Breaking then Fixing...

March 26, 2009

How to Win Friends and Influence Testing

Yesterday I encountered and interesting issue that demonstrated the real necessity behind good network testing. To give some background on this story, I have previously contacted a testing vendor and have them give a very good presentation on the ins and out of good Q&A testing. The organization that saw this presentation sought this to be a bit much for their environment.

This organization has a pair of IPS Sensors in which are leveraging spanning-tree in order to have fail over. The figure below illustrates the design.

Now the vendor that supplied the IPS code is having a problem with their few latest builds. The vendor's most stable release still has a bug with the SMB portion of their engine. What is interesting is that when a particular type of SMB traffic passes through the engine the engine will fail. Now this particular organization has several tools to view the health of certain things but the IPS sensors are not one of the ones they can easily view. What happened to this particular organization was that the sensors failed, both of them. The primary sensor failed and the secondary sensor failed upon seeing the traffic conditions. It was 9 days different between the primary and secondary failure.

The beautiful thing about this design is that you leverage spanning-tree to complete fail over and the reason that is important is because the switches and routers are participating in a load sharing mode for increased performance.

The vendor is now suggesting to this team that an engineering release that can be specially developed for them that will address the issue is the way to go. So what does this organization do? Do they install code that is not completed vetted? Can they test the code thoroughly first? Do they rely on blind faith and risk complete IPS failure?

They now see the need for better network and system testing before go live and production. You see they could put the new IPS code on the secondary sensor and see if it crashes the 'passive' node, however they have not run traffic through that release since its a passive node.

This was good opportunity to win friends...and influence testing.

Posted at 04:19 PM in Security | Permalink | Comments (0) | TrackBack (0)

March 18, 2009

An Intro into Web App Security

For many years we have all come to see the fact that the network systems are flawed. TCP/IP is not perfect and was not designed for secured transmissions. Appletalk or IPX/SPX for all you apple and novell fans waiting around for a comeback will not make things better. There are some that believe that we are getting good at discovery and blocking these types of attacks. After that came the OS attacks, how lovely those easy buffer overflows were to find and exploit. One day you may even here me do my best impression of 'who's a good boy' pet, except instead of my dog it may be to MS03-026, but I digress. Now that we are going further into the stack we keep hearing that one day the web will be our operating system. I am hopeful that won't be the case in a strange way.

Web Application Security is a pretty hefty subject. Let's look at the components first to get a better understanding. The server side can run a multitude of servers to give you the ability to deliver web based content. Apache, IIS, Websphere, and even custom servers all appear frequently. Now this conversation will not pertain to vulnerabilities within the service lets look higher in the stack. In the same token you have a multitude of browsers now, Internet Explorer, Mozilla Firefox, Safari, Opera, Google Chrome and more. They can all render web traffic out of the box. The problem isn't necessarily this architecture but let's dig further.

The web servers are now able to deliver 'dynamic content'. As end users we love dynamic content, as pen-testers we LOVE dynamic content, and as defenders we have NO LOVE for dynamic content. How can we deliver this content? If you are an open source proponent you think, what about LAMP or WAMP. LAMP stands for Linux-Apache-Mysql-PHP/Perl/Python/Etc, and WAMP is the Windows equivalent. Most organizations are now focusing on .NET Framework. For some reason we are still kick around Java.

...Oh yeah AJAX too...

So lets get back to this idea of dynamic content. Computers love code, they LOOOVE to run whatever you give it. In the web application space this becomes precarious because the code that the browser will automatically render and run, or the code that the server will process and run, can actually allow for 'exploitation' without 'exploitation' in a strange sort of way. Since this is an introduction with more 'parts' to come lets explore this.

You have a browser that automatically renders Javascript and PHP code. You have your browser go to a malicious site which allows for an 'attacker' to hook your browser and control its interactions through JavaScript code. Assume that the actions in which the 'attacker' is using to control your browser is now not considered 'dangerous'. It looks like regular http based transactions and will look like perfectly normal javascript and delivered to your device. This type of system will most likely be re-rendered through a proxy, ignored by IPS systems, and if the site is considered 'safe' content filters will allow it as well. In addition most host IPS's will allow for this to pass as long as the content delivered is not doing something 'malicious' to the system like deliver an actual exploit to a service.

So then the question I pose to you is, If a giant multi-billion dollar, multi-national corporation like Microsoft cannot fully fix all the security problems within their paid for software, how are we to expect that custom application code running on web servers and rendered on your browser are not going to have issues? Insecurity Yet?

I welcome feedback and discussion!

Posted at 08:25 PM in WebAppSec | Permalink | Comments (0) | TrackBack (0)

February 07, 2009

Recession Security, or back to basics?

About a year and a half ago I took on a job at a government sanctioned enterprise. When I took on the role it was very simple. Do in 12 months what would normally take 48. It took my past roles as an engineer and a security professional and molded them together. It was a good gig when we had an unlimited budget. In one sense we were judicious in our needs. We were modest, as well as concious not to purchase what could not be implemented in 12 months. This last few months we were given the opportunity to look at the spending and had a modest chance finish the job this year. As I look at a real recessionary time I started to consider the realities of how great of an opportunity that is. On one hand, many look at it and say, that they are going to have it hard with budget cuts. My more frugal side is now looking at it as a grand opportunity to go an improve on the softer and, in my opinion, more important portions of the project.

The first questions I ask myself are:
Can we audit the implementation? Do we have in production not just everything we put on paper but also everything we asked for?

Are all of our devices put in correctly?

Did we layer in enough security?

What operational processes do we have?

I hope I can answer these in upcomming posts in the next few months.

Posted at 01:57 PM in Security | Permalink | Comments (0) | TrackBack (0)

November 27, 2008

Todays Bit: Making the Case for Host Based IPS

In Todays bit I decided to write about Host Based IPS Technologies, and how you can make a case for it within your environment. I have succesfully installed possibly over 5000 IPS Host Based Systems since I first used one in 2004. I have been happy with 2 specific vendors, those being of eEYE Digital Security Primarily and Cisco's Security Agent.

Host Based Intrusion 'Prevention' technologies is the ability to analyze traffic patterns, and system behavior on an operating system level. It is the same type of 'technology' that is used today in the Unified Threat Management Systems or in the IPS systems many have deployed on the network level. So why consider a Host Based System?

A Host Based System will protect your system from attack without an actually penetration occurring and then scanning for the malicious activity after the fact. In other words, when your current 'Anti-Virus' system or 'Anti-Malware' system finds an infection the file itself has been placed on the system. In other words the system has been compromised and the scanner is then going to either stop the process from running or delete the file. In addition most 'anti-virus' scanners will not detect many payloads. For example, a recent podcaster uploaded a payload from the popular metasploit framework. What is a 'payload'? A payload is nothing more than 'code' that runs on your computer that is delivered with an 'exploit' or some other method such as email, USB, etc, and does something. What can it do? Open a Command Shell to the attack, add a user, add VNC, whatever your heart desires now a days. The payload was uploaded to virustotal. Virustotal takes 36 different Antivirus Engines and scans the file. 4 of the 36 detected the file. In addition other such events such as DefCon's 'Race to Zero' event where the challenge was to slightly change a 'virus' in order to completely evade Virus Scanners should concern you as well. The even 'scarier' What does this mean to you? This means that the 'effectiveness' of your current anti-virus scanner is possibly insufficient for todays environments.

This where Host Based Intrusion Detection and Prevent Systems will shine. These systems are more than just firewalls, which is a good thing. A firewall will typically allow virus's or any other malicious attacks through if they are permitted through the firewall. A IPS/IDS especially a Host Based IDS/IPS system will read into the packet and detect the malicious attack and prevent them from penetrating your system. In addition since it sits in the host system it is not ignorant of what is happening in encrypted streams while a Network IPS cannot view the encrypted traffic on the network.

Stay tune for my analysis on how to choose them, how they perform, and some possible gotcha issues.

Posted at 10:55 AM in Todays Bits | Permalink | Comments (0) | TrackBack (0)

November 26, 2008

Have I been lazy?

Yes I have. I purchased this system several months ago thinking I would motivate myself into keeping a working journal. What happened? I imagine life happen. But I told myself. Write. Write everyday. Don't Stop and do it.

So here we go.

The state of the information world today, how we got here, where we are going.

I think that this year we will be seeing a mixture of threats that will be both social in nature and digital in attack. First of all the upcoming recession and possible depression will make an impact to the state of IT as a hole. I think we will be seeing a possible uptick in theft virtual and physical. I think we will be seeing an uptick in foreign and domestic threats. There maybe some disenfranchisement happening within the states. While all this may spell 'good news' in the eyes of some security consultants, I think that there are not enough 'good' guys to help out. Unfortunately Information Security is a difficult field, it requires a specific type of person and its possibly easier to attack in some aspects than defend. What should this mean to you?

Well first of all I think we really need to put many of our ongoing projects on hold. Why should we continue to roll out insecure architecture, products, or designs if the attack vectors become larger? I hope that companies take this time re-categorize the importance of information security as a whole, however I find that many will be reactionary in effort. These next few months will be challenging, and many in the world are watching and waiting. I do apologize if this post is rather morbid, but brutally honest. At the end of the day it will be a struggle, but consider that it may be a good thing. I found that the largest learning experiences in my life are when I have struggled t

Make the best of it!

Posted at 01:48 PM in Security | Permalink | Comments (0) | TrackBack (0)

July 12, 2008

The beginning

I've probably have done this a dozen times. I decide to myself its something I want to do, maybe I decide its the right thing to do , or maybe I decide that it will benefit me in some way. The honest truth is I want to start writing for several reasons, and I think if you've never have tried it this may help you ... start.

- I think I can better the community I belong to. This should be essential. I want to believe that somehow, someway, we can all be benevolent individuals. I am a security professional at heart, so I will try my hardest to do my best to give back. I want to hope that I can make a difference to that community. Maybe.
- I want to better my own writing, grammar, and communication skills. I have seen many great talents that have not been able to achieve greatness because they have an inability to communicate. Lets hope that we do not loose that.
- I want to be able to self medicate if you will, somewhat therapeutically.
- I do not want to be lazy.
- I want to force myself into structure and discipline, by promising that I can write daily. Weather this means five minutes or five hours.

I must have started a blog more than 10 times in the last 4 years, and I was always thinking for hours how do you start? Do you race into it? Do you just start in the middle of a book and randomly post thoughts? I have done this several times. If you've ever wondered, this is how you

...start.

Posted at 09:47 PM in Just being me | Permalink | Comments (0) | TrackBack (0)