Skype is Open to Social Engineering !!!

I still believe the easiest way into a network is social engineering, a threat organizations rarely take seriously. They tend to dismiss it as too trivial to deserve much attention. The bad news is that social engineering remains one of the most effective ways for attackers to get into a network. It needs no tools and no Trojans; the attacker uses nothing but soft skills to talk an organization's employees into doing something to the attacker's benefit.

I read in the news yesterday that Skype is one of the companies open to social engineering. Their support team would change a user's password on the strength of a single phone call. Yes, it is as easy as it sounds, and you can try it yourself: call the Skype support desk and request a new password. You then have to prove ownership of the account by naming five contacts connected to it. How hard is it to guess those five contacts? Say you want to reset a friend's password and you are social engineering the Skype support desk: you almost certainly know five contacts on your friend's Skype account, since you probably have plenty of friends in common. Once you name those contacts, the support desk changes the password to whatever you wish.

That is what social engineering looks like. Scary, huh? Were any tools involved? Absolutely not. All it took was a phone call and pretending to be someone else. There are plenty of examples like this in every organization, and top management should take them more seriously. The first things a company should do are to educate users about such threats and to put strict policies and workflows around sensitive processes such as password resets, where "proof" that an impostor can gather from public information (a few contact names) is no proof at all. I gave a talk about a year ago, part of which was about social engineering.
I thought you might want to have a look at the slide deck: http://www.slideshare.net/esarabadani/hey-you-get-off-my-network Cheers

Forefront TMG 2010 has been Discontinued !!!

It was finally announced: Microsoft has decided to discontinue several of its popular products, Forefront Threat Management Gateway 2010 among them, together with the others listed below:

  • Forefront Protection 2010 for Exchange Server (FPE)
  • Forefront Protection 2010 for SharePoint (FPSP)
  • Forefront Security for Office Communications Server (FSOCS)
  • Forefront Threat Management Gateway 2010 (TMG)
  • Forefront Threat Management Gateway Web Protection Services (TMG WPS)

It should also be mentioned that, among these, the functionality of Forefront Protection 2010 for Exchange Server (FPE) lives on, but bound to Office 365 and renamed Exchange Online Protection.

I still remember the rumor about this decision a year ago, but it was not confirmed then. Now that it is confirmed, questions remain about why Microsoft has made this strategic decision, especially the decision to discontinue TMG, which is a very popular product. It is used by a lot of companies as gateway software for many different purposes: reverse proxy publishing of web applications, forward web proxy and filtering, firewall and VPN. It was the successor of the popular Microsoft ISA Server 2006, and now the whole line has been discontinued, with no further development planned.


How to Patch the Internet Explorer 9 Security Vulnerability…

After the recent major Java vulnerability, a few days ago we heard of a very serious security vulnerability in Internet Explorer 6 through 9 (Internet Explorer 10 is not affected). It is a use-after-free bug in the browser's HTML engine, and it allows remote code execution on a vulnerable machine: all it takes is for the user to click a link and land on a web page carrying malicious script that triggers the bug, after which the attacker's code runs with the privileges of the logged-on user.

Here is a link that will give you more information about the nature of the vulnerability: CVE-2012-4969

Microsoft reacted to this pretty critical issue, and even though it was not super fast, it took them only a couple of days (if I am not mistaken) to release a patch. It deserves a mention that within hours of the issue becoming public they published a workaround (deploying EMET and tightening Internet Explorer's zone settings, later followed by a one-click Fix it) that could keep a machine safe, but it was not the best solution, and I don't think any organization went through the hassle of rolling it out on a large number of machines.

Anyways, Microsoft came up with the patch today and here is the link for you to get more information about it:

Microsoft Security Bulletin MS12-063

It will be downloaded automatically if you have enabled Automatic Updates in Windows; if not, you can download it directly from this link:

Cumulative Security Update for Internet Explorer

That link is the patch for 32-bit Windows 7; if you are using another version of Windows, go to the bulletin above and get the right version of the update for it. After installing, confirm that the bulletin's update shows up under Installed Updates in Control Panel, since a failed install leaves the browser just as exposed as before.

Please leave me a comment in case you have any more questions or concerns.

Cheers,

Esmaeil

Centralized Security in Windows Server 2012

Trying to control file security on enterprise servers is like herding extremely fertile cats: without clamping down on breeding, they are soon too numerous to control. Microsoft addresses this problem with Dynamic Access Control, a feature of Windows Server 2012 (called Windows Server 8 in the pre-release period this article dates from) that introduces centralized, domain-level security for file and folder access layered on top of existing file-system permissions. A user gets access only when both the NTFS permissions and the central policy allow it; the central policy can take rights away but never hands out rights the file's own permissions withhold.

According to Microsoft, upwards of 80 percent of corporate data sits on company file servers, often with little or no content documentation, custody auditing or departmental ownership metadata.

Delivered through the Windows Server 2012 version of Active Directory, Dynamic Access Control works by carrying claims inside Kerberos tickets and adding an enhanced file-level auditing and authorization system that can automatically tag sensitive data based on content and creator.

Dynamic Access Control introduces claims into the Windows Server security lexicon. The concept has long been present in federated identity on the Internet, but in Microsoft's parlance a claim is an assertion about a user or a device (a department, a clearance level, whether the machine is managed) issued by Active Directory and delivered with the Kerberos ticket.

Active Directory in Windows Server 2012 defines user claims, device claims and resource properties (the tags applied to files, folders and shares); the definitions, together with central access policies, are distributed to Windows Server 2012 file servers across the organization through Active Directory replication and Group Policy.

The four-pillar Dynamic Access Control system begins with identification of high-impact data through manual, automatic or application-based tagging. For instance, administrators might choose to tag all Excel documents as sensitive, and search Word documents for words such as "confidential" for additional tagging; the automatic part is done by the File Classification Infrastructure in File Server Resource Manager.

Central access policies are then created from these file tags with a new expression-based editor in the Active Directory Administrative Center, which sets up access conditions that combine user claims, device claims and file tags, and handles access-denied remediation (what a denied user sees and where the request for access is routed).

By applying centralized policies automatically (or manually), access to such files can be restricted by several criteria at once, including user, device and department.

The third pillar of DAC is auditing, for which Microsoft provides centralized audit policies applicable across multiple servers using the same expression-based editor and claim support, plus a staging mode that simulates a policy change and shows who would gain or lose access before it is enforced.

The final pillar of the access security platform is data protection, which automatically applies Microsoft's Rights Management Services (RMS) model to Office documents in near real time once they are tagged, and is extensible to non-Office documents.
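To make the layering concrete, here is an added example (not Microsoft's code and not from the original article) that models a central access rule as claim conditions over a user, a device and a tagged file, and combines it with the NTFS DACL the way the article describes. The claim names, the tags, the rule itself and the exact way rights from several applicable rules are merged are assumptions made for the illustration:

```python
"""Claims-based access evaluation in the style of Dynamic Access Control.

Added illustration, not Microsoft's implementation.  It models the two
layers the article describes: the NTFS DACL grants a set of rights, and a
central access policy (CAP) built from claims and file tags restricts them
further.  Effective access is the intersection of the two.  The claim names
(Department, Managed), the file tags and the rule are made up; the merge
model (rights from every applicable rule are unioned, then intersected with
the DACL, and a CAP that targets nothing on the file leaves the DACL alone)
is an assumption about how the real feature combines rules.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

READ, WRITE, DELETE = "Read", "Write", "Delete"


@dataclass(frozen=True)
class Context:
    """Everything the policy engine can see for one access check."""
    user: Dict[str, object]      # user claims carried in the Kerberos ticket
    device: Dict[str, object]    # device claims carried in the Kerberos ticket
    resource: Dict[str, object]  # resource properties (classification tags)


# A condition is a predicate over the context; it stands in for the editor's
# expression strings such as "(@User.Department == @Resource.Department)".
Condition = Callable[[Context], bool]


@dataclass(frozen=True)
class CentralAccessRule:
    name: str
    target: Condition                                      # which resources it covers
    grants: Tuple[Tuple[FrozenSet[str], Condition], ...]   # (rights, condition) pairs


def rule_rights(rule: CentralAccessRule, ctx: Context):
    """Rights the rule grants in ctx, or None when the rule does not target the file."""
    if not rule.target(ctx):
        return None
    rights = set()
    for allowed, condition in rule.grants:
        if condition(ctx):
            rights |= allowed
    return frozenset(rights)


def effective_access(dacl: Iterable[str], policy: List[CentralAccessRule],
                     ctx: Context) -> FrozenSet[str]:
    """DACL rights intersected with what the applicable central rules allow."""
    from_dacl = frozenset(dacl)
    applicable = [r for r in (rule_rights(rule, ctx) for rule in policy) if r is not None]
    if not applicable:            # no rule targets this file: NTFS alone decides
        return from_dacl
    return from_dacl & frozenset().union(*applicable)


def staging_report(dacl, policy, contexts: Dict[str, Context]):
    """Who loses which rights if the policy is enforced (the staging view)."""
    return {label: frozenset(dacl) - effective_access(dacl, policy, ctx)
            for label, ctx in contexts.items()}


# Rule: Finance-tagged files are readable by Finance staff from anywhere, but
# writable only from a managed device.  Equivalent editor expressions:
#   (@User.Department == @Resource.Department)
#   (@User.Department == @Resource.Department) && (@Device.Managed == true)
FINANCE_RULE = CentralAccessRule(
    name="Finance documents",
    target=lambda c: c.resource.get("Department") == "Finance",
    grants=(
        (frozenset({READ}),
         lambda c: c.user.get("Department") == c.resource.get("Department")),
        (frozenset({WRITE, DELETE}),
         lambda c: c.user.get("Department") == c.resource.get("Department")
         and c.device.get("Managed") is True),
    ),
)

POLICY = [FINANCE_RULE]
DACL = {READ, WRITE, DELETE}      # the permissive NTFS permissions on the share

FINANCE_FILE = {"Department": "Finance", "Impact": "High"}   # constructed tags
CONTEXTS = {
    "finance user, managed laptop": Context({"Department": "Finance"}, {"Managed": True}, FINANCE_FILE),
    "finance user, home PC":        Context({"Department": "Finance"}, {"Managed": False}, FINANCE_FILE),
    "HR user, managed laptop":      Context({"Department": "HR"}, {"Managed": True}, FINANCE_FILE),
    "HR user, untagged file":       Context({"Department": "HR"}, {"Managed": True}, {}),
}

if __name__ == "__main__":
    for label, ctx in CONTEXTS.items():
        print(f"{label:30} -> {sorted(effective_access(DACL, POLICY, ctx))}")
    print("rights lost on enforcement:", staging_report(DACL, POLICY, CONTEXTS))
```

The `staging_report` function mirrors the staging idea from the auditing pillar: run the proposed policy against representative users before enforcing it and see exactly who would lose which rights, which is how you catch a rule that locks out the finance team's unmanaged laptops before the help desk does.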

Windows 8 Security Mechanisms

We live in a world of information where all our data is maintained in a digital format.

What would be your reaction if you found out that an unknown person has accessed your profile information? How would you react if you found out that your credit card details and passwords stored in your computer have been compromised?

Microsoft has left no stone unturned to ensure that its new flagship operating system ships with adequate levels of protection.

Viruses, worms and Trojans that corrupted previous versions of Windows will not be able to tamper with Windows 8 as easily. Windows president Steven Sinofsky described some of Windows 8's security features at the recent Microsoft BUILD conference, and how they build on their predecessor, Windows 7.

In this article, we present an overview of the new security features of Windows 8.

Security Features of Windows 8

  • Address space layout randomization (ASLR)

ASLR randomly arranges the base addresses of the executable, its libraries, the heap and the stack in a process's virtual address space each time the process starts; the files on disk are untouched. An exploit that needs to know where a function or gadget lives can no longer predict it, so a memory-corruption bug is much harder to turn into code execution. ASLR existed in Windows 7 but is enhanced in Windows 8: more regions are randomized, 64-bit processes can opt into high-entropy randomization, and images built without relocation support can be forced to relocate.

  • Heap Randomization (HR)

Attackers can corrupt or divert program execution by overwriting data and pointers kept in the heap. Windows 8 hardens the heap on several fronts: allocation addresses are randomized, guard pages are inserted around large allocations so that an overflow runs into an unmapped page instead of a neighbouring object, heap metadata is integrity-checked, and a process whose heap is found corrupted is terminated rather than allowed to continue.

  • Kernel mode security:

Kernel-mode code runs in a region of the address space reserved for it. Windows 8 adds two checks at the boundary: user-mode processes are no longer allowed to map the lowest 64 KB of their address space, so a NULL-pointer dereference in the kernel cannot be turned into execution of attacker-controlled memory, and on processors that support SMEP (Supervisor Mode Execution Prevention) the kernel is prevented from executing code that lives in user-mode pages at all.

  • UEFI Secure Boot:

With UEFI Secure Boot, the firmware checks the digital signature of the boot loader before running it, and the loader in turn checks the kernel and boot drivers, so an unsigned or tampered boot component (a bootkit) cannot start. Manufacturers ship firmware with Microsoft's signing certificate installed, which is why boot components carry a Microsoft-verified signature rather than a key "assigned" to each application. Closely related is Early Launch Anti-Malware (ELAM), which lets a specially signed antimalware driver load before all other boot drivers and vet them; this is what keeps malware from loading ahead of, and interfering with, the antivirus program.

  • Windows Defender:

Windows Defender has been upgraded from the anti-spyware tool of earlier versions into a full antimalware product, using the engine and signatures of Microsoft Security Essentials from the Microsoft Malware Protection Center, so it now covers viruses, worms and Trojans as well as spyware and adware.
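ASLR is only worth anything if it is actually in effect, and the quickest way to confirm that from user space is to start the same program several times and see whether the same library and the same heap object land at different addresses. The following added example (not from the article) does that by spawning child Python interpreters; it assumes `ctypes` can load the C runtime (msvcrt on Windows, libc elsewhere) and uses five samples, an arbitrary number:

```python
"""Check that ASLR is actually in effect, from user space.

Added example, unrelated to any code in the article.  Each sample starts a
fresh interpreter and records two addresses: a function inside the C
runtime (code) and a freshly created Python object (heap).  Under ASLR the
same item lands somewhere different in every process; without it the
addresses repeat.  Works on Windows (msvcrt) and POSIX (libc).
"""
import json
import subprocess
import sys

# Source of the child process; it prints one JSON object and exits.
CHILD_SCRIPT = r"""
import ctypes, json, sys
lib = ctypes.CDLL("msvcrt" if sys.platform == "win32" else None)   # the C runtime
code = ctypes.cast(lib.printf, ctypes.c_void_p).value            # address of printf
heap = id(bytearray(1 << 20))                                    # a heap-allocated object
print(json.dumps({"code": code, "heap": heap}))
"""


def sample_addresses(count: int = 5):
    """Spawn `count` child interpreters and collect their code/heap addresses."""
    samples = []
    for _ in range(count):
        out = subprocess.run([sys.executable, "-I", "-c", CHILD_SCRIPT],
                             capture_output=True, text=True, check=True).stdout
        samples.append(json.loads(out))
    return samples


def randomized_regions(samples):
    """Map each region name to True when it moved between processes."""
    return {key: len({s[key] for s in samples}) > 1 for key in ("code", "heap")}


if __name__ == "__main__":
    samples = sample_addresses()
    for s in samples:
        print(f"code @ {s['code']:#018x}   heap @ {s['heap']:#018x}")
    print("randomized:", randomized_regions(samples))
```

If `randomized_regions` reports False for a region, ASLR is off for it, either system-wide or because the module in question was built without relocation support; the latter case is what the "force ASLR" option in Windows 8 exists to fix.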

Microsoft continues its support for third-party antivirus and antimalware vendors while revamping Windows Defender with the help of its security development team.

Microsoft follows a Security Development Lifecycle to avoid the problems Windows XP users experienced in the past. It has also looked at why so many computers (75% by its count) end up with inadequate malware protection.

According to Microsoft, users fail to renew their trial antivirus after it expires, and most do not update their security components regularly; building antimalware into the operating system is the answer to both. Stay tuned for more security-related news from Microsoft.

Manage the Network Security from the Cloud using Windows Intune

While everything is moving to the cloud, you may wonder whether it is possible to manage the computers in your network from the cloud. The answer is yes: using Microsoft Windows Intune, you can protect your PCs from network threats and malware, manage security policies and the Windows firewall, easily deploy the latest Microsoft security updates and help safeguard data with BitLocker and BitLocker To Go in Windows 7 Enterprise.

Microsoft believes Windows Intune, its web-based PC management service, is well suited for companies with up to around 500 PCs. Intune works alongside Active Directory (AD) and Group Policy (GP) rather than requiring them, offering instead a simpler set of management capabilities that should be welcome to overtaxed IT departments in mid-sized businesses.

Intune strikes a nice balance. It consists of a Silverlight-based web console that looks and feels a lot like Microsoft's on-premises consoles, plus a set of client agents. From the web console you can view details about the connected computers (alert, update and malware-protection status); view, manage and configure how updates are applied to your managed computers; view the anti-malware status of managed computers; view alerts; survey the software and software versions installed across your managed computers; optionally manage volume licenses to ensure the software in your environment is correctly licensed; create and manage (non-GP) policies; view and create reports; and perform other administrative tasks.

Managed clients can be PCs running Windows XP SP2 or later, Vista or 7, and require a software agent to be installed. For environments using GP, Microsoft provides instructions for configuring the client to avoid policy conflicts and for rolling out the agent; smaller outfits can deploy the client manually.

Windows Intune also does not support mobile devices such as smartphones and tablets; it manages only Windows PCs, though Microsoft has said that support for mobile devices is planned for future versions.

Microsoft also plans to integrate Windows Intune with Office 365 so that IT pros can use Intune to deploy Office from the cloud, but that integration is not yet in place for Windows Intune 2.0.

Threat Modeling of the Cloud

If there's one problem in cloud computing you have to revisit regularly, it's security. Security concerns, real or imagined, must be squarely addressed to convince an organization to use cloud computing. One highly useful technique for analyzing security issues and designing defenses is threat modeling, a security analysis technique long used at Microsoft. Threat modeling is useful in any software context, but it is particularly valuable in cloud computing, given the widespread preoccupation with security, and because technical and non-technical people alike can follow the diagrams easily. At some level the modeling applies to general cloud scenarios, but as you get specific you need to have your cloud platform in view, which in my case is Windows Azure.

To illustrate how threat modeling works in a cloud computing context, let's address a specific threat. A common concern is that the use of shared resources in the cloud might compromise the security of your data by allowing it to fall into the wrong hands, what we call a data isolation failure. It is one of the primary risks that organizations considering cloud computing worry about.

To create our threat model, we start with the end result we are trying to avoid: data in the wrong hands. That becomes the root of the tree.

Next we think about what can lead to this end result. How could your data in the cloud end up in the wrong hands? It could happen deliberately or by accident, so we draw two child nodes, one for deliberate compromise and one for accidental compromise, and number the nodes so that we can reference them in discussions. Either condition on its own is sufficient to put data in the wrong hands, so this is an OR node. Later we will see how to show an AND node, where the outcome requires every child condition to hold.
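Here is the tree drawn in code, as an added example rather than anything from the original post. Node 0 and its two children, 1 (deliberate) and 2 (accidental), are the ones described above; the nodes beneath them are hypothetical, chosen only to show an AND node alongside the OR nodes. Given the tree, the code lists the minimal combinations of leaf conditions that reach the root, ranks which single control cuts the most paths, and evaluates whether a particular state of the world reaches the root:

```python
"""Attack tree for the "data in the wrong hands" threat.

Added illustration, not from the original post.  The root and its two
numbered children (1 deliberate, 2 accidental) are the post's; every node
below them is hypothetical, chosen to show how OR and AND gates behave.
The code answers two questions a threat model should: which combinations
of leaf conditions are enough to reach the root (minimal attack paths), and
which single mitigation removes the most of them.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional


@dataclass
class Node:
    id: str
    label: str
    gate: Optional[str] = None                      # "OR", "AND", or None for a leaf
    children: List["Node"] = field(default_factory=list)


TREE = Node("0", "Data in the wrong hands", "OR", [
    Node("1", "Deliberate compromise", "OR", [
        Node("1.1", "Attacker reads stored data", "AND", [             # hypothetical
            Node("1.1.1", "Storage credentials are obtained"),
            Node("1.1.2", "Data is stored without encryption"),
        ]),
        Node("1.2", "Provider insider copies the data"),              # hypothetical
    ]),
    Node("2", "Accidental compromise", "OR", [
        Node("2.1", "Decommissioned disk not wiped"),                  # hypothetical
        Node("2.2", "Tenant isolation bug exposes another customer's data"),  # hypothetical
    ]),
])


def reachable(node: Node, leaf_state: Dict[str, bool]) -> bool:
    """Is the node's condition true, given which leaf conditions currently hold?"""
    if node.gate is None:
        return leaf_state.get(node.id, False)
    results = [reachable(child, leaf_state) for child in node.children]
    return any(results) if node.gate == "OR" else all(results)


def attack_paths(node: Node):
    """Minimal sets of leaves that are jointly sufficient to reach the node."""
    if node.gate is None:
        return [frozenset([node.id])]
    per_child = [attack_paths(child) for child in node.children]
    if node.gate == "OR":                     # any one child's path will do
        candidates = [path for paths in per_child for path in paths]
    else:                                     # AND: one path from every child, combined
        candidates = [frozenset().union(*combo) for combo in product(*per_child)]
    minimal = {p for p in candidates if not any(q < p for q in candidates)}
    return sorted(minimal, key=lambda p: (len(p), sorted(p)))


def best_mitigations(node: Node):
    """Leaves ranked by how many attack paths a control on that leaf removes."""
    paths = attack_paths(node)
    leaves = {leaf for path in paths for leaf in path}
    return sorted(((sum(leaf in p for p in paths), leaf) for leaf in leaves),
                  key=lambda t: (-t[0], t[1]))


def render(node: Node, depth: int = 0) -> str:
    """Indented text form of the tree, gate shown in brackets."""
    gate = f" [{node.gate}]" if node.gate else ""
    lines = [f"{'  ' * depth}{node.id} {node.label}{gate}"]
    return "\n".join(lines + [render(child, depth + 1) for child in node.children])


if __name__ == "__main__":
    print(render(TREE))
    print("attack paths:", [sorted(p) for p in attack_paths(TREE)])
    print("mitigation ranking:", best_mitigations(TREE))
    print("credentials leaked but data encrypted ->",
          reachable(TREE, {"1.1.1": True, "1.1.2": False}))
```

The AND node is where a single control pays off: with the hypothetical leaves above, encrypting stored data (removing 1.1.2) makes a credential leak alone insufficient, whereas nothing short of fixing each leaf helps under an OR node.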


A Botnet Under an Anti-virus Vendor Control?!! Microsoft Claims…

A long time ago, when the only well-known anti-virus vendors were Norton and McAfee and maybe a few others, there were not as many viruses around as there are now. People felt much safer on the internet, and that was why so many avoided using anti-virus software. People also avoided it because their PCs were not capable of running it and simply crashed, especially when the PC was under a heavy load.

I remember a rumor that was spreading at the time: that an anti-virus company could itself infect computer systems with a virus. Honestly, as I write this I don't really remember what people thought the reasons would be for a software company to do such a thing, but sometimes rumors come out of nowhere, you know.

I was thinking about these old stories today while surfing the net when something caught my attention. Microsoft claims the Kelihos botnet is connected to a former anti-virus company employee. Having tracked down the botnet, they named a Russian software developer, Andrey N. Sabelnikov, who previously worked for an anti-virus vendor. The botnet he is accused of designing was pretty advanced and did everything from sending spam to stealing financial information, and many other things botnets usually do.

It seems working for an anti-virus company gave him enough insight into how to infect a lot of computers and eventually build a botnet under his control. But could this guy by any means still be connected to his previous company (of course not, really), and could this be a mission carried out for the company? Then again, why would such a company need a botnet under its control?

Could a company be behind stealing so much financial information? Is it really worth doing something so risky? If so, had they predicted that their man in charge could be caught? Would they do it solely for the direct illegal financial gain, or for the indirect gain from sales of their anti-virus software?

These are the things that kept my mind busy today. I was thinking to myself that those old rumors seem to be becoming reality, and that controlling a botnet has become really worthwhile financially. If this story is true, as it seems to be, how sure can we be about the safety of our systems and information?!!

What are Honeypots ?!!

Today I would like to talk about honeypots. The purpose of this article is to give a detailed overview of what honeypots are, their characteristics, the different types, their pros and cons, the mechanics of how they work, who uses them, how they help prevent attacks, and their value as a technology, from individual users up to corporations.

The word "honeypot" comes from an espionage technique used during the Cold War: sexual entrapment, where a female agent seduces an official of the other side in order to extract information (troop movements by land, air and sea, supply lines, plans for invasion or evacuation) from a target who does not know her true intention. In computing, a honeypot is a decoy resource that pretends to be a real target: it is set up as a trap, expecting to be attacked or compromised. Its main goals are to distract the attacker from real systems and to gain information about the attacker, the methods of attack and the tools used. A honeypot attracts attacks because it looks like a weakened system and an entrance to the real target, like a flame drawing a moth.

I feel honeypots are an effective countermeasure against unauthorized use of critical information systems on the network. Their basic characteristics are: first, they are highly flexible systems; second, they can detect an attacker's movements and behavior; and third, they capture the latest attacks spreading online so the administration team can analyze them and fix the weaknesses, leaving a stronger network. Where are honeypots used, and by whom? They are used at government agencies, large businesses, non-profit organizations and schools like here at ECU. As will be explained, governments, businesses and non-profits use honeypots for production purposes, as a support against attackers trying to invade secure systems and bring them down: the attacker hits the decoy instead, and the honeypot has served its purpose. Schools use honeypots for research, to teach future security majors the weaknesses exposed by the different attacks the honeypots collect, and as a way to develop new defensive tools to add to the network.
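As an added illustration (not part of the essay), here is the smallest honeypot that still teaches the mechanics: a TCP listener that greets every connection with a fake SMTP banner, records the peer and the first bytes it sends, and then hangs up. The banner is invented and the probe that exercises it is constructed in the code; nothing an attacker sends is ever interpreted:

```python
"""A minimal low-interaction TCP honeypot.

Added example, not part of the original essay.  It listens on a port,
answers every connection with a fake service banner, records the peer
address and the first bytes it sends, then closes; nothing sent by the
peer is ever interpreted or executed.  The banner text is made up, and the
probe used to exercise it is constructed here rather than captured from a
real attacker.
"""
import socket
import threading
import time
from typing import Dict, List

BANNER = b"220 mail.corp.example ESMTP Postfix\r\n"   # fake SMTP greeting


class Honeypot:
    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.events: List[Dict] = []              # what the honeypot observed
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))             # port 0 = let the OS choose
        self._sock.listen(16)
        self._sock.settimeout(0.2)                # lets the accept loop poll _stop
        self.host, self.port = self._sock.getsockname()[:2]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> "Honeypot":
        self._thread.start()
        return self

    def stop(self) -> None:
        self._stop.set()
        self._thread.join(timeout=5)
        self._sock.close()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn: socket.socket, peer) -> None:
        started = time.time()
        data = b""
        try:
            conn.settimeout(2.0)
            conn.sendall(BANNER)
            while len(data) < 512:                 # keep only the opening bytes
                chunk = conn.recv(512 - len(data))
                if not chunk:
                    break
                data += chunk
                if b"\n" in chunk:                 # one line is enough as an indicator
                    break
        except OSError:
            pass
        finally:
            conn.close()
        self.events.append({"time": started, "src": peer[0], "sport": peer[1], "data": data})


def log_line(event: Dict) -> str:
    """Render an event as one log line; attacker bytes are escaped, never emitted raw."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(event["time"]))
    return f"{stamp} honeypot src={event['src']}:{event['sport']} first_bytes={event['data']!r}"


def probe(host: str, port: int, payload: bytes) -> bytes:
    """Constructed client probe: connect, read the banner, send payload, hang up."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


def run_demo():
    """Start the honeypot, hit it once, return (banner served, recorded events)."""
    pot = Honeypot().start()
    try:
        banner = probe(pot.host, pot.port, b"EHLO scanner.example\r\n")
        deadline = time.time() + 5
        while not pot.events and time.time() < deadline:
            time.sleep(0.05)
    finally:
        pot.stop()
    return banner, list(pot.events)


if __name__ == "__main__":
    banner, events = run_demo()
    print("banner served:", banner)
    for event in events:
        print(log_line(event))
```

Run on a machine that offers no real mail service, every connection is by definition unsolicited, which is why honeypot data has so few false positives; the price is that a low-interaction decoy like this one reveals nothing about what an attacker would do after the first line.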


A Step by Step Guide on How to Set Up Teredo Tunneling…

What is Teredo? A Microsoft-supported IPv6-over-UDP tunnel established directly from your client machine, which lets it reach IPv6 hosts even from behind an IPv4 NAT. Teredo was meant to be used only by applications that specifically request it. For this reason, a host with Teredo enabled would only ever use Teredo to connect to IPv6-only machines; if IPv4 is an option, it will always prefer that. So why talk about it first? Because it ships with Windows XP SP2 and Windows Vista/7 (enabled by default in the latter two, though not for "general application use"), and we can expect it to be used to reach IPv6-only content, since tunnel brokers on the outside may seem like more work to set up. And indeed, with the release of an IPv6-capable uTorrent and Hurricane Electric's provisioning of Teredo relay servers, Teredo traffic has spiked sharply. One caveat before you enable it: to an IPv4 perimeter firewall Teredo is just outbound UDP, and the IPv6 address it gives your host is reachable from the Internet, so IPv4-only firewall rules and monitoring neither see nor filter the tunneled IPv6 connections.

Setting up Teredo

Here is the step-by-step guide to setting up Teredo. Again, keep in mind that IPv4 will always be preferred: go6.net will show you an IPv4 address if all you have is Teredo.

Windows XP SP2

  • Realize that Teredo in Windows XP does not support hide NAT, aka PAT, aka many-to-one NAT, aka what your home router does. In Teredo terminology that kind of NAT is called "symmetric NAT", and it is simply not supported by the Teredo implementation in XP. You can still experiment by putting a host directly on the Internet, without a home router in between. If you have an additional public IP address, you could also set up a static NAT (aka 1-to-1 NAT), which Teredo calls a "cone NAT" (if you allow all incoming traffic) or "restricted cone NAT" (if you disallow unsolicited incoming connections); both are supported. My experiments with my router's "DMZ" setting, to see whether that would get around the issue, were less than successful: while Teredo claimed I was behind a "cone" NAT, I still had no connectivity.
  • Add the IPv6 protocol to your interface: Control Panel | Network Connections, right-click your LAN or WiFi connection, "Properties", "Install…", "Protocol", "Add…", choose "Microsoft TCP/IP version 6", then hit "OK" until you are out again.
  • Open a command line ("cmd" from Start | Run) and run "ipconfig /all". You should now see a link-local IPv6 address, something like "fe80::214:85ff:fe2f:8f06%4". It will not get you to anything "out there", but it tells you IPv6 is up and running.
  • Configure Teredo. Assuming you are in the US, the command is "netsh interface ipv6 set teredo client teredo.ipv6.microsoft.com". Elsewhere in the world you may be able to find a closer Teredo server.
  • If you are on a Windows domain, as opposed to a home workgroup, Teredo disables itself even if you configure it, because it treats a domain network as "managed". You can get around that with the command "netsh interface ipv6 set teredo enterpriseclient".
  • The command to see the configured Teredo parameters is "netsh int ipv6 show teredo"; the message indicating that you are behind PAT, and thus that Teredo will not work here, is "Error : client behind symmetric NAT".
  • Use an IPv6-only host to test connectivity. If you can connect to http://ipv6.google.com/, it is working. Or you could "ping ipv6.google.com" from the command line, which should show you an IPv6 address and succeed.
  • A useful command while trying different configurations is "netsh int ipv6 renew", which re-negotiates the Teredo tunnel. "netsh int ipv6 show route" shows you the IPv6 routes.
  • Keep in mind that Windows XP will always prefer IPv4 over IPv6 when Teredo provides the IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.
  • Lastly, there are reports that Firefox 2 on Windows XP does not handle IPv6 well. Try Firefox 3 or Internet Explorer.

Windows Vista

  • IPv6 and Teredo are both enabled by default in Windows Vista, and Vista's Teredo also supports hide NAT, aka PAT, aka what your home router does. Woo, we're done? Not so fast, young Anakin: to avoid IPv6 connectivity problems caused by default Teredo tunnels, Microsoft has configured the DNS resolver so that the system never resolves a name to an IPv6 address as long as it only has link-local and Teredo IPv6 addresses. Teredo is meant to be used by applications that specifically request it, and that does not include any browser.
  • Thus we need to hoodwink Vista. If the criterion is "has only link-local or Teredo addresses", then we need to supply another address. Luckily, IPv6 maps the entire IPv4 address space into the 6to4 range (2002::/16), so we can use that. In reality it does not matter which address we configure, since it will never be used anyway. Open up the Properties of your LAN or WiFi interface and give it a static IPv6 address: use either the converted IPv4 address you figured out using the link I gave, or the 192.168.1.2 equivalent, 2002:c0a8:102::, with a prefix length of 48. Do not configure a default gateway for this address.
  • Vista will now resolve names to IPv6 addresses, but we need to force it to route that traffic through our Teredo interface. For this you need to run a command prompt as Administrator: create a shortcut to a command prompt on your desktop, then right-click it and choose "Run as administrator".
  • Figure out the ID of your "Teredo Tunneling Pseudo-Interface" by running "route print" and looking at the "Interface List" at the top of its output. In my case it is 14. Then, using this ID, add a default route that forces all IPv6 traffic through Teredo: netsh interface ipv6 add route ::/0 interface=14
  • Use an IPv6-only host to test connectivity. If you can connect to http://ipv6.google.com/, it is working. Or you could "ping ipv6.google.com" from the command line, which should show you an IPv6 address and succeed.
  • Keep in mind that Windows Vista will always prefer IPv4 over IPv6 when Teredo provides the IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.

[Edit 2010-02-24 – added Windows 7 and Troubleshooting sections]

Windows 7 [this is the same procedure as for Vista, tested on Win7 x64]

[Edit 2010-04-09 – replaced kludgy workaround for disappearing default route with elegant workaround received through comment]

  • IPv6 and Teredo are both enabled by default in Windows 7, just as in Vista. Also as in Vista, Microsoft has configured the DNS resolver so that the system never resolves a name to an IPv6 address as long as it only has link-local and Teredo IPv6 addresses.
  • Thus we need to hoodwink Win7. As with Vista, we provide a 6to4 address. Luckily, IPv6 maps the entire IPv4 address space into the 6to4 range (2002::/16), so we can use that. In reality it does not matter which address we configure, since it will never be used anyway. Open up the Properties of your LAN or WiFi interface and give it a static IPv6 address: use either the converted IPv4 address you figured out using the link I gave, or the 192.168.1.2 equivalent, 2002:c0a8:102::, with a prefix length of 48. Do not configure a default gateway for this address.
  • For Win7 to actually use the IPv6 addresses it now resolves, we need to force it to route that traffic through our Teredo interface. For this you need to run a command prompt as Administrator: create a shortcut to a command prompt on your desktop, then right-click it and choose "Run as administrator".
  • Figure out the ID of your "Teredo Tunneling Pseudo-Interface" by running "route print" and looking at the "Interface List" at the top of its output. In my case it is 14. Then, using this ID, add a default route that forces all IPv6 traffic through Teredo: netsh interface ipv6 add route ::/0 interface=14
  • Use an IPv6-only host to test connectivity. Try "ping ipv6.google.com" or connect to http://ipv6.google.com/.
  • Keep in mind that Win7 will always prefer IPv4 over IPv6 when Teredo provides the IPv6 connectivity. Unless a host has no IPv4 address, its IPv6 address will not be used.
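Two things a practitioner will want while following the steps above are a way to read the "netsh interface ipv6 show teredo" output mechanically and a way to see what a Teredo address reveals about the host. The following added example (not part of the original guide) decodes the RFC 4380 sample address into the Teredo server, the cone-NAT flag and the NAT's external IPv4 address and port, and maps two constructed netsh transcripts, which imitate rather than reproduce real Windows output, onto the fixes described above:

```python
"""Decode a Teredo address and read Teredo's state from netsh output.

Added example, not part of the original guide.  A Teredo address encodes
the server you configured, whether Teredo decided you are behind a cone
NAT, and your NAT's external IPv4 address and port (RFC 4380), so decoding
one shows exactly what the tunnel exposes to every IPv6 peer.  The address
used is RFC 4380's own worked example; the two `netsh interface ipv6 show
teredo` transcripts are constructed to resemble real output, not captured.
"""
import ipaddress
from typing import Dict, List

TEREDO_PREFIX = ipaddress.IPv6Network("2001:0::/32")


def decode_teredo(address: str) -> Dict[str, object]:
    """Split a 2001:0::/32 address into server, flags and the obfuscated mapping."""
    addr = ipaddress.IPv6Address(address)
    if addr not in TEREDO_PREFIX:
        raise ValueError(f"{address} is not a Teredo address")
    raw = int(addr)
    server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)          # bits 32..63
    flags = (raw >> 48) & 0xFFFF                                       # bits 64..79
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF                             # bits 80..95, inverted
    client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)    # bits 96..127, inverted
    assert addr.teredo == (server, client)        # the stdlib's own decoder agrees
    return {"server": str(server), "cone_nat": bool(flags & 0x8000),
            "external_ip": str(client), "external_port": port}


def parse_netsh_teredo(text: str) -> Dict[str, str]:
    """Turn the 'Key : Value' lines of `netsh interface ipv6 show teredo` into a dict."""
    params = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("-"):
            key, _, value = line.partition(":")
            params[key.strip().lower()] = value.strip()
    return params


def diagnose(params: Dict[str, str]) -> List[str]:
    """Map the netsh state onto the fixes the guide describes."""
    findings = []
    nat_text = (params.get("nat", "") + " " + params.get("error", "")).lower()
    if "symmetric" in nat_text:
        findings.append("behind symmetric NAT (PAT): XP's Teredo client will not work; "
                        "use a 1-to-1 NAT or put the host directly on the Internet")
    if params.get("network", "").lower() == "managed" and params.get("type", "").lower() == "client":
        findings.append("domain-joined (managed network) with type 'client': run "
                        "'netsh interface ipv6 set teredo enterpriseclient'")
    if not findings and params.get("state", "").lower() not in ("qualified", ""):
        findings.append(f"state is '{params['state']}', not 'qualified': try "
                        "'netsh interface ipv6 renew' and check again")
    return findings or ["Teredo looks usable; test with ping ipv6.google.com"]


# Constructed transcripts (not captured output) covering the two failure modes above.
NETSH_XP_SYMMETRIC = """\
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com
Client Refresh Interval : default
Client Port             : default
State                   : offline
Error                   : client behind symmetric NAT
"""

NETSH_WIN7_DOMAIN = """\
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com.
Client Refresh Interval : 30 seconds
Client Port             : unspecified
State                   : offline
Network                 : managed
"""

if __name__ == "__main__":
    print(decode_teredo("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
    for name, transcript in (("XP", NETSH_XP_SYMMETRIC), ("Win7", NETSH_WIN7_DOMAIN)):
        print(name, "->", diagnose(parse_netsh_teredo(transcript)))
```

The decoded external address and port are exactly what any IPv6 peer learns about your NAT the moment you connect to it over Teredo, which is worth remembering when deciding whether to leave the tunnel enabled on a machine that does not need it.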
