Even Ashton Kutcher reads the Writing Secure Code book
You know writing secure code is important when…
Posted: 3rd March 2012 by Gaurav Kumar in interesting stuff
Login failed. The login is from an untrusted domain and cannot be used with Windows authentication
Posted: 1st December 2011 by Gaurav Kumar in Tips
When you get that error message, you would guess that there is a Windows cross-domain authentication issue. But then there would be no fun in technology if all errors made sense.
Here is what happened:
The application I was working on ran under domain1\AppAccount and the SQL Server it used as its back-end data store ran under domain2. When I got the error message, I immediately thought there was no trust between the domains and that's why I was getting the error. After a lot of debugging, I found that there was actually a two-way trust between the domains. The error was misleading. What happened was that the password I was using was incorrect!
Instead of the error being "incorrect username or password", the error makes you believe it is a trust issue between the two domains.
Another interesting thing to note:
I was running SQL Profiler to debug and was surprised to find that there were no incoming requests when that error was thrown. The error is actually thrown by the SQL driver used to connect to the database, not by the database engine itself.
Announcing free vulnerability scanner based upon open standards (OVAL)
Posted: 11th November 2011 by Gaurav Kumar in OVAL
Dear all,
It gives me immense pleasure to introduce OVAL Scanner. It is a free, open source authenticated scanner which uses OVAL format definitions to scan remote hosts for vulnerabilities, patches, inventory and compliance.
Currently it is available for 64-bit Windows 7, Windows Server 2008 and Windows Server 2003. Support for 32-bit Windows and Linux-based OSes will be available very soon (hopefully within a month).
OVAL Scanner is part of my vision to enable large amounts of security information to be analyzed and presented in an easy-to-use format. Over a period of time, I will be adding several features, from making the scanner much faster, more robust and more user friendly onwards; think of this release as pre-alpha (version 0.0.1). Later versions (0.1.x) will have an integrated engine to reconcile IDS logs with vulnerability information.
Feel free to leave a comment below if you have any question or feedback.
If you are interested in following the new developments, please subscribe to the announcement-only mailing list.
Network based OVAL scanner and SIEM (part 1)
Posted: 10th October 2011 by Gaurav Kumar in OVAL, SIEM
For those who love security and open standards, OVAL is the best thing that has ever happened in the field of vulnerability detection. A brief background on OVAL:
How do you detect whether your hosts are vulnerable or not? It's simple: you use a vulnerability scanner like Nessus, Retina, Qualys etc. Some are free tools, some are not. Some tools are good at detecting vulnerabilities, some tools are good at checking policy compliance (e.g. whether the admin password is blank or whether SSL is disabled on your web server). Over the last decade or so, tons of tools have been created by various commercial and open source entities, which has led to a lack of standardization of "how to check if vulnerability X exists". This means these tools are tightly bound to "content", i.e. how vulnerabilities are defined. Enter OVAL.
OVAL is the "Open Vulnerability and Assessment Language", which is used to define vulnerabilities (or patches, inventory and policy) in a standard XML format. Have a look at this XML file, which can be used by any OVAL-compliant product. This particular XML file has vulnerability definitions for Microsoft Windows 7. A lot of public content is available here. Contributors from various commercial and not-for-profit organizations contribute vulnerability definitions almost every day.
Here comes the icing on the cake.
MITRE has made available an open source tool called OVAL Interpreter, which can be used to process OVAL content and produce an HTML report (using XSL transformations on an XML file) for the definition file. What does it mean? It means that you can check for vulnerabilities for free.
This tool is available for various platforms (Solaris, Linux, Windows etc).
Given that this tool is a binary that you run locally on the host, I was wondering if I could run it remotely so that I can get results from hosts in a central place. Once I have results (in XML format) I can then dump them into a database and run reporting tools to get enterprise-class reports (the fancy charts
That's it for part 1. As for part 2, I am in the process of proving this theory. I will be releasing a virtual appliance (based on VMware) which you can use to run OVAL checks remotely. It will use "winexe", which is part of Samba, to run commands remotely on Windows hosts; for Linux-type hosts it will use native SSH. Once data has been collected, it will perform the evaluation and dump results into MongoDB (my choice for back-end database). I will then provide a PHP/Ruby-based web application as the user interface to query results.
My long-term vision is to develop an open source SIEM product which can collect dynamic security data (event logs/syslogs, firewall and IDS logs etc) and use static security data (compliance score and vulnerability score) to provide a holistic view of information security. Needless to say, its primary purpose will be security management: e.g. if the "administrator" account is being brute forced (dynamic security information) but the account has been renamed (static security information), this event is not as critical as when the account is being brute forced and doesn't have a strong password.
Did I tell you that it will be cloud friendly too? That is, all you have to do is run the virtual appliance on your virtual infrastructure, and the heavy lifting (processing of security information) can be done in the cloud if you want, or on-premise as you prefer. Don't worry, we won't store your credentials in the cloud.
Do subscribe to the RSS feed of this blog if you want to be notified as we progress.
Cheers,
Gaurav.
TLDR Version- Agent= ♥
While evaluating systems management products, especially the ones related to security like vulnerability and policy compliance scanning, one of the key aspects one always has to consider is whether to give preference to agent-based products or agent-less ones. In this blog post, I am going to put down some of my thoughts gathered while evaluating several such commercial and open source products.
As someone who lives security, let's discuss that first.
Just answer this question: if the management console of the product is compromised, will it impact your hosts (on which you run scans)? The answer in both cases (agent and agent-less) is yes. There is a misconception that if a product is agent based, there won't be a need to store credentials at the management console and hence this setup will be more secure. In reality, due to the very nature of scanning, an adversary can push down malicious scanning content to the agent, which usually runs under elevated privileges. Say, for example, your policy compliance tool executes a command line such as
"net user"
to find out local user accounts. Now, where is that "net user" command coming from? Usually it is the management console which sends this command to be executed by the agent. If the management console has been compromised, the adversary can send the following commands to create a rogue admin account:
net user username pwd /add
net localgroup Administrators username /add
Got the idea? If the management console is compromised, it doesn't really matter whether the product is agent or agent-less; it's game over.
Not so fast.
There are additional controls (benefits) which an agent-based product can give. For example, the agent can enforce cryptographic signing of the commands which are to be executed. Maybe you can utilize a PKI infrastructure to sign content (scripts/commands); this way, if an adversary has compromised the management console, s/he will still need to get the malicious content signed. Of course, this benefit comes at the cost of administrative overhead. This is usually the case with security
Do you know of a product which provides this functionality? Please leave your comment below.
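To show what the signed-command control above buys you on the agent side, here is an added example (not code from any product the post evaluates). It swaps the PKI signature for an HMAC-SHA256 tag under a key that only a separate content signer and the agents hold, so it runs with the standard library; the key, the command allow-list and the command names are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Added example of the signed-command idea, not any product's code. Stand-in for
# the PKI signature: an HMAC-SHA256 tag under a key held by a separate content
# signer and the agents, never by the management console, which only relays
# envelopes. Key and command allow-list are constructed for this example.
SIGNER_KEY = secrets.token_bytes(32)
ALLOWED_COMMANDS = {"list_local_users": ["net", "user"]}


def sign_command(key, name, seq):
    """Signer side: bind a command name to a sequence number and tag it."""
    body = json.dumps({"name": name, "seq": seq}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Agent:
    """Agent side: executes only allow-listed commands whose tag verifies and
    whose sequence number is newer than the last one accepted (no replay)."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0
        self.executed = []

    def accept(self, envelope):
        body = envelope["body"]
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison: the tag check itself must not leak timing.
        if not hmac.compare_digest(expected, envelope["tag"]):
            return "rejected: bad signature"
        msg = json.loads(body)
        if msg["seq"] <= self.last_seq:
            return "rejected: replayed or stale"
        argv = ALLOWED_COMMANDS.get(msg["name"])
        if argv is None:
            return "rejected: command not allow-listed"
        self.last_seq = msg["seq"]
        self.executed.append(argv)  # a real agent would run argv here
        return "executed: " + " ".join(argv)


def demo():
    """Walk through the post's scenario: a legitimately signed command runs,
    the same envelope replayed is refused, and a compromised console that
    rewrites the body without the signer's key is refused. Returns verdicts."""
    agent = Agent(SIGNER_KEY)
    good = sign_command(SIGNER_KEY, "list_local_users", 1)
    forged = {"body": good["body"].replace("list_local_users", "other_cmd"),
              "tag": good["tag"]}
    return [agent.accept(good), agent.accept(good), agent.accept(forged)]
```

The sequence number is what stops a captured envelope being pushed again later; without it, signing alone does not prevent replay of an old, legitimately signed command.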
Let's go a bit deeper. If you are using an agent-less product to scan a Windows host, remember that the actual data is flowing in plain text. This is where an agent-based product can have a distinct advantage: agents can wrap the data in an encrypted protocol.
I think that agent based products have some distinct advantages over agent-less products.
Thumbs up: Agent
Thumbs down: agent-less
Let’s talk about efficiency/performance.
While agent-based products do (usually) reside in memory, there are things which an agent-less product cannot do. For example, there is no remote API available to inspect file content on a Windows host locally, i.e. an agent-less product will need to pull the file across the network and inspect it on the management console. This can be a huge overhead if you need to scan a lot of file content from lots of hosts. For an agent-based product, it's a simple local file open API: very efficient.
In fact, if agent-based products can make use of the architecture I blogged about, the agent footprint can be reduced to almost negligible.
Agent-based products can also make use of "delayed scanning" or "offline scanning", i.e. even if the network and/or management console is not reachable (e.g. mobile hosts: tablets, notebooks, the road warrior's weapons), agents can do the scanning based upon information already fed to them and then, later on when they become reachable by the management console, provide the results of the scan.
I think agent-based products have huge potential to be more efficient than agent-less products.
With all that being said, I think agent-less products are easier to deploy: just provide them credentials and host information and they are good to go. Though this same advantage can also be had from agent-based products if their management console supports deploying agents from the console itself.
BTW, note that if you are using Windows 7 and want to use agent-less products, you need to execute some extra steps.
Thumbs up: Agent
Thumbs down: agent-less
Hopefully I will be updating this post based upon any comments you may have and as I experience more and more agent and agent-less security products.
Here is how the conversation went between myself and a customer care representative of a very large US-based financial institution.
Me- Hi, before I ask my real question, can you tell me how I find out my customer ID and PIN? Every time I call customer care, I am asked to enter these and I've never received them from you.
Customer Care rep- Sir, your customer ID is the same as your username and your PIN is the same as the password that you use to log in to our website.
Me- You mean the same website that I log in to to perform my financial transactions?
Customer Care rep- Yes sir.
Me- hmm… but then how do I enter capital letters? Phones do not distinguish between capital and small letters.
Customer Care rep- It doesn't matter.
And after that phone call, I went to drink better to cool myself. Really… such is the state of security. This is the year 2011, the so-called year of APT (advanced persistent threat).
In summary:
1) We are talking about a major financial institution here, obviously having a dedicated team of security experts <- People problem
2) There is no indication (visual clue) on their website that they do NOT distinguish between small and capital letters in passwords, hence providing a false sense of security <- Process problem
3) They receive credentials over an insecure transmission channel (phone lines) <- Technology problem
Obviously, if they wanted, they could perform the password validation check (capital vs small letters) based upon the channel (phone vs web), but unfortunately they don't.
Sigh.
Not a security related post. In fact, what I am going to post here might have already been proposed/discussed before.
When was the last time you fired up Task Manager (or the ps command on *nix) and got agitated by those memory- and/or CPU-hogging processes? I am talking about enterprise agents here. In Apple terms, "there is an agent for that": it can be backup software, or compliance checking software, or log collection software. It could be just about anything which is invoked by a server. Now, if you think deeply about these agents, do they _really_ need to be active always? Take for example compliance checking software (like the ones which check local account policies, file/directory permissions etc). Such software is usually invoked by the server during non-business hours. Similarly, many log collection agents just keep storing logs locally and then a server pulls them later.
One thing is common among these types of agents: they keep listening on a port forever. Why?
What these agents can do instead is simply create a listener process, and that's it. The only job of this process is to listen and, when a connection is made, wake up the actual agent.
Say, for example, there is a ComplianceChecker.exe which listens on port 1234. Currently, it might be taking a lot of resources, which isn't really necessary. Instead, this agent can be designed in such a way that there is an AgentListener.exe which listens on port 1234, and as soon as a connection is made to port 1234, AgentListener.exe runs ComplianceChecker.exe and kills itself (AgentListener). When ComplianceChecker.exe is done with its job, it runs AgentListener.exe and kills itself (ComplianceChecker).
I came up with this idea when I found that there are certain framework-based (Java etc) agents which just take too many resources just to wait for a connection from the server. For such agents, I think it makes more sense to use this lazy agent design, where the agent isn't loaded in memory but only a "listener" for the agent is.
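The listener half of that design, as an added example (not the post's own code or any product's): a tiny always-on process that accepts one connection, checks that the peer is the management console, and then replaces itself with the real agent. The page gives only ComplianceChecker.exe and port 1234; the console network, the stand-in agent command and POSIX exec semantics are assumptions.

```python
import os
import socket
import sys
from ipaddress import ip_address, ip_network

# Added example of the lazy-agent layout, not any real product's code. The page
# gives only ComplianceChecker.exe and port 1234; everything else is assumed.
LISTEN_PORT = 1234
# Constructed: only the management console's network may wake the agent. Without
# this check anyone who can reach the port can keep the heavyweight agent running.
CONSOLE_NETWORKS = ("10.0.0.0/8",)
# Stand-in for ComplianceChecker.exe so the script runs anywhere (assumption).
AGENT_ARGV = [sys.executable, "-c", "print('ComplianceChecker running')"]

def peer_may_wake(peer_ip, networks=CONSOLE_NETWORKS):
    """True if the connecting address belongs to an allowed console network."""
    addr = ip_address(peer_ip)
    return any(addr in ip_network(n) for n in networks)

def handle_trigger(conn, peer_ip, networks=CONSOLE_NETWORKS):
    """Handle one accepted connection: answer with a one-byte verdict and close.
    The listener never reads from the socket, so the always-on process has no
    input to parse. Returns True when the agent should be started."""
    wake = peer_may_wake(peer_ip, networks)
    try:
        conn.sendall(b"W" if wake else b"N")
    finally:
        conn.close()
    return wake

def simulate_trigger(peer_ip, networks=CONSOLE_NETWORKS):
    """Offline check of handle_trigger over a local socket pair (no listener)."""
    agent_side, console_side = socket.socketpair()
    try:
        wake = handle_trigger(agent_side, peer_ip, networks)
        return wake, console_side.recv(1)
    finally:
        console_side.close()

def wait_for_console(port=LISTEN_PORT, host="0.0.0.0"):
    """Block until a connection from an allowed console network arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        while True:
            conn, (peer_ip, _) = srv.accept()
            if handle_trigger(conn, peer_ip):
                return

def main():
    wait_for_console()
    # Replace this process image with the agent (POSIX exec): the listener's
    # memory is released and the agent takes over, the post's "run
    # ComplianceChecker and kill itself" in one step. When the agent finishes it
    # exec's the listener again the same way. On Windows, spawn and then exit.
    os.execv(AGENT_ARGV[0], AGENT_ARGV)

if __name__ == "__main__":
    main()
```

A source-address check is a weak gate on its own (addresses can be spoofed on a hostile network), so in practice pair it with the signed-command or mutually authenticated transport the agent itself uses; the point here is only that the trigger path stays tiny and reads nothing.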
Thoughts?
URL Rewrite Obfuscation And Security
Posted: 13th February 2011 by Gaurav Kumar in Design, Obfuscation, Tips
The very first thing you may have noticed is that I've used the words obfuscation and security in one sentence. Bad idea, according to conventional security wisdom, isn't it? For example, wouldn't you laugh if you came across an app which uses base64 encoding to provide some level of "security", as if it were somewhat like encryption? Well, like any security professional, I used to frown upon such instances. But then, one fine day, I learnt that I had been just too harsh on obfuscation. Here is what happened:
I was reviewing my web server logs and found that someone was trying to find SQL injection and XSS bugs but was not even close, because they had no idea which parameters took user input, as these were masked by URL Rewrite rules.
Let's take an example. Which of the two URLs below is more hacker friendly?
- www.example.com/blog.php?name=JohnDoe&cat=Dogs
- www.example.com/blog/johndoe/dogs
Well, as you can see, in the first URL we are telling everyone that we have a file blog.php which has a variable defined as "name" that takes values such as JohnDoe, and another variable called "cat" (category) which can take values like "Dogs". In the second URL, it is not so evident; one would have to do a lot of guesswork/brute forcing.
And that's the point I am trying to make in this blog. If you have an option of obfuscating something but (and not just a but, but a BIG but) you don't think of it as a primary security defense, go for it! Especially when it makes the URL much prettier and SEO friendly. By primary security defense, I am referring to security design principles like user authN and authZ, encryption, input validation etc.
It doesn't really hurt if you can make something look prettier and still waste the adversary's time.
If you think more deeply, you will realize that the whole point of defense in depth is that you should be able to piss off your attacker to the extent that s/he gives up. And as such, if obfuscation helps, let it help.
Defense in Depth- Visa/Mastercard vs Amex CVV
Posted: 18th September 2010 by Gaurav Kumar in Design, interesting stuff, privacy
Spot the difference
As you can see, the CVV on Amex cards is shown on the front of the card, the same side where the card number, expiry date and name are displayed. From a defense-in-depth perspective, I think it would be better to display the CVV on the back side of the card. The reason is obvious: the risk of someone "shoulder surfing" is mitigated by the fact that the CVV will still be required by him/her to make fraudulent purchases.
Thoughts?
Photo courtesy - singaporeair.com and hiscredit.com
In this post I am going to express my disappointment with a disturbing trend: more focus is being given to compliance than to security. I don't have anything personal against compliance; in fact, in my last job I was an IT Audit Manager and performed compliance-related audits. While compliance is necessary and important, it is not sufficient from a security perspective. One can be in compliance and still be vulnerable to easy attacks. Below are a few examples:
We all know the Heartland credit card breach was one of the most significant credit card data breaches ever reported. According to this Q&A, their CEO commented: "we certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure. We and others were declared PCI compliant shortly before the intrusion"
Not trying to nitpick PCI here, but there are 2 requirements in PCI which I always find interesting to talk about. These are:
Requirement 6.6
One of the most contentious PCI requirements. It requires that one should either deploy a WAF or perform an independent security assessment. According to PCI, below are the "recommended" WAF (web application firewall) capabilities:

Obviously, "recommended" is the interesting keyword here. Why not change it to "mandatory"?
Last year, in July 2009, this whitepaper presented an evaluation of several WAFs. I've summarized the "% of attacks blocked" of these WAFs as evaluated in the whitepaper (please read the whitepaper for the criteria used for evaluation):
WAF            | % of attacks blocked
phion airlock  | 36.92 %
Hyperguard     | 35.38 %
F5 BIG-IP      | 67.69 %
ModSecurity    | 52.31 %
The point I am trying to make is not that WAFs are worse than an independent assessment (an independent assessment could be worse as well); the point is that even if one is running a WAF to get PCI compliant, there might be many vulnerabilities which won't be blocked by the WAF.
Requirements 8.5.13 and 8.5.14
As per PCI, the requirements are:
8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts.
8.5.14 Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID
And now have a look at this post I made some time back. Got it?
Locking user accounts isn't a good idea: an attacker can write an automated script which sends six invalid credentials every 30 minutes, thereby creating a persistent account lockout, effectively a DoS on the affected users. In case the usernames are predictable (e.g. some telecom web apps use phone numbers as login IDs), the impact of such a "vulnerability" is bigger, as one can effectively lock out a large number (or maybe all) of the users.
I don't know why PCI isn't recommending/requiring the use of CAPTCHAs instead of account lockout.
In short, one may be PCI compliant and yet vulnerable to a simple DoS attack (by virtue of being compliant).
HITECH provides an exemption to notification requirements. In short, if PHI (Protected Health Information) data is encrypted and a breach is detected, there is no need to notify (the customers). For more info, read this.
I disagree. Notification must be required even if data is encrypted. Even though HITECH requires you to follow NIST "approved" encryption algorithms, what is secure encryption today may not remain secure tomorrow. For example, DES with its 64-bit key (56 + 8 parity bits) isn't considered secure anymore. What if AES gets broken in the near future? What if it already has been? (Yes, sort of an extreme view, but possible.) Suddenly, all of the encrypted data would become exposed.
I think this post has documented very well the problem of SAS 70 being considered like a security certification. Below are a few screenshots which I find interesting.
One more example:
I was at a client location performing an infrastructure security review. The infrastructure/processes were ISO 27001 compliant. I came across an IDS (Intrusion Detection System) which was placed before the web server and after the firewall. The network was configured in a way that only SSL (port 443) connections were allowed to be made to this web server. The SSL was terminated at the web server itself. I immediately raised a concern: is this IDS configured to inspect SSL connections? (Several IDSes now have this capability, which allows you to import the SSL certificate so that the IDS can decrypt and inspect encrypted traffic.) The answer was "No!" The client was also astonished that he wasn't aware of such scenarios even though he was fully ISO 27001 compliant.
As a closing comment, I would like to say that while compliance is important, what is more important is that it shouldn't be considered "the" security control. I would also like to quote a fellow CISSP:
managers and executives can easily be misled by the ‘false advertising’ associated with the supporters of these ‘standards’
I would love to hear your comments/feedback.