It’s been something like a year, or maybe two, since last time but now I’m back! I’m thinking of rebranding the blog and re-shaping it in its entirity.

For now, I’ll give you a sample of what I’m doing at work atm:

Daniel Nyström
This is me holding a seminar on the development of cloud security solutions, and what we at Panda Security mean by “cloud security”. In Swedish.

Panda Sweden people talking (again, in Swedish) about different types of threats that might face home-users today:

Thanks for this time, I’ll be back soon and probably with a bit of changes to this site!

//Daniel

Looking forward to two days of hopefully new knowledge or new point of views…

“All in all”-recap

I had the wrong expectations going into this event, thinking it would be more hands on, real world tests, active examples of tool usage etc. There was some, but not of the sort I expected. That dropped me a bit the first day and made me a bit unhappy.

However, the second day remedied almost all of the problems I had with the first one. For example the issue of legislative questions was cleared up, and all other questions of scope was handled. This was good for me as I could switch my brain from hackermode to managementmode, which was the state I should have been in from the beginning in order to gain as much as possible from the sessions.

It is also important to recognize the value of the information provided. Not many people bring the traditional issues up on the table anymore, just because they’re not hot anymore. You usually get stuffed with SQL injections, XSS, CSRF and other “web 2.0″ hax at a lot of seminars, but those are really very secondary to a Cisco router with an open SNMP implementation.

This situation makes it harder for people new to the securityworld (managers dropped into a security role for example) to get hold of the basics, and seminars like these are the ones that get them up to speed.

William Matthey had a slide showing all the layers and possible attack vectors in all of them that illustrated this quite clearly.

When summarizing the event for myself, I’m not regretting my attendance. I am however, regretting the mode I was in entering the event. It covers the whole big picture, and some finer details, but it’s not a hands on hacking event.

An independent security consultant publicized this week the details to a critical flaw in the server message block version 2 (SMB2) component of Microsoft’s Windows Vista, Windows Server 2008, and the release candidate for Windows 7.

The researcher, Laurent Gaffié, claimed in his advisory that the vulnerability causes a Blue Screen of Death, a pernicious crash on Windows system, but other researchers have subsequently concluded that the flaw is actually remotely exploitable, a more serious issue.

And more from the same source (different article):

In December 2007, Microsoft patched the file- and printer-sharing functionality in Windows Vista to fix a medium-severity vulnerability. Unfortunately, the company inadvertently added a critical flaw, a security researcher said on Friday.

In an e-mail interview with SecurityFocus, Laurent Gaffié — the researcher that disclosed a critical flaw in Microsoft’s Server Message Block (SMB) version 2 code earlier this week — said that further research pinpointed the specific patch that added the vulnerability to Windows Vista. The patch, which fixed a remote execution flaw in SMBv2 signing, was rated Important by Microsoft because the vulnerable feature was not turned on by default. The vulnerability that the patch allegedly introduced could allow an attacker to exploit an affected system in its default configuration, which usually merits a Critical rating from Microsoft.

So, it seems that Microsoft has shipped yet another remotely exploitable security hole in their operating system(s). Hopefully it won’t be wormable to any greater extent, but we’ll find that out real soon.

This helps illustrate the point I tried to make in my last post, that no client machines can be trusted. They are all compromised sooner or later.

Also, if you are trying to be compliant with some policy, your risk ratings just peaked if you are using Vista… in particular if you have mobile workstations being carried in and out of your network. How do you manage that threat? Firewall port 139 and 445 on all clients, thereby loosing the possibility of remote administration and breaking functionality that might be needed by your business systems?

And this is just one hole… I sure hope that you have control over the Acrobat Reader’s and Flash installations on your clients

Administrators tasked with creating a mobile platform that’s not only is reasonably secure, but also keeps internal resources safe from it might be scratching his head. Smaller organizations also have restricted budgets that prevents them from purchasing high-end security solutions to handle this. Larger organizations often turn to solutions like Microsoft NAP to ensure the integrity of clients entering the network, but in my opinion that kind of solutions are fundamentally flawed.

NAP (as an example) just verifies that a client fullfills certain requirements such as an up to date antivirus signature, full set of patches and other (known) criterias.

So what? What does that mean to the integriy of a machine? If a machine is infected or compromised in any way, it is because the existing protection measures obviously did not work. The network is still at risk because of that client and that’s not going to change just because the machine is compliant with a policy that has been based on verifying known factors.

Keep in mind that the amount of malware now hitting viruslabs all over the world is approaching 35 million samples per year, and keeping signatures and heuristic measures fit to tackle that problem is a hard job. Some would even argue that it’s impossible (altough I would not, we’re getting closer). Security simply cannot be measured in patches and signature file dates anymore.

So what can you do to handle the threat of mobile workstations, USB-sticks, PDAs, phones and other mobile devices?

I’ve thought about this for a while and came to a pretty simple conslusion:

Just assume they’re all compromised, and design your service and security architecture based on that assumption.

Internal networks are often considered secure, or at least semi-secure, environments in which people are authorized to use certain applications and access certain data in a way that assumes that the clients are not compromised.

In this kind of environment a worm outbreak often has a severe impact as it can spread quickly throughout the network. Attacks often become more serious than they need to be because restrictions, if any, are very loose and often modified to suit “ease of use” instead of security.

And why shouldn’t they be loose, the clients are secure, right?

The idea I’m trying to get some practical tools to fit into, is to consider all network segments as compromised except the one(s) actually holding the data that you need to keep secure.

In this model you could, for practical reasons, keep the perimeter around the internal network and other segments. One might even do some or even extensive content filtering of network traffic at that point. From a data security perspective, this net should still be considered compromised though as there’s no real way to ensure its integrity.

The only part of the network to focus your security measures on would be the “Data storage and application serving”-part. How you could do this is a practical thing, but you should avoid removing any data from that environment. The practical part of handling this could of course vary, but one could serve data to users in the local network by utilizing terminal services and/or more secure solutions such as Appgate SS. Using web-based (internal) versions of CRMs and other things might be something as well.

You should still do encryption, antivirus, firewalling and possibly DLP on the clients. But that is kind of secondary as long as your application and data access structure is constructed in a secure fashion. VPN connections from the outside world (Internet etc.) would of course terminate in the local network and be subject to the same filtering as other devices in it. Maybe remote clients application availability should also be the subject of further restrictions.

I’m not exactly clear on the details but I’m getting there. An increasingly mobile world needs security measures that’s adapted to this situation, not that are stuck in the old world of stationary devices locked in a specific part of the network(s).

Many organizations do stuff like this, but often in a limited manner and not with the same philosophy in mind. For example shielding servers in one network from the clients, allowing a subset of them access to certain places. Those with access are considered trusted and the data is still spread between servers and clients.

What I’m getting at is that people should try to make their own application and data servicing work like online, “cloud based”, services such as Google Docs, SalesForce etc. instead of using applications and handling data locally. Sure, they could use those actual products, but then they’re lacking control over their data and for some that’s just as bad.

Client machines is not to be trusted, and that is important to remember.

I’ll post some more on this, and try to give some practical suggestions, when I’ve wrapped my head around this a bit more…

Found a great article where Bill Seiglein (on csoonline.com) discusses the differences of being compliant and being secure.

Favourite quote;

I use the analogy that there might be a requirement for a door and so we install a door. Unfortunately the door is pointless without a lock but the requirement did not ask for a lock and so we did not get one

Wonderful analogy, really hits the spot and identifies the problems that appear when you try to use a compliance sheet as a checklist. You might miss things that are quite basic, while over-investing in controls that doesn’t do much to overcome the real problems.

A good example of this, to tie into my previous standards posts, might be companies using WEP in older wireless implementations. Insecure as hell but it is still considered “compliant” when the audit goes down.

Read the full article here!

And remember, being compliant does not mean that you’re secure.

I was browsing the intertubes using an open WLAN when i stumbled on this article on Bakmans blog. The entry itself is a bit outdated but it got my brain working a bit.

Engaged in a search for more information on the subject and eventually found this paper (PDF – Aegis PCI DSS Wireless FAQ) through a pcianswers.com post.

One interesting, if not obvious, thing mentioned is that objective 11.1 require you to audit your sites for wireless networks even though you aren’t running any. This requirement comes from the possibility of rouge Access Points placed in the network(s) that handle card transactions, or a net that is trusted by it. You are not permitted to allow any rouge AP’s if you want to be or stay compliant.

Requirement 11.1 reads:
11.1 Test security controls, limitations, network connections, and restrictions annually to assure the ability to adequately identify and to stop any unauthorized access attempts. Use a wireless analyzer at least quarterly to identify all wireless devices in use.

And this control objective is applicable to all organizations that are aiming at PCI DSS compliance. The paper mentioned above has some of Aegis frequently asked questions on this listed and before you start asking expensive consultants, give it a read

The other control objectives discussed in the paper (including FAQs) in relation to wireless networking are:

4.1.1 For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN. If WEP is used, do the following:
• Use with a minimum 104-bit encryption key and 24 bit-initialization value
• Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or SSL/TLS
• Rotate shared WEP keys quarterly (or automatically if the technology permits)
• Rotate shared WEP keys whenever there are changes in personnel with access to keys
• Restrict access based on media access code (MAC) address.
[...]
10.5.4 Copy logs for wireless networks onto a log server on the internal LAN.
[...]
1.3.8 Installing perimeter firewalls between any wireless networks and the cardholder data environment, and configuring these firewalls to deny any traffic from the wireless environment or from controlling any traffic (if such traffic is necessary for business purposes)
[...]
2.1.1 For wireless environments, change wireless vendor defaults, including but not limited to, wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords, and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable.
[...]
9.1.3 Restrict physical access to wireless access points, gateways, and handheld devices.
[...]
11.4 Use network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up-to-date.
[...]
12.3 Develop usage policies for critical employee-facing technologies (such as modems and wireless) to define proper use of these technologies for all employees and contractors. Ensure these usage
policies require the following:
12.3.1 Explicit management approval
12.3.2 Authentication for use of the technology
12.3.3 List of all such devices and personnel with access
12.3.4 Labeling of devices with owner, contact information, and purpose
12.3.5 Acceptable uses of the technologies
12.3.6 Acceptable network locations for the technologies
12.3.7 List of company-approved products
12.3.8 Automatic disconnect of modem sessions after a specific period of inactivity
12.3.9 Activation of modems for vendors only when needed by vendors, with immediate deactivation after use
12.3.10 When accessing cardholder data remotely via modem, prohibition of storage of cardholder data onto local hard drives, floppy disks, or other external media. Prohibition of cut-and-paste and print functions during remote access.

The above text was copied from the standard document and to fully grasp the implications involved I would, as I did above, recommend you to read Aegis PCI DSS Wireless Security FAQ.

Also, version 1.2 of PCI DSS is to be “released” in the beginning of October and you can find the document of changes here (PDF).

Warning: Panda Security/work related post.

… this week.

The main news in the 4.03 release is:

* Optimized console performance
* Reduced installation package size
* More auto-uninstallers for competitor products
* Improved update features for mobile users
* Full support for XP SP3 and Vista SP1
* Full support for Exchange 2007 SP1
* Full NAP support in our desktop protections

A lot of other news and bugfixes also included.

Ask you local Panda office for the complete document of changes.

If you’re a client you can download the upgrade here.

Cheers,

so did a lot of serious security incidents.

During last week, we saw…

- The largest newspaper in Sweden get their e-mail systems hacked

Apparently, the intrusion was made by initally hacking the newspapers intranet (which was connected to the internet!) and once the attackers had access to the intranet users names and passwords, they just tried those against their webmail system. Apparently people use the same passwords in different systems The group claiming the hack was “Vuxna Förbannade Hackare” (In english: Mature Pissed-Off Hackers) and apparently it was motivated by the fact that the newspaper did not have any coverage of their previous attack on the TV channel TV3′s website.

During the past week the hackers has been releasing more and more internal details from Aftonbladet such as e-mails and user details for partner websites etc. and they have stated that they will continue until the newspaper admits that they have been hacked on the front page of the website.

- The Largest ISP in Sweden looses 2 weeks worth of e-mail for 300 000 customers

This was an OMFG experience. Apparently, according to the information now available, there had been no backups taken (or they had been corrupt), monitoring or maintenance of the affected systems since the 14 December. Telia are now offering 20£ vouchers (only usable in Telia stores) to all affected customers and are also going to handle more serious data losses on a case-by-case basis.

And why did this happen? Well, apparently the guy that was monitoring the systems quit. (Period.)

Nice way to follow routines and policies guys…

- A USB stick containing hundreds of pages of US NATO reports left in a library

Some of the material found had the classification “secret“, but this has not been verified by the newspaper reporting.

Apparently this information was left in one of Stockholms largest libraries on an unencrypted USB stick.. heh.. I mean, encrypted USB sticks are soooo hard to come by these days, so why use them?

This has also been reported on by “The Register“:

According to Swedish daily Aftonbladet, the stick contained material on NATO’s ISAF peace-keeping force in Afghanistan, as well as an intelligence report on the attempted assassination of Lebanon’s defense minister and the murder of Sri Lanka’s foreign minister.

Word of advise, do not trust anyone else with your data people

Cheers and good luck in this 20£ corporate voucher world!

I think their own advisory from 1999 (!!!) explains the issue pretty well:

Well,

too bad they only protected their customers from this if their domains ended in .com, and that this issue has persisted through eight more years of code (how much new code did they say there were in Vista?). This little function seems to have remained unchanged for almost a decade anyhow…

Now let’s hope that Microsoft are faster than the bad guys… And in the meantime:

• If you have a webfilter, block all adresses containing “wpad.” in them.
• On most Windows operating systems, stopping the service “WinHTTP Web Proxy Auto-Discovery Service” would also do it, but some people have been having problems with this.

In other words, keep an eye on your network the next couple of weeks until MS produces a patch.

Cheers and browse safe!

The problem lies in the jar: protocol implementation used by Firefox and it enables an attacker to conduct XSS and gives them almost limitless possibilitys for malware hosting.

This is an example URI which exploits the issue:

jar:http://www.icmpecho.com/myjarshrine/yarihooo.jpg!/malwareloadingscript.html

Now, instead of copying others work which they have probably spent hours or more on to explain the issue in full, I’ll give you a short recap of the happenings and more and more exposing blog posts:

The problems with the recommendations given by these persons and/or organisations is mainly that the recommend blocking URI’s containing JAR: in webfilters and deep packet inspecting firewalls or avoid following “jar:” links.You should understand why this would be a total waste of time if you have read the above articles and in particular Giorgio’s comments on the issue.

Also you should know why if you have seen one page load another like in most web based exploits (Including the one on the Swedish Parliament’s websites this week (swedish link, sorry)). My feeling is that the first advisories were rushed out “to be first in the corporate sector” and sloppy research took its toll.

If you do want to protect yourselves for real, you might wanna download and install the NoScript extension to Firefox which also handles JAR.

Happy times!