the Pre-Boot Environment. Unfortunately, the whole thing didn't go as smoothly as I would have liked. Here is the harrowing tale of my installation nightmare from last night.&lt;br /&gt;&lt;br /&gt;I downloaded the software from Checkpoint User center. I opened up the DMG and ran the .pkg file inside. 
I went through the usual stuff about license agreements and an overview of the installation process.&lt;br /&gt;&lt;br /&gt;After agreeing to the license agreement, I was asked to select the drive that I want to install this on. I only have one drive on my macbook, so it was an easy choice. Once I selected the drive, I clicked continue and the installation began. Software was installed and then I was asked to provide my license file.&lt;br /&gt;&lt;br /&gt;Next comes the familiar process of creating two user accounts. These screens will seem familiar if you've installed Pointsec on a Windows machine. If not, then just know that you need to create two administrator accounts. This time around I didn't create an account corresponding to my OS X username because I want to try out the user acquisition feature.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_7Avz7RosatI/Sa6g7_bii7I/AAAAAAAAAJ8/uGs8Q4SrXDc/s1600-h/fde-1.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5309357963216063410" style="FLOAT: right; MARGIN: 0pt 0pt 10px 10px; WIDTH: 320px; CURSOR: pointer; HEIGHT: 218px" alt="" src="http://2.bp.blogspot.com/_7Avz7RosatI/Sa6g7_bii7I/AAAAAAAAAJ8/uGs8Q4SrXDc/s320/fde-1.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;One thing that is unique about installing FDE on a Mac is that it asks you if you want to encrypt your entire disk or if you want to select volumes for encryption. This differs from the Windows side where Pointsec automatically selects all of your partitions for encryption and then asks you if you want to change that setup. I selected Encrypt entire hard disk, and chose AES for my encryption algorithm. At this time it looks like AES is the only encryption option. However they must be planning to change that at some point otherwise they wouldn't have a screen asking me which algorithm I want to use.&lt;br /&gt;&lt;br /&gt;Finally I was asked to provide a path for the recovery file. 
I gave it a path and clicked finish. A very quick installation later, I was able to reboot the computer. That is when things got a little weird for me.&lt;br /&gt;&lt;br /&gt;After the reboot I authenticated in the Pre-Boot Environment with one of the admin accounts I created. The computer appeared to boot as normal. Something had changed though because I was brought to the login screen. My computer had been set up to auto-login with my account. It was my way of getting a single sign on environment with the previous version of FDE. Oh well, FDE must have set it back for security reasons. So I logged in and nothing happened. I sat and looked at a blue screen for about 10 minutes. Finally I had to power down the machine to reboot it. This went on for several tries. I was really worried that I was going to have to reload my machine from scratch. In a last ditch effort, I booted into single user mode and followed the directions to mount the root file system. I was looking for an application extension bundle, but I wasn't able to find anything. I rebooted the computer. After logging in at the Pre-Boot Environment and logging in at the OS X log in screen, I got my desktop. OK, cool. I'm not sure why that happened because the only thing I did in single user mode was run fsck and then mount the root file system. Either way, I'm back looking at my desktop. 
OK fine, I'm going into the Management Console to poke around.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_7Avz7RosatI/Sa6h4PYwAQI/AAAAAAAAAKE/Ixpy8oQb5Nw/s1600-h/fdemc1.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5309358998291480834" style="FLOAT: left; MARGIN: 0pt 10px 10px 0pt; WIDTH: 320px; CURSOR: pointer; HEIGHT: 234px" alt="" src="http://1.bp.blogspot.com/_7Avz7RosatI/Sa6h4PYwAQI/AAAAAAAAAKE/Ixpy8oQb5Nw/s320/fdemc1.jpg" border="0" /&gt;&lt;/a&gt;It doesn't look much different from the previous version, except that there is a new folder for User Account Acquisition. The weird thing I'm noticing is that I can't seem to change any of the settings. I can't make adjustments to the password policy and I can't turn on User Account Acquisition. So I called up support to ask them about it. While I was on hold, I kept poking around and it looks like you need to create another group before you can turn on User Account Acquisition. That makes sense to me because you don't want to automatically create users in the System group. So I created a group called users and made changes to the password settings there. Once that group was created, I went back and I was able to turn on User Account Acquisition. I also made sure to enable Single Sign on for the Users group. Alas, when I clicked OK to save the changes I was told that I need to set an acquisition group. Hmmm. I tried renaming my Users group to Acquisition, but that didn't do it for me. Then I noticed that User Account Acquisition has a subfolder called Select Group. I went in there and found options for selecting the group where my Users will be created. However, I wasn't able to select my users group. I suspected that maybe because I hadn't saved my changes yet, that group wasn't available to me. So I turned off User Account Acquisition and clicked OK to save my changes. I exited the Management console and went back in. 
Now I was able to select my Users group for Acquisition. Around this time the support person came back on the line and I told her what happened. She said that I should have been able to change settings right away and that adding a user group shouldn't have made a difference.&lt;br /&gt;&lt;br /&gt;Once I had set up User Account Acquisition, I rebooted the computer. As expected, I was not asked to authenticate in the Pre-Boot Environment and was instead taken to the OS X login screen. I selected my account and logged in. Then I rebooted again. This time I was taken to the Pre-Boot Authentication screen and I was able to log in with my OS X credentials. Sweet.&lt;br /&gt;&lt;br /&gt;Unfortunately I was back in the blue screen of forever hell. I was able to get into my desktop by booting into safe mode though. After booting into safe mode I rebooted again into regular mode. Is this sounding ridiculous yet? But now, finally, I am able to achieve single sign on and have a reasonable boot time.&lt;br /&gt;&lt;br /&gt;I'll be honest with you, I need to do some more testing. I'd like to know if the problems I witnessed were specific to my machine or if this would happen on any computer. I can't imagine that Checkpoint saw problems like this during Quality Assurance testing and still released the product. On the other hand, I haven't done anything unusual with my machine (no Boot Camp or FileVault stuff) and it is only about 9 months old. So if I had these problems I would worry that another user would have the same problems. And I am not about to put my users through this level of hell to get their disk encrypted.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Update:&lt;/strong&gt; After the encryption process was complete, I rebooted my machine and found myself dealing with the blue screen of forever again.  I was able to boot into safe mode again though.  A reboot after safe mode worked properly.  Then I did a full shutdown.  
The machine worked properly when it was powered back on too.  So it seems that when the encrypting process changes state I have to go through the safe boot hoops, but once it stabilizes I don't need to worry about it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-4784709506525418061?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/4784709506525418061/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=4784709506525418061' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4784709506525418061'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4784709506525418061'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/03/new-version-of-checkpoint-fde-for-macs.html' title='New Version of Checkpoint FDE for Macs'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_7Avz7RosatI/Sa6g7_bii7I/AAAAAAAAAJ8/uGs8Q4SrXDc/s72-c/fde-1.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-7627095069607610226</id><published>2009-03-03T10:56:00.000-08:00</published><updated>2009-03-03T11:07:31.689-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><title 
type='text'>Pointsec for PC: Copying your management settings</title><content type='html'>I had an embarrassing moment today while I was in a conference call.  An easy question came in from someone and I wasn't able to answer it right off the top of my head.  I was also frustrated that my computer locked up on me and thwarted my attempts to find the solution for her.  Anyway, here is the question and the answer.&lt;br /&gt;&lt;br /&gt;Let's say you have a workstation that has Pointsec for PC installed on it.  The previous Pointsec administrator used that machine to create his sets and profiles.  Now whenever you want to manage your Pointsec installation you have to go to that machine to get things done.  Is there a way to transfer the settings from that machine to your own?&lt;br /&gt;&lt;br /&gt;The answer is yes, and it is very easy to do.  What you need to do is locate a file called PCMC.cfg and copy it to your workstation.  Remember, the configuration set itself is not stored on your machine, it is on the server that you were using.  Also remember that a set isn't really anything but a list of locations where you're keeping stuff.  Same goes for the profiles.  They are all up on the server.  The Pointsec Management Console provides a convenient view of them, but they are not stored on the machine that the previous administrator was using.  So here is what you need to do:&lt;br /&gt;&lt;br /&gt;Go to the machine that the previous administrator was using and make sure that you don't have the Pointsec management console open.  Now find a file called PCMC.CFG.  On Windows XP systems the file will be located in c:\Documents and Settings\All Users\Application Data\Pointsec\Pointsec for PC\.  On Vista machines the file is located in C:\ProgramData\Pointsec\Pointsec for PC.  Some of these folders will be hidden from you. &lt;br /&gt;&lt;br /&gt;Now go back to your workstation.  Again make sure that you have the Pointsec Management Console closed.  
Copy that file to the corresponding location on your machine based on the Operating System that you use.  Now open the Management Console and voila!  You should have all of the set and profile information available to you now.&lt;br /&gt;&lt;br /&gt;There are a couple things that can trip you up in this process.  The most common one I see is people doing this without shutting down the management console.  When you close the management console, Pointsec saves its current state to the PCMC.CFG file.  So if you copy that file over while the management console is running, and if there are no sets configured in the management console, then when you close out it will save the empty configuration and write over the file you just copied.  Then you call me up and ask "Why isn't this working?"  The other thing you might have a problem with is permissions.  If your user account cannot view the folders on the server then you won't see your profiles in the management console.  This isn't something that you need to work out with Pointsec, you need to work it out with whoever manages that file server.  Pointsec is accessing the server with your user credentials. 
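The copy procedure above as an added Windows PowerShell script, not part of the original post: it looks for PCMC.CFG on the old workstation at the XP and Vista paths the post gives, refuses to run while the Management Console is open (the trip-up described above), backs up any existing PCMC.CFG on this machine, and copies the file into place. Two things are assumptions, since the post does not give them: the old workstation's C: drive is reachable through the \\host\c$ administrative share, and the console's process name is passed in by the caller.

```powershell
# Added example (not from the original post): copy PCMC.CFG from the previous
# administrator's workstation to this one, following the post's procedure.
# Assumptions: \\SourceHost\c$ is reachable, and ConsoleProcessName is the
# image name of the Pointsec Management Console as shown in Task Manager.
# Run from an elevated Windows PowerShell prompt on your own workstation.
param(
    [Parameter(Mandatory = $true)][string]$SourceHost,
    [Parameter(Mandatory = $true)][string]$ConsoleProcessName
)

# The two locations the post gives (Windows XP, then Vista). The folders are
# hidden, but Test-Path and Copy-Item handle hidden items without extra flags.
$RelativePaths = @(
    'Documents and Settings\All Users\Application Data\Pointsec\Pointsec for PC',
    'ProgramData\Pointsec\Pointsec for PC'
)

# Return the full path of PCMC.CFG under the given root, or $null if absent.
function Find-PcmcConfig {
    param([string]$Root)   # 'C:' for this machine, '\\host\c$' for the old one
    foreach ($rel in $RelativePaths) {
        $candidate = Join-Path (Join-Path $Root $rel) 'PCMC.CFG'
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $null
}

# The console rewrites PCMC.CFG when it closes, so a copy made while it is open
# gets overwritten with an empty configuration. The remote check is best effort:
# Get-Process -ComputerName needs remote access to be permitted on that host.
function Test-ConsoleRunning {
    param([string]$ComputerName)
    if ($ComputerName) {
        $procs = Get-Process -Name $ConsoleProcessName -ComputerName $ComputerName -ErrorAction SilentlyContinue
    } else {
        $procs = Get-Process -Name $ConsoleProcessName -ErrorAction SilentlyContinue
    }
    return ($null -ne $procs)
}

if (Test-ConsoleRunning) {
    throw 'Close the Pointsec Management Console on this workstation first.'
}
if (Test-ConsoleRunning -ComputerName $SourceHost) {
    throw ('Close the Pointsec Management Console on {0} first.' -f $SourceHost)
}

$source = Find-PcmcConfig -Root ('\\{0}\c$' -f $SourceHost)
if (-not $source) { throw ('PCMC.CFG not found on {0}.' -f $SourceHost) }

# Destination is the matching folder on this machine. If neither folder exists,
# Pointsec for PC is not installed here and the copy would achieve nothing.
$destination = Find-PcmcConfig -Root 'C:'
if (-not $destination) {
    $destDir = $RelativePaths |
        ForEach-Object { Join-Path 'C:' $_ } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
    if (-not $destDir) { throw 'No Pointsec for PC data folder found on this machine.' }
    $destination = Join-Path $destDir 'PCMC.CFG'
} else {
    # Keep the current file so the change can be undone.
    $backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $destination, (Get-Date)
    Copy-Item -LiteralPath $destination -Destination $backup -Force
    Write-Host ('Existing configuration backed up to {0}' -f $backup)
}

Copy-Item -LiteralPath $source -Destination $destination -Force
Write-Host ('Copied {0} to {1}. Open the Management Console to confirm the sets and profiles appear.' -f $source, $destination)
```

The permissions caveat still applies after the copy: the sets and profiles only show up if the account running the console can read the server folders that PCMC.CFG points at.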
&lt;br /&gt;&lt;br /&gt;Hope that helps someone out.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-7627095069607610226?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/7627095069607610226/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=7627095069607610226' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/7627095069607610226'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/7627095069607610226'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/03/pointsec-for-pc-copying-your-management.html' title='Pointsec for PC: Copying your management settings'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-4062964267678002724</id><published>2009-02-27T06:33:00.000-08:00</published><updated>2009-02-27T11:40:17.376-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><category scheme='http://www.blogger.com/atom/ns#' term='video tutorial'/><title type='text'>Pointsec Video: Windows Integrated Login</title><content type='html'>Here is the latest Pointsec instructional video from Black Fist.  Today we're going to cover Windows Integrated Logon; how to set it up and what it looks like for your users.  
It's a short video because it's really easy to do.  Enjoy.&lt;br /&gt;&lt;br /&gt;&lt;object width="600" height="400"&gt;&lt;param name="movie" value="http://www.youtube.com/v/gclxBC7oD2k&amp;amp;hl=en&amp;amp;fs=1&amp;amp;rel=0&amp;amp;fmt=18"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;embed src="http://www.youtube.com/v/gclxBC7oD2k&amp;amp;hl=en&amp;amp;fs=1&amp;amp;rel=0" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="600" height="400"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Errata:&lt;/span&gt; After I finished making this video I realised that I left something out.  It doesn't change the process of enabling Windows Integrated Logon though, so I decided not to record the whole video over again.  Anyway, I talked about setting Max Failed Windows Logon in the video.  I said that when you set that number and a user has that many failed logon attempts then the computer will reboot and force authentication in the Pre-Boot Environment.  What I failed to mention is that this functionality is not working in Vista right now.  
So if you're testing this out on Vista you might beat your head against a wall for a while.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-4062964267678002724?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/4062964267678002724/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=4062964267678002724' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4062964267678002724'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4062964267678002724'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/02/pointsec-video-windows-integrated-login.html' title='Pointsec Video: Windows Integrated Login'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-2128493196204310166</id><published>2009-02-25T08:17:00.000-08:00</published><updated>2009-02-27T11:40:02.594-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><title type='text'>Pointsec certificate expiring - may cause upgrade problems</title><content type='html'>This morning Checkpoint released a bulletin about a problem affecting Pointsec for PC version 6.2.0 (with HFA1 or HFA2) and 6.3.0.  
The certificate that the software uses to validate recovery files and log files has expired.  As a result, recovery files and log files are not being updated anymore, and new installations of these software versions will fail.&lt;br /&gt;&lt;br /&gt;It is also possible that you're going to see some error messages such as "The installed license number is no longer valid" or "-1"&lt;br /&gt;&lt;br /&gt;The good news is that your data is still secure.  I talked to Checkpoint support and they assured me that you are still able to create recovery media based on the recovery files that have already been written.  You can also use the crerec.exe (located in c:\program files\pointsec\pointsec for pc) to force creation of a new recovery file.  Checkpoint has hotfixes available if for some reason you're not able to upgrade, but this certificate expiration problem will not prevent you from upgrading if you choose to go that route.&lt;br /&gt;&lt;a href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk37325"&gt;Notice from Checkpoint&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-2128493196204310166?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/2128493196204310166/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=2128493196204310166' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/2128493196204310166'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/2128493196204310166'/><link rel='alternate' type='text/html' 
href='http://www.blackfistsecurity.com/2009/02/pointsec-certificate-expiring-may-cause.html' title='Pointsec certificate expiring - may cause upgrade problems'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-9045025651557983506</id><published>2009-02-24T07:23:00.000-08:00</published><updated>2009-02-24T07:26:18.730-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='updates'/><title type='text'>Blog is in a state of flux</title><content type='html'>Pardon the construction mess.  Some of the links are broken and others are completely missing.  I decided that I needed to change the look and feel of the blog because there were too many other Information Security blogs out there that were using the same template that I was.  I hope that by making this change my blog can be a little more unique and not blend in so much. &lt;br /&gt;&lt;br /&gt;I also hope to make the layout a little cleaner than before.  I had a little too much "flair" on the blog and it was tough for people to find the things they were looking for.  
I hope to be done with these changes in the next couple days.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-9045025651557983506?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/9045025651557983506/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=9045025651557983506' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/9045025651557983506'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/9045025651557983506'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/02/blog-is-in-state-of-flux.html' title='Blog is in a state of flux'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-4670342648407839769</id><published>2009-02-23T18:09:00.000-08:00</published><updated>2009-02-23T18:24:34.635-08:00</updated><title type='text'>Insider threats, now with numbers!</title><content type='html'>I find myself in a difficult place tonight.  The Ponemon institute has released a study based on a web based survey finding that 59% of fired/laid-off employees steal data on their way out the door.  For the most part, I always prefer to use numbers to back up the claims that I will make to management.  
So rather than say that some unknown percentage of our fired/laid-off workers will steal company data on the way out, I would prefer to say 59% of them will.  On the other hand, I don't have the greatest amount of faith in the Ponemon institute right now.&lt;br /&gt;&lt;br /&gt;You may recall from a couple weeks ago that Ponemon brought us the news that credit card breaches cost an average of $202 per record, and of that $139 was from lost customers.  I explained my rationale for questioning that number, and it was also beat up a bit on the Security Metrics mailing list. &lt;br /&gt;&lt;br /&gt;Unfortunately I can't find the actual study itself.  I used all the usual Google tricks, but it doesn't seem to be on the ponemon.org web site and &lt;a href="http://www.theregister.co.uk/2009/02/23/insider_threat_survey/"&gt;this article&lt;/a&gt; doesn't have a link to follow.  So for now, we have no way of analyzing the report for systemic bias.  As always, I recommend that you take this with a grain of salt and see how much of it applies to your organization before you enshrine it in the gospel of your information security plans.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-4670342648407839769?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/4670342648407839769/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=4670342648407839769' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4670342648407839769'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4670342648407839769'/><link rel='alternate' type='text/html' 
href='http://www.blackfistsecurity.com/2009/02/insider-threats-now-with-numbers.html' title='Insider threats, now with numbers!'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-8911150551896795053</id><published>2009-02-21T14:03:00.000-08:00</published><updated>2009-02-21T14:39:24.079-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='change management'/><title type='text'>Change Management and some Misc stuff</title><content type='html'>Fist up, I want to thank everyone that came out to the Advanced Pointsec / Protector class that I was teaching on Friday.  I hope that everyone learned some new tricks and that everyone had a good time.  Sorry about the hiccups and some of the language, but like I tell my professor friend: The Black Fist show is rated PG-13!  Make sure you hit me up with some of your questions using the contact email that you can find on the right.  And if you need any consulting help....well again there is that contact link on the right.&lt;br /&gt;&lt;br /&gt;OK, let's talk about Change Management, shall we?  There are certain things that everyone who works in IT security knows.  For example, we all know that running anti-virus on our computers is a good move.  We also all know that Change Management is a good thing.  The difference between the two is that the second item is true and the first is a load of crap.  However, it can be a real pain to try to convince other people that Change Management is necessary...especially the people that have to give something up in CM.&lt;br /&gt;&lt;br /&gt;I'm talking about giving up control.  
In my organization there is an application development group, a help desk group, a computer lab group, a networking group, and a server admin group.  There are a couple others, but we'll ignore them for now.  For the most part, Change Management is a process by which the development group, server admin group, and networking group tell the others what they're going to be doing and get their feedback.  Many of them are resistant to CM because they feel that they shouldn't have to ask permission to do what they want to do with the systems they manage.  There is also a legitimate fear that they will be boxed into only making changes in the wee hours of the evening and that there will be no extra compensation or balancing of these hours.  For the others, they are pleased to hear what is being planned and not have as many things come up as a surprise.&lt;br /&gt;&lt;br /&gt;Since I came in the door at my University I have been talking about Change Management and the clear message from my boss was "I'm not listening."  After we had a couple audits that both suggested we implement a CM process the message was "how can we comply with this on paper without changing anything?"  This is why I feel that all IT security managers should try to scratch and claw their way into reporting to the highest ranking figure they can.  In the beginning I reported to someone that does not support CM, but then I managed to get in a position where I reported to someone higher up that was neutral about CM.  And that is really the first step in getting CM off the ground.  You need to get important people to care about it.  
So make sure you've got your bullet points handy when you're selling this.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Transparency - no more secret changes that make everyone ask "WTF just happened?"&lt;/li&gt;&lt;li&gt;Communication - not just improved communication in the department, but also with the customers.&lt;/li&gt;&lt;li&gt;Documentation - A dirty word to be sure, but documenting your processes is a sign of a mature IT shop.&lt;/li&gt;&lt;li&gt;Quality Assurance - This is a chance to make sure that important changes have been tested and that there is a rollback plan if things go poorly.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Coordination - If systems A and B both need to go down, but the administrators of these systems don't know about the other system's change, then they will likely be brought down at different times, causing two separate outages.  Change Management allows your staff to coordinate these events into one single outage.  Better for the help desk and better for your customers.&lt;/li&gt;&lt;li&gt;Best Practice - I know it's crappy to use the "everyone else is doing it" sales pitch, but you can still respect yourself in the morning if you're pushing something that really is good and this bullet point isn't the strongest thing you've got.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;Still, sometimes even a really good list of reasons won't sell Change Management.  In my case I had a boss that was neutral to CM.  Every time I would sell it to the boss, my former boss would unsell it.  The main argument against it was that we haven't had a problem so far that would have been solved by CM (totally not true) and that this process was only adding more bureaucracy to our jobs and wasting man-hours.  So another thing you're going to want to do is keep track of service-affecting changes that caused problems.  Having specifics helps.  For example, we made a change to our wireless controllers that played hell with Vista users for a few months.  
I hate to say it but in some places (like mine) something will have to go really wrong to get  traction behind CM.&lt;br /&gt;&lt;br /&gt;Coming up, I'm going to write about how I got Change Management off the ground after we had a disaster that got me the support I needed.  Here's a hint...start slowly.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-8911150551896795053?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/8911150551896795053/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=8911150551896795053' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/8911150551896795053'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/8911150551896795053'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/02/change-management-and-some-misc-stuff.html' title='Change Management and some Misc stuff'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-2626159600331924710</id><published>2009-02-18T08:41:00.000-08:00</published><updated>2009-02-18T08:46:13.322-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='help'/><title type='text'>Black Fist needs some ideas</title><content type='html'>Well it turns out that my Pointsec 
video tutorial has been popular.  So popular in fact that I'm getting close to my monthly bandwidth limit from www.screencast.com.  I have a couple of options.&lt;br /&gt;&lt;br /&gt;Option one is to wait and see if we actually get enough views to push me over the edge and people can't see the content anymore.  If we don't reach that magic number, then I can go on as I have been.  However, I plan to add more videos in the future and it is unlikely that I'm going to stay under the 2Gb monthly limit for long.&lt;br /&gt;&lt;br /&gt;Option two is for me to start paying for bandwidth.  Screencast.com will give me 25Gb per month for just $10 per month.  &lt;br /&gt;&lt;br /&gt;Option three is to host my content somewhere else.  Anybody know a place that does it cheaper than that?  I really like that I am able to upload the Quicktime video and have a high quality video available.  So I don't want to use something like YouTube or Google Video where the quality goes to crap.  Unless you know something about YouTube that I don't.  Some secret way to get high quality videos online?&lt;br /&gt;&lt;br /&gt;Shoot me some ideas using the email address on the right.  
Click on Contact Black Fist and let me hear some ideas.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-2626159600331924710?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/2626159600331924710/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=2626159600331924710' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/2626159600331924710'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/2626159600331924710'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/02/black-fist-needs-some-ideas.html' title='Black Fist needs some ideas'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-3746350160258276232</id><published>2009-02-12T07:35:00.000-08:00</published><updated>2009-02-25T06:34:35.058-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><category scheme='http://www.blogger.com/atom/ns#' term='video tutorial'/><title type='text'>First Pointsec Video Tutorial</title><content type='html'>So I took some time to put together a video tutorial on a Pointsec topic.  In this case, how to do a simple, manual installation of Pointsec for PC.  Please let me know what you think of the video.  
If it is well received, then I will probably make more in the future on more difficult topics.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;object width="600" height="496"&gt;&lt;param name="movie" value="http://www.youtube.com/v/CXt3u24u8JM&amp;hl=en&amp;fs=1&amp;rel=0"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/CXt3u24u8JM&amp;hl=en&amp;fs=1&amp;rel=0&amp;fmt=18" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="600" height="496"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-3746350160258276232?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/3746350160258276232/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=3746350160258276232' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3746350160258276232'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3746350160258276232'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/02/first-pointsec-video-tutorial.html' title='First Pointsec Video Tutorial'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' 
src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-4874698859700885077</id><published>2009-02-08T21:10:00.000-08:00</published><updated>2009-02-08T21:18:15.724-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><title type='text'>Upcoming Pointsec class in Minnesota</title><content type='html'>Hey, if you're a State of Minnesota employee then you might be able to register for the next Pointsec class that I'm going to be teaching.  The class is scheduled for February 20th in St. Paul.  Check out the link: &lt;a href="http://www.strategicit.org/encryptiontraining.shtml#top"&gt;http://www.strategicit.org/encryptiontraining.shtml#top&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;On the Pointsec side of things, I'm going to be focusing on data recovery.  So there is going to be a lab on creating a BartPE disk to boot an encrypted device, and there is going to be a lab on setting up a hard drive as a slave so you can get at your information from a working Pointsec machine.  I'm also putting in a lab on Network Location Awareness, temporary user accounts, and customizing the Pre-Boot Environment for your organization. &lt;br /&gt;&lt;br /&gt;We're also going to be talking about Pointsec protector, which is also available to State of Minnesota Agencies.  Protector has a lot of neat features and is a big step up from Pointsec Media Encryption in terms of ease of use.  I'm still not certain if it is easier to deploy however. &lt;br /&gt;&lt;br /&gt;Anyway, there are still some seats left so if you are a State of Minnesota employee and you still have some budget available for travel, sign up and come see Black Fist.  
I'll be available for autographs throughout the day.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-4874698859700885077?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/4874698859700885077/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=4874698859700885077' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4874698859700885077'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4874698859700885077'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/02/upcoming-pointsec-class-in-minnesota.html' title='Upcoming Pointsec class in Minnesota'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-1781180252009453574</id><published>2009-02-03T12:30:00.000-08:00</published><updated>2009-02-03T12:53:52.742-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='New School'/><title type='text'>Risk analysis: Cost of breaches and rolling your own numbers</title><content type='html'>In my &lt;a href="http://www.blackfistsecurity.com/2009/01/applying-unknowns-to-annualized-loss.html"&gt;previous post&lt;/a&gt; I talked about how you can apply unknowns to the 
process of developing your Annual Loss Expectancy (ALE).  In the example I gave, we tried to come up with a reasonable estimate of how much money it would cost us per record if some data were exposed.  We went through a process of polling our sales force to see what they had on their machines and we estimated how much it would cost us to account for the missing data and notify the affected persons.  Why didn't we just use the well-known numbers that are thrown around out there?  At the time I wrote that, the general consensus was that the average price per record was $197.&lt;br /&gt;&lt;br /&gt;But now there is new data and the official price per record has gone up to $202 per record.  The good news is that the price per record is not keeping up with inflation!  Unless our currency is deflating, in which case we're in even worse shape than we were last year. I had to hand over my personal information and will suffer through the cold sales calls just so that I can read the PDF, but here is a link where someone else has boiled it down.  &lt;a href="http://treasuryinstitute.org/blog/index.php?itemid=227"&gt;http://treasuryinstitute.org/blog/index.php?itemid=227&lt;/a&gt;.  There is one specific point that I want you to pay attention to: "lost business is the largest component of the cost."  According to the PDF itself, this cost accounts for $139 of the $202 per record.  Ouch.  This cost is based on an increase in customer churn and diminished ability to recruit future customers.  I wish that the PDF had gone into more detail on how these numbers were calculated.  For example, was the churn number just made up from the individual guesses of each survey respondent?  
How do we know that the respondent had any clue about the customer churn rate for his or her organization?&lt;br /&gt;&lt;br /&gt;But those of us that have read The New School of Information Security know that we shouldn't just be taking these numbers from a vendor and accepting them as gospel.  I quote from the good book: "Some people believe that admitting to a security breach will drive away customers.  There is research that shows that in most breaches, no more than a small percentage of customers will leave."  I also quote from the abstract of this research by Alessandro Acquisti, Allan Friedman, and Rahul Telang titled "Is There a Cost to Privacy Breaches?  An Event Study": "We show that there exists a negative and statistically significant impact of data breaches on a company's market value on the announcement day for the breach.  The cumulative effect increases in magnitude over the day following the breach announcement, but then decreases and loses statistical significance."  Looking at stock market value is a very interesting and valid way to measure the impact of a security breach.  If you subscribe to the &lt;a href="http://en.wikipedia.org/wiki/Efficient-market_hypothesis#Theoretical_background"&gt;efficient market hypothesis&lt;/a&gt; (semi-strong form) then you know that the value of a company's stock already reflects all of the publicly known information about a company.  And if you've spent any time reading about &lt;a href="http://en.wikipedia.org/wiki/Predictive_markets"&gt;predictive markets&lt;/a&gt; then you know that a large group of people making decisions with money on the line can result in very good estimates.  
For example, the Iowa Electronic Market was able to predict the outcome of the 2008 Presidential election to within 1/2 of a percent &lt;a href="http://www.biz.uiowa.edu/news/displaystory.cfm?id=2058"&gt;http://www.biz.uiowa.edu/news/displaystory.cfm?id=2058&lt;/a&gt;.  So we can say that the stock market will very quickly adjust the price of a company and give us a good indication of the future earnings potential of that company.  And the research from Acquisti, Friedman, and Telang indicates that the effect of a data breach is not significant after a few days.&lt;br /&gt;&lt;br /&gt;Take a look at this&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_7Avz7RosatI/SYiuszi9v7I/AAAAAAAAAIc/OTlqLGdGcaE/s1600-h/tjx.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 122px;" src="http://3.bp.blogspot.com/_7Avz7RosatI/SYiuszi9v7I/AAAAAAAAAIc/OTlqLGdGcaE/s320/tjx.jpg" alt="" id="BLOGGER_PHOTO_ID_5298677046375727026" border="0" /&gt;&lt;/a&gt; chart of the &lt;a href="http://finance.yahoo.com/echarts?s=TJX#chart3:symbol=tjx;range=20010702,20090202;indicator=volume;charttype=line;crosshair=on;ohlcvalues=0;logscale=on"&gt;stock price of TJX&lt;/a&gt;.    At this point it is difficult to even pick out when exactly they had to make the announcement of their world-famous data breach.  In fact, they were forced to make multiple public statements about the data breach over the course of about a year, and the slope of their price increase was about the same as it was for the period of time before their announcement.  For the record, the story broke in March of 2007.  I tried to see if the same pattern was apparent in the stock charts of Heartland Payment Systems, but the current financial crisis muddies the water.  
Yes, their stock tanked on the day that the breach was announced, but their stock started a downward trend on October 1st of last year along with just about everyone else, so it is hard to say how much of the current price is affected by breach notification and how much is global financial meltdown.  If the slope that started on October 1 had kept going, the price of HPY today would be right about where it is right now.&lt;br /&gt;&lt;br /&gt;So in the case of these new estimates on the price per record of a data breach, we can now say that over half of the cost is made up of something that we can reasonably doubt.  I'm not saying that we should completely discount the cost of lost business, but I do believe that we have reasonable doubt.  And that is why I would rather work out my own estimates of the cost of losing data than count on the estimates of someone else.  Especially a company that wants to sell me something.  I'm not even saying that the report is not valid, but remember that the headline about each record costing an average of $202 is what the company is using to sell you its product.  
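The market-model event study that the cited research relies on, as an added example that is not part of the original post and not the paper's own code. It separates a breach's abnormal return from a market-wide slide of the kind that muddies the Heartland chart; the return series below are constructed, not real TJX or Heartland quotes.

```python
"""Market-model event study, as an added example (not the post's own analysis
or the Acquisti/Friedman/Telang method verbatim).  Abnormal return on day t is
AR_t = R_t - (alpha + beta * Rm_t), with alpha and beta fitted by least squares
on an estimation window before the announcement; the cumulative abnormal
return (CAR) sums AR over the event window.  All return series below are
constructed, not real TJX or Heartland quotes."""


def daily_returns(prices):
    """Simple daily returns from a price series."""
    return [prices[i] / prices[i - 1] - 1.0 for i in range(1, len(prices))]


def fit_market_model(stock, market):
    """Ordinary least squares of stock returns on market returns."""
    n = len(stock)
    mean_s, mean_m = sum(stock) / n, sum(market) / n
    cov = sum((s - mean_s) * (m - mean_m) for s, m in zip(stock, market))
    var = sum((m - mean_m) ** 2 for m in market)
    beta = cov / var
    alpha = mean_s - beta * mean_m
    return alpha, beta


def abnormal_returns(stock, market, alpha, beta):
    """Stock return minus what the market model predicted for that day."""
    return [s - (alpha + beta * m) for s, m in zip(stock, market)]


def event_study(stock, market, event_day, est_len, post_days):
    """Fit on the est_len days ending the day before event_day, then return
    (alpha, beta, ARs for event_day..event_day+post_days, CAR)."""
    est = slice(event_day - est_len, event_day)
    alpha, beta = fit_market_model(stock[est], market[est])
    win = slice(event_day, event_day + post_days + 1)
    ars = abnormal_returns(stock[win], market[win], alpha, beta)
    return alpha, beta, ars, sum(ars)


def raw_cumulative_return(stock, event_day, post_days):
    """What a glance at the chart shows: the unadjusted move over the window."""
    return sum(stock[event_day:event_day + post_days + 1])


# Constructed data: ten estimation days, then an announcement during a
# market-wide slide.  The stock follows alpha=0.0005, beta=1.2 exactly, plus a
# breach shock of -8% on the announcement day that partly recovers afterwards
# (the pattern the event study cited in the post describes).
MARKET = [0.004, -0.012, 0.007, -0.003, 0.010, -0.008, 0.002, -0.015, 0.006,
          -0.001, -0.020, -0.018, -0.011]
ALPHA_TRUE, BETA_TRUE = 0.0005, 1.2
SHOCK = [0.0] * 10 + [-0.08, 0.01, 0.01]
STOCK = [ALPHA_TRUE + BETA_TRUE * m + s for m, s in zip(MARKET, SHOCK)]
EVENT_DAY = 10


if __name__ == "__main__":
    alpha, beta, ars, car = event_study(STOCK, MARKET, EVENT_DAY, 10, 2)
    print("fitted alpha, beta:", round(alpha, 5), round(beta, 3))
    print("raw 3-day move:", round(raw_cumulative_return(STOCK, EVENT_DAY, 2), 4))
    print("market-adjusted CAR:", round(car, 4))
```

On the constructed series the raw three-day move is about -11.7% while the market-adjusted CAR is -6%; the difference is the market slide, which is exactly the part a bare stock chart cannot separate out.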
Instead, look through the document and see if there are data specific to your company or industry that you can incorporate into your own estimates.</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/1781180252009453574/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=1781180252009453574' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1781180252009453574'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1781180252009453574'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/02/risk-analysis-cost-of-breaches-and.html' title='Risk analysis: Cost of breaches and rolling your own numbers'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_7Avz7RosatI/SYiuszi9v7I/AAAAAAAAAIc/OTlqLGdGcaE/s72-c/tjx.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-4240651944583081783</id><published>2009-01-21T05:31:00.000-08:00</published><updated>2009-01-21T06:04:27.698-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='statistics'/><category scheme='http://www.blogger.com/atom/ns#' 
term='metrics'/><category scheme='http://www.blogger.com/atom/ns#' term='NPV'/><title type='text'>Applying Unknowns to Annualized Loss Expectancy</title><content type='html'>I've started putting together a presentation for a conference that I'm writing a proposal for about how you can use security metrics and statistics to make Annualized Loss Expectancy work a little better.  The idea is to get a compromise between the ease of qualitative risk analysis and the accuracy of quantitative risk analysis.  I started writing up an example of what I mean, and it turned out pretty good, so I thought I would share it here.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;How much should we spend on hard disk encryption for our sales force?&lt;/span&gt;&lt;br /&gt;Let's start with a simplifying assumption.  How much do you spend on each record that you lose?  Well that answer might be based on the type of data that is lost, but you can probably come up with a range of numbers that is reasonably accurate.  For example, you know that you're probably going to pay for a stamp for each letter, so you know that it has to be more than 42 cents per record.  You probably have to figure that you're going to put two hours into accounting for the records on each breach.  You should assume that the employee who lost the laptop is also going to lose some time while he is being interviewed by you.  You can expect that your legal department is going to lose a couple hours of time while they draft up a letter to everyone involved.  So at an absolute minimum, you know that it is going to cost five or six hours of employee time plus 42 cents per record.  A quick look on the web shows that companies that sell expensive software want you to believe that the average cost is $197 per record.  That's probably a reasonable high end of the range. &lt;br /&gt;&lt;br /&gt;Next it would be nice to know how many records are on the average sales laptop.  That's really not too hard to do.  
Get a list of all the sales people and find out how many you would need to sample to be 95% confident with a 3% margin of error.  Let's say you've got 50 sales people.  A quick Google search finds me a sample size calculator.  When I plug in my numbers it says that I need to sample 48 of my 50 sales people if I want that kind of accuracy.  Crap, I'm not going to do that.  But I know from the rule of five from statistics that if I randomly sample 5 of them, I am 93% certain that the true median falls between the top and bottom of that range.  So let's randomly sample five of them and check out what is on their laptops right now.  In this hypothetical scenario, I found that the laptops had 250, 128, 64, 0 and 0 records.  I don't want to run into a divide-by-zero error, so I'll set a floor of one record.  So I can set a range of 1 to 250 records on each laptop.&lt;br /&gt;&lt;br /&gt;Let's assume that HR comes back and tells us that the average employee salary is $54/hour with a standard deviation of $14/hour.  We decided that each laptop was going to require at least 6 hours of staff time regardless of how many records are in place.  So if there is one record on the laptop, then we have a cost per record of ($54 * 6) + 42 cents.  That's $324.42 per record.  If there are 250 records then the cost is $1.72 per record.  That $324 per record doesn't withstand my smell test, so I'm going to throw it out in favor of the $197 per record cited above.  That means that when a laptop is stolen from our sales force, we should expect that it will cost between $1.72 per record and $197 per record and that there will be between 1 and 250 records exposed.  That gives us a cost range of $1.72 to $49,250 for a single loss. &lt;br /&gt;&lt;br /&gt;There are ways that we could get tighter numbers if we really needed them.  
We could actually sit down and survey 48 of our 50 sales people so that we would be more confident about the number of records on each sales person's laptop computer.  We could also run our numbers through a Monte Carlo simulation to see if we get a tighter distribution of costs.  All that would be unnecessary, however, if we found that even based on our broad estimation of costs, the software was too expensive to implement.  Based on the parameters that we established above, I ran a small simulation and came up with an average of $6.67 per record with a standard deviation of $11.96.  We know that there is a 66% chance that the true average is within one standard deviation of the mean, but we should also expect that we still won't have a scenario where the cost dips below $1.72 per record.  So now we can say with a fairly high degree of certainty that the average cost per record will be between $1.72 and $18.63.  And that gives us a single loss expectancy between $1.72 and $4,657.&lt;br /&gt;&lt;br /&gt;Now we're getting numbers that don't seem unreasonable, and you can really tell your managers that you didn't just make something up.  There is real math, using real numbers, behind this.  What if you were trying to justify spending $5000 on disk encryption for your sales team and you expect the software to be useful for five years?  You would only need to have two laptop thefts in the next five years to make this a good decision.  You can repeat the same processes above to get a strong estimate of the number of laptop thefts that you're likely to suffer. &lt;br /&gt;&lt;br /&gt;Also, remember to bring all of your costs back to today's dollars using Net Present Value.  The total cost of your software today should include the discounted cost of employee time next year and software maintenance for next year.  Decide how many years you're going to assume for the useful life of the product.  Same goes for your losses.  
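The whole procedure, from the sample-size step through the simulation to the present-value step, as an added example that is not the author's spreadsheet or simulation. It assumes a normally distributed hourly rate, a uniform record count and the $197 cap, so its simulated mean and standard deviation will not reproduce the post's $6.67 and $11.96; because the fixed staff cost is spread over the records, it also never produces the $49,250 extreme of the naive range.

```python
"""Worked version of the laptop-loss estimate from this post.  This is an added
example, not the author's spreadsheet or simulation; the model choices below
(normal hourly rate, uniform record count, per-record cost capped at the
vendor's $197 figure) are my assumptions about what the post describes."""
import math
import random
import statistics

POSTAGE_PER_RECORD = 0.42              # one stamp per notification letter
FIXED_HOURS = 6                        # staff time per lost laptop, whatever the record count
MEAN_HOURLY, SD_HOURLY = 54.0, 14.0    # HR's figures from the post
MIN_RECORDS, MAX_RECORDS = 1, 250      # sampled range; floor of 1 avoids divide-by-zero
VENDOR_PER_RECORD = 197.0              # high end of the per-record range


def sample_size(population, margin=0.03, z=1.96, p=0.5):
    """Cochran's formula with finite-population correction, i.e. what the
    online sample-size calculator in the post computes (50 people, 3% margin,
    95% confidence gives 48)."""
    n0 = z ** 2 * p * (1 - p) / margin ** 2
    return math.ceil(n0 / (1 + (n0 - 1) / population))


def rule_of_five_confidence(n=5):
    """Chance that the true median lies between the smallest and largest of n
    random samples: 1 - 2 * 0.5**n, i.e. 93.75% for five."""
    return 1 - 2 * 0.5 ** n


def cost_per_record(records, hourly_rate=MEAN_HOURLY, cap=VENDOR_PER_RECORD):
    """Fixed staff cost spread over the exposed records, plus postage.  With
    cap=None you get the raw $324.42 for a one-record laptop that the post
    throws out; with the default cap that case is held at $197."""
    records = max(records, MIN_RECORDS)
    raw = hourly_rate * FIXED_HOURS / records + POSTAGE_PER_RECORD
    if cap is None:
        return raw
    return min(raw, cap)


def single_loss(records, hourly_rate=MEAN_HOURLY):
    """Single loss expectancy for one stolen laptop holding `records` records."""
    return cost_per_record(records, hourly_rate) * records


def naive_loss_range():
    """The post's bound: cheapest per-record cost times fewest records, up to
    the vendor figure times the most records (1.72 .. 49,250)."""
    low = round(cost_per_record(MAX_RECORDS), 2) * MIN_RECORDS
    high = VENDOR_PER_RECORD * MAX_RECORDS
    return low, high


def simulate(trials=20000, seed=1):
    """Monte Carlo over hourly rate and record count.  Because the fixed cost
    is spread over the records, a high per-record cost only occurs with few
    records, so simulated losses never approach the naive 49,250 ceiling."""
    rng = random.Random(seed)
    per_record, losses = [], []
    for _ in range(trials):
        rate = max(rng.gauss(MEAN_HOURLY, SD_HOURLY), 0.0)   # no negative wages
        records = rng.randint(MIN_RECORDS, MAX_RECORDS)
        c = cost_per_record(records, rate)
        per_record.append(c)
        losses.append(c * records)
    return {
        "per_record_mean": statistics.mean(per_record),
        "per_record_sd": statistics.pstdev(per_record),
        "per_record_min": min(per_record),
        "per_record_max": max(per_record),
        "loss_mean": statistics.mean(losses),
        "loss_max": max(losses),
    }


def present_value_of_annuity(annual_amount, rate, years):
    """Present value of the same loss every year for `years` years."""
    return sum(annual_amount / (1 + rate) ** t for t in range(1, years + 1))


def npv(annual_loss_avoided, project_cost_today, rate, years):
    """Positive means the control pays for itself in today's dollars."""
    return present_value_of_annuity(annual_loss_avoided, rate, years) - project_cost_today


def break_even_incidents(project_cost, sle):
    """How many losses of size `sle` the project must prevent to cover its cost."""
    return math.ceil(project_cost / sle)


if __name__ == "__main__":
    print("sample size for 50 people at 3%, 95%:", sample_size(50))
    print("per-record cost, 1 and 250 records:",
          round(cost_per_record(1, cap=None), 2), round(cost_per_record(250), 2))
    print("simulation:", simulate())
    print("PV of five years of $4,657 at 4%:",
          round(present_value_of_annuity(4657, 0.04, 5), 2))
```

Note that sampling the hourly rate lets the per-record cost fall below the post's $1.72 floor, which was computed at the $54 mean rate; and for the post's inputs ($4,657 a year, 4%, five years) present_value_of_annuity returns $20,732.14.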
If you assume a loss of $4,657 per year, and a discount rate of 4%, then the present value of those losses is $20,372.14.  Subtract the present value of the cost of your software project and you've got NPV.  If NPV is positive, then you've got a good project.  If not, then you should look at other ways you can improve the situation for less money.</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/4240651944583081783/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=4240651944583081783' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4240651944583081783'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4240651944583081783'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/01/applying-unknowns-to-annualized-loss.html' title='Applying Unknowns to Annualized Loss Expectancy'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-4341387265602774062</id><published>2009-01-14T08:33:00.000-08:00</published><updated>2009-01-14T08:52:56.386-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><title type='text'>Forensics: Live memory 
analysis</title><content type='html'>I just saw a link to this video on the Volatility blog and I wanted to share it here.  Normally I try not to retread stuff that was just said somewhere else, but I also really want to hype up this video.  If you've been wondering why the forensic community is putting more focus on live system analysis and specifically memory analysis then you should definitely watch this video.&lt;br /&gt;&lt;a href="http://vimeo.com/2810702"&gt;http://vimeo.com/2810702&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In the video, the presenter touches on some of the stickier points of live system analysis, namely that some of the forensic hardliners disapprove.  The main point of disapproval is that these tools will make changes to the system, and we try to avoid doing that.  That is true and valid, but I've come to find that RAM contains artifacts so valuable that only a fool would throw it away. &lt;br /&gt;&lt;br /&gt;Mike Murr, who taught a forensics class that I took a couple years ago, talked about it briefly.  I remember that he compared memory analysis to holding the shutter open on a camera.  The resulting picture will be blurred in some places because things were changing while the film was being exposed.  However, that doesn't mean that you can't get useful data from it.  Imagine a courtroom, for example, where you've placed a camera in the back with the shutter open.  When you develop the photo you're still going to be able to make out features of the room.  You would know if there was an open window in the front for example.  You probably couldn't make out the faces of the jurors, but you could probably tell if there weren't 12 of them.  So while you don't get an exact copy, and you've made some changes to the system, it is still a worthwhile effort. &lt;br /&gt;&lt;br /&gt;So for my brethren in Higher Ed especially, please consider working memory analysis into your incident response plans.  
Even if you don't have the expertise to examine the image yourself, you can easily gather vital evidence that may be useful to law enforcement agencies if you ever need their help.  Check out the video above, and then practice using tools like Win32DD to gather memory images.</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/4341387265602774062/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=4341387265602774062' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4341387265602774062'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/4341387265602774062'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/01/forensics-live-memory-analysis.html' title='Forensics: Live memory analysis'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-6570984304301660015</id><published>2009-01-08T12:58:00.001-08:00</published><updated>2009-01-08T14:07:48.798-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='bullshit'/><title type='text'>Fear and Terror!  
All your data are being stolen!</title><content type='html'>Wow, this is just asinine, with emphasis on the ass part.  &lt;a href="http://news.bbc.co.uk/2/hi/technology/7816446.stm"&gt;http://news.bbc.co.uk/2/hi/technology/7816446.stm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This article is telling everyone that if you really want your data to be safe when you throw away your computer, you need to beat the thing to a pulp with a hammer.  &lt;blockquote&gt;The most straightforward solution, according to Which?, is complete destruction - and it recommends using a hammer.&lt;br /&gt;&lt;br /&gt;If you're that worried, get rid of it properly: burn it or put it in acid.&lt;/blockquote&gt;Frankly, I think that this article is irresponsible.  In a nutshell, the article is saying that yes, you can find software out there that will erase your data securely, but the only way to be completely positive is if you beat your hard drive with a hammer.  This, I believe, does a disservice to the non-computer experts of the world.  Consider a case of two identical hard drives, one beaten to pieces and the other overwritten a single time with random data.  Which one would be easier to retrieve data from? &lt;br /&gt;&lt;br /&gt;The answer is the broken one.  Now I wouldn't want to be the guy to have to do it, but you can piece together all those broken platters and recover data from them.  I was watching Forensic Files a few months ago and they had a case where someone had cut up a 5 1/4 inch floppy drive with scissors and the Department of Defense was able to piece it back together and get the data.  
On the other hand, recovering data that has been overwritten with other data is as close to impossible as I would say you can get, and it becomes less possible as hard drive densities increase.&lt;br /&gt;&lt;br /&gt;Once upon a time there was a man named Peter Gutmann who suggested that with the use of an electron microscope you might be able to figure out what was once written to a part of a hard drive that had been overwritten.  That led people to come up with policies like "you have to overwrite 7 times before it is safe to dispose of."  However, despite all the assurances I've heard that it can be done, nobody knows anyone that has actually done it.  A couple years back I took a forensic class with Mike Murr from the SANS institute and he was talking about this very thing.  Everyone knows someone that has done it, but nobody has done it themselves.  &lt;br /&gt;&lt;br /&gt;I should be clear that I'm talking about data that has been deleted and overwritten by the operating system or some other software.  Here is a &lt;a href="http://en.wikipedia.org/wiki/Data_remanence#Feasibility_of_recovering_overwritten_data"&gt;great quote from the Wikipedia entry on the subject&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;Daniel Feenberg, an economist at the private &lt;a href="http://en.wikipedia.org/wiki/National_Bureau_of_Economic_Research" title="National Bureau of Economic Research"&gt;National Bureau of Economic Research&lt;/a&gt;, claims that the chances of overwritten data being recovered from a modern hard drive amount to "urban legend". Daniel Feenberg also points to the interesting fact, that the "18 minute gap" Rosemary Woods created on the tape of Nixon discussing the Watergate break-in, has not been recovered. 
An easy task compared to recovery of a modern high density digital signal.&lt;/blockquote&gt;I'm worried about people like my dad.  He's going to read something like this and instead of looking for some free software to clear his old hard drive, he's going to take it out to the garage and hit it with a hammer.  He's going to go through all that work and possibly give himself a heart attack when he could have sat in his living room chair, watching TV and actually had better protection.  Poor dad.  Please don't let this happen to your dad.  Spread the word that overwriting or encrypting your data is more effective than pulverizing it.</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/6570984304301660015/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=6570984304301660015' title='8 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/6570984304301660015'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/6570984304301660015'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/01/blog-post.html' title='Fear and Terror!  
All your data are being stolen!'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>8</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-1534368230546162840</id><published>2009-01-05T19:22:00.000-08:00</published><updated>2009-01-06T06:49:16.742-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='pointsec'/><title type='text'>Pointsec for PC: Master Boot Record Analysis</title><content type='html'>Occasionally when people are thinking about dual booting computers with Pointsec I get asked about what changes Pointsec makes to the Master Boot Record.  The short answer is, none.  Pointsec installs its boot code to the Volume Boot Sector.  At least that is the stock answer from Check Point. Last night I decided to check it out for myself.  The following is a harrowing tale of forensics and Pointsecery, but if you don't feel like reading it all, then you can take my word for it.  Pointsec doesn't make any changes to the Master Boot Record when it is installed.&lt;br /&gt;&lt;br /&gt;So the first step is to establish my hypotheses.  Here they are:&lt;br /&gt;H1: Installation of Pointsec does not result in changes to the Master Boot Record.&lt;br /&gt;H2: Installation of Pointsec does result in changes to the Volume Boot Sector.&lt;br /&gt;To test my hypotheses, I created a virtual machine using VirtualBox and loaded Windows XP onto the machine.  Then I booted to a Helix disk, which allows me to do forensic analysis of the disk.&lt;br /&gt;&lt;br /&gt;Once inside Helix, I opened up a command prompt so that I could gather the Master Boot Record of my Windows machine.  
For those of you that are not familiar with File System Forensics, the MBR consists of the first 512 bytes on the hard drive for DOS based systems.  I wanted to capture the MBR from this virtual machine on my Mac, so I also opened a command prompt on my Macbook and set up a netcat listener with this command: nc -l 8000 &gt; mbr1.txt.  Back in the virtual machine I used dd to gather the MBR and copy it over the network to my Mac: dd if=/dev/hda bs=512 count=1 | nc ip_address_of_mac 8000.  To sum up, on the Mac, netcat set up a listener on port 8000 and any data sent to that listener was copied to a file called mbr1.txt.  On the virtual machine dd will copy from the hard drive (/dev/hda).  The block size is 512 and we are going to copy one block.  The output of dd will be piped into netcat which will set up a connection and transmit the data.&lt;br /&gt;&lt;br /&gt;Now that I have my MBR copied, I want to create an MD5 hash of it so that I can quickly detect any changes.  On the Mac I typed md5 mbr1.txt and got b8ce0ea32fdf9706ff7b17eac93d7ea4.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_7Avz7RosatI/SWLRRvImZxI/AAAAAAAAAH4/B6AY6X4Koxk/s1600-h/MBR1.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 122px;" src="http://1.bp.blogspot.com/_7Avz7RosatI/SWLRRvImZxI/AAAAAAAAAH4/B6AY6X4Koxk/s320/MBR1.jpg" alt="" id="BLOGGER_PHOTO_ID_5288019015126902546" border="0" /&gt;&lt;/a&gt;Now let's take a look at that Master Boot Record.  I opened up the MBR with a hex editor, in this case xxd: xxd mbr1.txt | less.  There are two important things to look at in the MBR, the boot code and the partition table.  The boot code consists of the first 446 bytes of the MBR.  After that you've got the partition table.  
Here is a photo of the one I copied from the virtual machine.  Notice that at the very end you'll find the hex 55aa, which is the signature for the end of the MBR on little-endian systems like mine.  The line labelled 00001b0: is the line where the partition table begins and the last set of four is the specific place where it starts.  It begins with the code 80 which means that this partition is bootable.  On the next line, in the second grouping of four we see the code 07, which means that this is an NTFS partition.  This partition entry ends where all the zeros begin which tells us that there is only one partition on this system.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_7Avz7RosatI/SWLZAK6YVuI/AAAAAAAAAIA/cXllyN3X9-Q/s1600-h/vbs1.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 57px;" src="http://1.bp.blogspot.com/_7Avz7RosatI/SWLZAK6YVuI/AAAAAAAAAIA/cXllyN3X9-Q/s320/vbs1.jpg" alt="" id="BLOGGER_PHOTO_ID_5288027509438830306" border="0" /&gt;&lt;/a&gt;The next thing I wanted to do was get a copy of the Volume Boot Sector, which is also known as the Partition Boot Record (PBR).  So from my virtual machine that had been booted into Helix, I opened a command prompt.  I typed the command fdisk -lu /dev/hda to get a list of partitions, and as expected it came back with one.  The partition starts at sector 63, and since my sectors are 512 bytes in size, that means that it begins 32256 bytes into the drive.  So I set up my netcat listener again and used the following command on Helix to copy the PBR: dd if=/dev/hda bs=1 count=512 skip=32256 | nc ip_address_of_mac 8000.  Once the PBR was copied, I ran an md5 hash of it and got 46223945ddf87f223fc8850483b99cf0.  The picture on the left is the Volume Boot Sector from my virtual machine.  Notice the first three bytes, 0xEB5290.  
This is a jump instruction that tells the computer where to go for its next instruction.&lt;br /&gt;&lt;br /&gt;Alright, so we've established our baselines.  The next step in my experiment was to install Pointsec on my virtual machine.  I went through the installation, rebooted, logged in and waited for the disk to start encrypting.  Then I shut down and booted back into Helix.&lt;br /&gt;&lt;br /&gt;So I basically repeated the same process as above.  I opened a command prompt and copied the Master Boot Record to my Macbook.  &lt;a href="http://1.bp.blogspot.com/_7Avz7RosatI/SWLj1UrPo7I/AAAAAAAAAII/5wsTQI3nEGU/s1600-h/mbr2.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 60px;" src="http://1.bp.blogspot.com/_7Avz7RosatI/SWLj1UrPo7I/AAAAAAAAAII/5wsTQI3nEGU/s320/mbr2.jpg" alt="" id="BLOGGER_PHOTO_ID_5288039417709044658" border="0" /&gt;&lt;/a&gt;Then I ran the md5 hash on the second MBR and found that the hashes are the same.  Pointsec made no changes to the Master Boot Record on the virtual machine.  However, when I checked out the Volume Boot Sector the hashes did not match, which is what I expected.  Further inspection of the Volume Boot Sector showed that the jump instruction at the beginning had changed to something else.  This supports my previous knowledge on the subject of how Pointsec boots.  The computer boots the MBR and the MBR sends the computer to the active partition where the Volume Boot Sector contains additional code.  
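The parse, hash and compare steps of the experiment above, as an added example that is neither the author's dd/md5 commands nor Check Point's code. It splits the MBR into boot code, partition table and signature so a changed hash can be pinned to one region, locates the Volume Boot Sector from the partition entry, and watches the VBR's jump bytes; every sector below is constructed to resemble the post's disk, not captured from a real machine.

```python
"""Baseline-and-compare check for the boot sectors the post examines.  Added
example, not the author's procedure or Check Point's code: the sector bytes
are constructed here to look like the post's disk (one bootable NTFS partition
starting at sector 63), not captured from a real machine."""
import hashlib

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # MBR boot code occupies bytes 0..445
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"        # trailing two bytes of a valid MBR or VBR

PARTITION_TYPES = {0x07: "NTFS/HPFS/exFAT", 0x0b: "FAT32", 0x0c: "FAT32 (LBA)",
                   0x05: "extended", 0x0f: "extended (LBA)", 0x83: "Linux"}


def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 55AA signature")
    entries = []
    for i in range(4):
        e = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        if e == bytes(16):
            continue                        # all zeros: unused slot
        entries.append({
            "slot": i,
            "bootable": e[0] == 0x80,       # active flag, as in the post
            "type": e[4],                   # 0x07 means NTFS
            "type_name": PARTITION_TYPES.get(e[4], "unknown"),
            "start_lba": int.from_bytes(e[8:12], "little"),
            "sectors": int.from_bytes(e[12:16], "little"),
        })
    return entries


def vbr_offset(entry):
    """Byte offset of the partition's Volume Boot Sector (63 * 512 = 32256)."""
    return entry["start_lba"] * SECTOR_SIZE


def region_hashes(mbr):
    """Hash boot code, partition table and signature separately so a change
    can be attributed to one region.  The post used md5; only equality matters."""
    return {
        "boot_code": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partition_table": hashlib.sha256(mbr[PART_TABLE_OFF:510]).hexdigest(),
        "signature": mbr[510:512].hex(),
    }


def changed_regions(before, after):
    """Names of MBR regions whose hash differs between two captures."""
    b, a = region_hashes(before), region_hashes(after)
    return [name for name in b if b[name] != a[name]]


def vbr_jump(vbr):
    """First three bytes of the VBR: the jump the post watched change."""
    return bytes(vbr[:3])


def vbr_oem_id(vbr):
    """Bytes 3..10 of an NTFS VBR carry the OEM ID 'NTFS    '."""
    return bytes(vbr[3:11])


def build_sample_mbr():
    """Constructed MBR: filler boot code, one active NTFS partition at LBA 63."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOT_CODE_LEN, b"\x00")
    entry = (bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xfe, 0xff, 0xff])
             + (63).to_bytes(4, "little") + (2097152).to_bytes(4, "little"))
    return boot_code + entry + bytes(48) + SIGNATURE


# Constructed VBRs: the 'before' starts with the EB 52 90 jump seen in the post;
# the 'after' carries a different (made-up) jump standing in for a pre-boot hook.
SAMPLE_VBR_BEFORE = (b"\xeb\x52\x90" + b"NTFS    ").ljust(510, b"\x00") + SIGNATURE
SAMPLE_VBR_AFTER = (b"\xeb\x3c\x90" + b"NTFS    ").ljust(510, b"\x00") + SIGNATURE


if __name__ == "__main__":
    mbr = build_sample_mbr()
    for p in parse_mbr(mbr):
        print(p, "VBR at byte", vbr_offset(p))
    print("MBR regions changed:", changed_regions(mbr, mbr))
    print("VBR jump before/after:", vbr_jump(SAMPLE_VBR_BEFORE).hex(),
          vbr_jump(SAMPLE_VBR_AFTER).hex())
```

Feeding real captures (the mbr1.txt style files from the post) to changed_regions tells you whether a difference sits in the boot code or only in the partition table, which a single whole-sector md5 cannot.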
Pointsec changes the jump instruction so that instead of running the Windows code, the Pointsec code is run first.&lt;br /&gt;&lt;br /&gt;So let's follow up on my hypotheses:&lt;br /&gt;H1: Proven true in this case by the MD5 hashes.  No changes to the MBR.&lt;br /&gt;H2: Proven true in this case by the MD5 hashes.  Changes to the jump instructions and possibly other changes.&lt;br /&gt;&lt;br /&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/1534368230546162840/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=1534368230546162840' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1534368230546162840'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1534368230546162840'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/01/pointsec-for-pc-master-boot-record.html' title='Pointsec for PC: Master Boot Record Analysis'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_7Avz7RosatI/SWLRRvImZxI/AAAAAAAAAH4/B6AY6X4Koxk/s72-c/MBR1.jpg' height='72' 
width='72'/><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-611257116779501649</id><published>2009-01-05T18:38:00.001-08:00</published><updated>2009-01-05T19:03:20.773-08:00</updated><title type='text'>New Years Resolution for 2009</title><content type='html'>Well another year has come and gone, and we are mercifully nearing the end of the prognostication period: that time of the year when everyone starts gazing into their crystal balls to tell us what the big threats are going to be for 2009.  Generally speaking, I try to avoid making predictions and I try to avoid reading other people's predictions.  However, there is one prediction that I feel safe about: Management is going to freak out about some sexy-sounding problem and throw excessive resources at it at least one time in 2009.&lt;br /&gt;&lt;br /&gt;The reason I don't like to focus on predictions is because I really don't think that they help with anything.  In fact, I'm more likely to develop tunnel vision and look for these specific attack vectors rather than focusing on developing a sound strategy for securing my resources.  So instead of giving you my predictions for 2009, I'm going to tell you about my New Years Resolution for 2009.&lt;br /&gt;&lt;br /&gt;This year I want to put more effort into moving away from using Fear, Uncertainty, and Doubt to get my ideas past management.  I want to start developing metrics that I can use to back up my claims and metrics to prove the value of my suggestions.  This is not an easy task by any measure.  Many times over the course of the year it will be easier for me to spin some voodoo about an unseen threat and get my way.  However, I know that if I can put in the time and develop the discipline to be more scientific in my statements and requests, then it will pay dividends.  For example, there are people in my organization that challenge me on just about every idea that I present.  
If, however, I gain a reputation for having solid data to back up my claims and a track record of showing hard results, then it will become more difficult to impede me.&lt;br /&gt;&lt;br /&gt;The other major resolution I'd like to share for 2009 is that I want to spend as little money as possible on security.  This year I'd like to show that you can achieve compliance and you can improve security without spending a big pile of cash.  The reason I feel this way is because there is so much you can achieve just by implementing the basics.  And the basics are free.&lt;br /&gt;&lt;br /&gt;Some examples of where I've started each of these resolutions are here on the blog.  A few months ago I started a real study into the effectiveness of our passwords and how our password strength is being affected by the recent change in policy.  A couple days ago I shared a script I started developing to automate my detection process for data leaks.  I hope to do more of that in 2009, and I'll try to keep it all documented right here.&lt;br /&gt;&lt;br /&gt;So I hope that 2008 was good to all of you, and I hope that you'll be feelin fine in 2009!</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/611257116779501649/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=611257116779501649' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/611257116779501649'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/611257116779501649'/><link rel='alternate' type='text/html' 
href='http://www.blackfistsecurity.com/2009/01/new-years-resolution-for-2009.html' title='New Years Resolution for 2009'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-1626156984012049155</id><published>2009-01-02T08:41:00.000-08:00</published><updated>2009-05-26T13:20:33.047-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='python'/><category scheme='http://www.blogger.com/atom/ns#' term='google'/><category scheme='http://www.blogger.com/atom/ns#' term='data loss prevention'/><category scheme='http://www.blogger.com/atom/ns#' term='script'/><title type='text'>Improving your Google hacking with Python</title><content type='html'>&lt;span style="font-weight: bold;"&gt;UPDATE:&lt;/span&gt; I made some major improvements to this code which also made it quite lengthy.  You can find the full script &lt;a href="http://krypton.mnsu.edu/%7Ekevin/queryfinder.py"&gt;here.&lt;/a&gt;  The linked version adds support for a whitelist file so you don't get bothered by false positives.  The improved script will also attempt to download the links that it gets from Google and make sure that it doesn't report any dead links to you.&lt;br /&gt;&lt;br /&gt;One of the major information security problems that I have on my campus is that we have a tendency to improperly release data that is supposed to be secret.  The primary vehicle for doing that is faculty members posting grades on the Internet.  
Every semester we have a couple hundred student records that are posted on the Internet, which has created problems for me semester after semester.&lt;br /&gt;&lt;br /&gt;Now before I go on, I should point out that there is nothing wrong with posting student grades on the Internet, as long as the data has been sufficiently anonymized.  If a professor were to assign random numbers to each of his students then the grades could be posted online using the random numbers.  However, most of the time (in violation of campus policies and Department of Education regulations) the grades are posted by Student ID.  That's a no-no.&lt;br /&gt;&lt;br /&gt;But each of our faculty members has their own personal web space where they can put stuff, and I don't have the ability to go through each of them every day and find where grades have been improperly posted, so I use my best friend Google to do it.  I might do a search against Google for any Excel spreadsheet that contains techids and grades that are on my domain:&lt;br /&gt;"techid grade ext:xls site:mnsu.edu"&lt;br /&gt;&lt;br /&gt;That's been my primary way of finding the leaks.  But I wanted something better.  I want to be able to run a script every day and just get the list of links that I need to check out.  So I went to my favorite interpreted programming language, Python.&lt;br /&gt;&lt;br /&gt;Below I've pasted a little script that I've put together to do the searching for me.  I put my search strings into a file called "searchstrings" and this program runs them.  It then pulls out all of the links, and then removes the links that are not on my domain.  Feel free to use this yourself if you want.  I have a few changes that I would like to make.  I plan to add in support for whitelisting links, and specifying which searchstring file you want to process.  But this should show you the basic process that I'm using.  
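The query-file handling and the domain filter described above, reworked as an added Python 3 example (this is not the post's script): links are kept only when their parsed host is the monitored domain rather than when the domain appears anywhere in the string, a whitelist is applied, and all sample data (the searchstrings body, the link list, the whitelist) is constructed for the example.

```python
#!/usr/bin/env python3
# Added example, not the post's script: the query-file handling and link
# filtering described above, in Python 3, with a host-based domain check.
# All sample data below is constructed for the example.
from urllib.parse import urlparse

# Same placeholder domain as the post's script.
MYDOMAIN = "someschool.edu"

# Constructed searchstrings file: '#' comments, blank lines and non-URL
# lines are skipped, as in the post's loop over readlines().
SAMPLE_SEARCHSTRINGS = """# one Google query URL per line
http://www.google.com/search?q=techid+grade+ext:xls+site:someschool.edu

http://www.google.com/search?q=%22student+id%22+grade+ext:pdf+site:someschool.edu
techid grade ext:xls site:someschool.edu
"""

# Constructed list standing in for the href values the post's
# LinksExtractor pulls out of a result page.
SAMPLE_LINKS = [
    "/search?q=techid+grade+ext:xls+site:someschool.edu%26start=10",
    "http://www.google.com/intl/en/about.html",
    "http://www.someschool.edu/~prof/fall08_grades.xls",
    "http://www.someschool.edu/~prof/fall08_grades.xls",
    "http://cs.someschool.edu/classes/cs101/scores.xls",
    "http://www.someschool.edu/registrar/anonymized_sample.xls",
    "http://someschool.edu.example.net/grades.xls",
    "http://evil.example/?ref=someschool.edu",
    "http://www.youtube.com/watch?v=abc",
]

# Constructed whitelist of links already reviewed and found harmless.
SAMPLE_WHITELIST = {"http://www.someschool.edu/registrar/anonymized_sample.xls"}


def load_search_strings(text):
    """Return the query URLs from a searchstrings file body."""
    queries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith(("http://", "https://")):
            continue
        queries.append(line)
    return queries


def on_domain(url, domain=MYDOMAIN):
    """True only when the URL's host is the domain or one of its subdomains.

    A substring test such as url.find(domain) would also accept a link whose
    query string merely mentions the domain, or a look-alike host such as
    someschool.edu.example.net; matching on the parsed host avoids both.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False  # relative links such as /search?... have no host
    host = parsed.hostname or ""
    return host == domain or host.endswith("." + domain)


def filter_links(links, whitelist=(), domain=MYDOMAIN):
    """Keep on-domain links that are not whitelisted, dropping duplicates."""
    kept = []
    seen = set()
    for link in links:
        if not on_domain(link, domain):
            continue  # Google navigation, other sites, look-alike hosts
        if link in whitelist or link in seen:
            continue
        seen.add(link)
        kept.append(link)
    return kept


if __name__ == "__main__":
    for query in load_search_strings(SAMPLE_SEARCHSTRINGS):
        print("would run:", query)
    for link in filter_links(SAMPLE_LINKS, SAMPLE_WHITELIST):
        print("check:", link)
```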
I also stole some of this code from several places around the Internet, so please check out the references that I've put at the top.&lt;br /&gt;&lt;pre&gt;#!/usr/bin/env python&lt;br /&gt;&lt;br /&gt;# This script will connect to google, pull down some search results,&lt;br /&gt;# remove the bullshit and only show me what I want to see.&lt;br /&gt;&lt;br /&gt;# reference: http://docs.python.org/library/urllib.html&lt;br /&gt;# reference: http://cis.poly.edu/cs912/parsing.txt&lt;br /&gt;# reference: http://mail.python.org/pipermail/python-list/&lt;br /&gt;#       2006-December/419591.html&lt;br /&gt;# reference: http://www.velocityreviews.com/forums/&lt;br /&gt;#       t326690-urllib-urllib2-what-is-the-difference-.html&lt;br /&gt;&lt;br /&gt;# This string holds the site domain that you're looking for.  You should specify&lt;br /&gt;# the domain in your Google queries to get tight results.  This string is only&lt;br /&gt;# used as a filter to make sure that you're getting links from your domain&lt;br /&gt;mydomain = "someschool.edu"&lt;br /&gt;&lt;br /&gt;# The sleepiness variable sets how long the program should wait after each Google&lt;br /&gt;# query.  If this number is too low then Google may block your IP.  Generally the&lt;br /&gt;# more queries you're going to run the higher this should be.  
A higher number&lt;br /&gt;# leads to slower performance though.&lt;br /&gt;sleepiness = 3&lt;br /&gt;&lt;br /&gt;# The first thing we want to do is open the file searchstrings and import all of&lt;br /&gt;# the queries we want to run into a list.&lt;br /&gt;searchstringfile = open('searchstrings','r')&lt;br /&gt;searchstrings = searchstringfile.readlines()&lt;br /&gt;searchstringfile.close()&lt;br /&gt;&lt;br /&gt;# Here we set the browser agent string that we're going to send to Google.&lt;br /&gt;# We can't use Python's default since Google doesn't allow that.  Note the&lt;br /&gt;# trailing space on each piece so the joined string reads correctly.&lt;br /&gt;UserAgentString = 'Mozilla/5.0 '&lt;br /&gt;UserAgentString += "(Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.5) "&lt;br /&gt;UserAgentString += "Gecko/2008120121 Firefox/3.0.5"&lt;br /&gt;&lt;br /&gt;# We are going to use urllib2 for this job.  Urllib2 has many (not all) of&lt;br /&gt;# the same features as urllib, but it also allows us to spoof our agent string&lt;br /&gt;# which is necessary to grab data from Google.&lt;br /&gt;import urllib2&lt;br /&gt;&lt;br /&gt;# Now we have to build a request object.  Urllib2 will allow us to just send&lt;br /&gt;# a string to Google which would be a very simple request.  Since we need to spoof&lt;br /&gt;# the agent string, we need to build a more complex request object to pass to&lt;br /&gt;# urllib2.  It is also important to note that the search string must be in the&lt;br /&gt;# request object since Google wants GET requests.  If we were to use POST then we&lt;br /&gt;# would trim the search query off of the URL and uncomment the req.add_data line.&lt;br /&gt;# I also added some code so that I can have comments in the searchstrings file.&lt;br /&gt;requests = []&lt;br /&gt;for eachstring in searchstrings:&lt;br /&gt;  # readlines() leaves the newline on each query, so trim it first.&lt;br /&gt;  eachstring = eachstring.strip()&lt;br /&gt;  if eachstring.find('#') == 0:&lt;br /&gt;    continue&lt;br /&gt;  if eachstring.find('http') == -1:&lt;br /&gt;    continue&lt;br /&gt;  req = urllib2.Request(eachstring)&lt;br /&gt;  req.add_header('User-Agent', UserAgentString)&lt;br /&gt;  # req.add_data('q=lolcat')&lt;br /&gt;  requests.append(req)&lt;br /&gt;&lt;br /&gt;# This code was stolen from one of the references above.  It uses htmllib and a&lt;br /&gt;# null formatter to extract all of the &amp;lt;a&amp;gt; tags from the result and dumps&lt;br /&gt;# them into a list.  When the HTMLParser encounters a tag it runs the start_&amp;lt;tag&amp;gt;&lt;br /&gt;# function.  In this class we overload the start_a function.  Check if there are&lt;br /&gt;# more than zero arguments in the &amp;lt;a&amp;gt; tag, and then extract just the&lt;br /&gt;# href argument.  Append that argument onto the class's list of links.&lt;br /&gt;# FYI, the htmllib.HTMLParser that is passed into the first line of the class means&lt;br /&gt;# that this class is inherited from htmllib.HTMLParser.  That is good to know in case&lt;br /&gt;# you're wondering where the code for htmlparser.feed() is.&lt;br /&gt;&lt;br /&gt;import htmllib, formatter&lt;br /&gt;class LinksExtractor(htmllib.HTMLParser):&lt;br /&gt;  def __init__(self, formatter):&lt;br /&gt;    htmllib.HTMLParser.__init__(self, formatter)&lt;br /&gt;    self.links = []&lt;br /&gt;  def start_a(self, attrs):&lt;br /&gt;    if len(attrs) &gt; 0:&lt;br /&gt;      for attr in attrs:&lt;br /&gt;        if attr[0] == "href":&lt;br /&gt;          self.links.append(attr[1])&lt;br /&gt;  def get_links(self):&lt;br /&gt;    return self.links&lt;br /&gt;&lt;br /&gt;# Now we can create a null formatter and an instance of our class&lt;br /&gt;nullformatter = formatter.NullFormatter()&lt;br /&gt;htmlparser = LinksExtractor(nullformatter)&lt;br /&gt;&lt;br /&gt;# Here we use urllib2 to send our request to Google.  The results are stored in&lt;br /&gt;# a file-like variable called data. I also have the script sleep for a few seconds&lt;br /&gt;# after every request so that Google doesn't think it is under attack.&lt;br /&gt;import time&lt;br /&gt;for eachreq in requests:&lt;br /&gt;  data = urllib2.urlopen(eachreq)&lt;br /&gt;  htmlparser.feed(data.read())&lt;br /&gt;  time.sleep(sleepiness)&lt;br /&gt;htmlparser.close()&lt;br /&gt;&lt;br /&gt;links = htmlparser.get_links()&lt;br /&gt;msulinks = []&lt;br /&gt;&lt;br /&gt;# Now the variable links contains a list of all of the links found on the page.&lt;br /&gt;# Let's go through and remove any of the stuff we're not interested in.&lt;br /&gt;for link in links:&lt;br /&gt;  if link.find(mydomain) == -1: # The link is not on our domain&lt;br /&gt;    continue&lt;br /&gt;  if link.find('http') == -1: # Skip relative links (this also covers https)&lt;br /&gt;    continue&lt;br /&gt;  if link.find('/search?') &gt; -1:&lt;br /&gt;    continue&lt;br /&gt;  if link.find('.google.com') &gt; -1:&lt;br /&gt;    continue&lt;br /&gt;  if link.find('www.youtube.com') &gt; -1:&lt;br /&gt;    continue&lt;br /&gt;  msulinks.append(link)&lt;br /&gt;&lt;br /&gt;for link in msulinks:&lt;br /&gt;  print link&lt;br /&gt;&lt;br /&gt;&lt;/pre&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-1626156984012049155?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/1626156984012049155/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=1626156984012049155' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1626156984012049155'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/1626156984012049155'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2009/01/improving-your-google-hacking-with.html' title='Improving your Google hacking with Python'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-5506078842908896166</id><published>2008-12-23T15:33:00.000-08:00</published><updated>2008-12-23T19:00:03.930-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='bullshit'/><title type='text'>PI licenses for forensics: Texas screws the pooch even harder.</title><content type='html'>I just read &lt;a href="http://legal-beagle.typepad.com/wrights_legal_beagle/2008/12/computer-forensics-private-investigator-license-in-texas.html"&gt;this blog 
posting&lt;/a&gt; from Benjamin Wright talking about some decisions made by the Texas Private Security Bureau.  Benjamin has been keeping a close watch on this issue in Texas and his input on the subject has been very valuable.&lt;br /&gt;&lt;br /&gt;In previous articles, Benjamin has talked about the law in Texas requiring Private Investigator licenses for persons performing digital forensic work and how that law was being used to challenge tickets issued by red-light cameras. &lt;br /&gt;&lt;br /&gt;Now the Texas Private Security Bureau has issued a decision that makes it OK for the red-light cameras to operate, but I'm afraid that it muddies the water about who can and cannot perform digital forensics without a PI license.  And I have to disagree with Benjamin's conclusion that this is probably a step in the right direction.  I have been very clear about my opinion that the whole notion is completely bunk, and this new decision doesn't help the digital forensic field because it allows the government in the state of Texas to sidestep the B.S. that comes with this law, but everyone else still has to shovel it.&lt;br /&gt;&lt;br /&gt;I also think that my reading of the decision left me with a different conclusion about the rationale that the Bureau used to justify their decision than what Benjamin reported on.  The main reason that the Bureau does not see a problem with the red-light cameras is that they are operated by municipalities, and the government is exempt under the Texas law.  The Bureau felt that the contractors are only providing ministerial work for the municipalities.&lt;br /&gt;&lt;br /&gt;I feel that this decision skirts the intent of the law as it was passed.  In theory, the reason this law was passed was to ensure that people's rights were not violated when an untrained, unlicensed person undertook an investigation.  
If we accept for a brief moment that having a PI license does make you more qualified to perform the investigation then this decision is in essence allowing the government to use unqualified persons to perform digital investigations.  I mean, I understand that a police officer is trained in how to gather evidence while protecting people's rights, but these cameras are probably operated by some dude in the IT department.  That dude, by the way, has no more forensic qualification than I do.  So when a private organization wants to investigate something they need to hire someone with a PI license to protect everyone's rights.  But when the government wants to investigate something they don't need to hire someone that has special training on the matter.  The libertarian in me is screaming that the people need just as much protection from their government as they do from corporations.  The government in Texas can use unlicensed investigators to gather evidence against you, but you need to hire a licensed investigator to counter that evidence.&lt;br /&gt;&lt;br /&gt;This decision by the Bureau also leaves us scratching our heads as to how much work an unlicensed investigator can do for the government and still fit the definition of ministerial acts.  For example, the red light cameras are simply gathering evidence.  Does that mean that acquiring a hard drive image is also simply a ministerial act?  What if the investigator takes special steps to gather data from a Host Protected Area or Device Configuration Overlay?  Where does it stop?&lt;br /&gt;&lt;br /&gt;So I am very disappointed with this decision.  By allowing the State government of Texas to avoid the pain of this law, there is a reduced probability that sensibility will prevail and the law will be changed.  
People in Texas are going to be hiring Sam Spade to do their forensic work and talented IT people who have a passion for technology will be kept out of the business.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-5506078842908896166?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/5506078842908896166/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=5506078842908896166' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/5506078842908896166'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/5506078842908896166'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2008/12/pi-licenses-for-forensics-texas-screws.html' title='PI licenses for forensics: Texas screws the pooch even harder.'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-3495644893017522605</id><published>2008-12-18T13:59:00.000-08:00</published><updated>2008-12-18T14:17:36.234-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='phishing'/><title type='text'>Teach a man to phish...</title><content type='html'>If you teach a man to phish, then he'll come to my University and make my life hell.  Actually, I guess a single phisher won't make my life hell.  
Really all of them together aren't making my life hell, they're just making it more hellful. &lt;br /&gt;&lt;br /&gt;A while back I reviewed Adam Shostack's book, "The New School of Information Security."  One of the things he talks about in that book is user awareness training.  Many of us, myself included, track security metrics such as the number of people that are completing our user awareness training rather than looking for metrics that prove the effectiveness of our training.  I haven't been able to put together any studies into the effectiveness of our training because so few of my users have actually done the training.  Nevertheless, I think this story might be interesting to some of you.&lt;br /&gt;&lt;br /&gt;I've mentioned that we've been having a real problem with phishing email.  Just this semester we have had three intrusions into our network by people that have valid credentials which they phished out of our users.  The most recent one was last week.  We detected the problem and locked out the account.  I went through the victim's mail and found where he or she had responded to the phishing message.  Then I called the victim and we had a very interesting conversation.  It turns out that the user was aware that our department does not ask for passwords over email.  The user told me that he or she would never respond to such a message because we have put so much publicity around not responding to phishing messages.  When I pointed the user to the sent item, the user said "Oh no, I remember sending this."&lt;br /&gt;&lt;br /&gt;As we talked the user described complete bewilderment that he or she was suckered in by this.  It seems like even though we had successfully educated this user, the user just automatically responded when the real thing showed up.  I'm not even sure what to make of this evidence.  Does this indicate that our user awareness efforts have been ineffective?  
You could say yes, because the user gave up the password; or you could say no because the user knew better.  Was this just an isolated mistake that won't be repeated by other users?  Do I need to focus more on spreading the word, or do I need to change the word that I'm spreading?  It's a real head scratcher.&lt;br /&gt;&lt;br /&gt;One thing I would like to look into is writing up a plug-in for Microsoft Outlook.  The idea would be to write up some basic rules and if the message matches those rules then the Reply button would be greyed out.  Maybe it would give them some warning message before they can really reply to the message.  Maybe it would notify us in IT if someone responded to a suspicious message.  Prevention is always better than policing, right?&lt;br /&gt;&lt;br /&gt;Any other ideas to fight phishing when your users are just looking for a hook to bite onto?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-3495644893017522605?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/3495644893017522605/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=3495644893017522605' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3495644893017522605'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/3495644893017522605'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2008/12/teach-man-to-phish.html' title='Teach a man to phish...'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-6133008315531905350</id><published>2008-12-09T14:24:00.000-08:00</published><updated>2008-12-10T19:47:49.473-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PCI'/><title type='text'>Editing the PCI DSS, how and why.</title><content type='html'>Anyone that has dealt with PCI knows that it isn't as straightforward as it might appear at first glance.  Many of us find ourselves turning into junior paralegals as we wrangle with definitions and try to figure out if what we're doing meets the requirements or not.&lt;br /&gt;&lt;br /&gt;For example, what is the boundary of the cardholder environment?  Obviously if something processes credit cards or is being used to accept credit card payment then it is part of the cardholder environment.  But what if your Point of Sale (POS) uses your phone system to contact the credit card provider?  Does that mean that your whole phone system is now in scope?&lt;br /&gt;&lt;br /&gt;The latest version of the DSS (Data Security Standard) is a big improvement over the previous versions.  It is much longer, but that extra length provides quite a bit of clarity.  However, that doesn't mean that all doubt will be erased from your mind.  Take this bit of text for example:&lt;br /&gt;&lt;blockquote&gt;At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not.  
However, the adequacy of a specific implementation of network segmentation is highly variable and dependent upon such things as a given network's configuration, the technologies deployed, and other controls that may be implemented.&lt;/blockquote&gt;We might spend a lot of time arguing and looking up references and talking to people to decide if our compensating controls are strong enough.  Maybe we talk to a QSA who tells us what we need to do if we want to pass his audit.  Another thing we might do is search around the Internet and find some answers.  Then if we want to preserve this knowledge we have to put it into some document and save it.  From now on we are cursed to maintain two documents, the answers that we type into the DSS, and our crib notes.  Hell, maybe the tiny comment space in the DSS isn't big enough and we want to be more verbose.  What are we to do?&lt;br /&gt;&lt;br /&gt;Well I've decided that I'm going to keep my edits in the DSS.  I downloaded the .doc version of the DSS and found that I couldn't edit any of the text because the document is protected.  I am also unlikely to guess the protection password.  I tried saving the .doc to a .html to see if I could find the hashed password value but was not successful.  So then I tried opening it up in Pages and voila, I was able to edit the document.  Now I can edit the DSS, add my notes and references, and keep track of my organization's efforts to be compliant.  So if you want to be able to edit your copy of the DSS, just buy a Mac, buy iWork and open it up in Pages.  I can see this technique being particularly useful for QSAs that want to keep some of their auditing practices or notes in the DSS.&lt;br /&gt;&lt;br /&gt;I'm pretty sure that what I did is frowned upon by the Payment Card Industry, so if you go this route you probably shouldn't share your edited document.  Also, I'm not going to share mine so please don't ask me for it.  
Hope this helps someone.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4482521283458453577-6133008315531905350?l=www.blackfistsecurity.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/6133008315531905350/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4482521283458453577&amp;postID=6133008315531905350' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/6133008315531905350'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/posts/default/6133008315531905350'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2008/12/editing-pci-dss-how-and-why.html' title='Editing the PCI DSS, how and why.'/><author><name>kevin thompson</name><uri>https://profiles.google.com/107682921975811187169</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='32' src='//lh5.googleusercontent.com/-njbZ3e90-4I/AAAAAAAAAAI/AAAAAAAAAP8/tYdzjKjLpUg/s512-c/photo.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-5065237798068384103</id><published>2008-12-07T12:04:00.000-08:00</published><updated>2008-12-07T12:06:45.725-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='bullshit'/><title type='text'>More on PI Licenses for Digital Forensic Work.</title><content type='html'>There has been a little more chatter on the subject of private investigator licenses for people performing digital forensic work, or in other cases perform digital investigations. 
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://legal-beagle.typepad.com/wrights_legal_beagle/2008/12/e-discovery-forensics-private-investigator-license-for-computer-data-collection-and-assessment.html"&gt;Here&lt;/a&gt; is a short piece by Ben Wright (who commented on my blog the other day) about unintended consequences in Texas from their law requiring PI licenses for computer investigations.  Hint: People are challenging tickets issued by red light cameras.&lt;br /&gt;&lt;br /&gt;I also found &lt;a href="http://sansforensics.wordpress.com/2008/12/05/michigan-requires-cissp-for-private-investigators-license/"&gt;a posting&lt;/a&gt; where the State of Michigan has defined what it would take for you to be a private investigator working on computer forensic cases.  I have to actually say that I'm not up in arms about what Michigan has done as much as what I've seen in Texas.  The Michigan law requires you to be a private investigator, but you can become a private investigator by getting certified as a computer forensic specialist and they have defined what exactly they expect from a certification program.  So rather than tell me that I have to spend 10,000 hours working for someone peeking in people's windows to catch cheating spouses before I can do computer forensic work, I have been given the option to complete a reasonable amount of study in areas that make sense for what I would want to do.  Kudos to you Michigan.&lt;br /&gt;&lt;br /&gt;There is still the problem of defining what an investigation is.  Many times system administrators have to figure out what is causing a problem on their systems...and sometimes that problem turns out to be people.  At what point would you say that their work has become an investigation?  Is it an investigation if you set out from the start to catch a criminal as is the case for the red light cameras in Texas?  What if a student comes to the help desk with a computer that is acting funny and I start to investigate?  During the i
