Techinsights 2011 SEA – Hey you… Stay away from my network…

Hi everyone,

This is right after my second session on the second day of Techinsights 2011 South East Asia here in Kuala Lumpur, Malaysia. The title of this session was Hey You.. Stay away from my network…

I uploaded the slides for you to download:

Cheers

Social Engineering by Fake and Deceiving Support Calls

We have had a lot of talk about technical things and how to protect our environment from a technical point of view; however, we still need to pay more attention to the social engineering techniques intruders use to get into your computers and networks, because honestly there is no patch for human stupidity.

It might be unbelievable, but there are many hackers who call people at home or on their cell phones, introduce themselves as technical staff calling from Microsoft or some other well-known corporation, and ask whether the person needs support for any issues. You would not believe how excited people (especially non-technical ones always looking for support) get when somebody calls them up out of the blue wanting to help, and I get frustrated when I see how easily people are deceived into giving away their personal information, such as their computer username and password or their credit card details. Some even click on a link and download software onto their computers so that the person on the phone can provide "support".

The Trustworthy Computing team at Microsoft conducted a survey of 7000 people and found that more than 1000 of them had received such phone calls; nearly 22 percent of those (234 people) were deceived, and 184 of them even lost money (around 800 USD in total across all of them).

It is always easy to deceive people, and much easier than hacking into a computer system, which can be kept pretty up-to-date with all the automatic update services running on machines. I believe more seamless training needs to be provided to people through different types of media, because not everyone reads security websites to learn about such threats. After all, keeping people's confidential information secure on the net is the main purpose of the professionals and authorities in charge of security, and in order to do so, education is the most fundamental thing.

That said, here are some very quick tips I want to share with you to keep you away from such fake calls:

  • If you get such a call claiming to be from a well-known company, ask for the name and phone number of the person on the other end and ask whether you can call them back. Ask for the company's phone number so that you call the company, not their direct line… (Do not be embarrassed; you just want to make sure they are who they say they are.)
  • Remember that Microsoft will never have support services call you for on-the-phone services without your request… I'm not sure about other companies, but as far as I can remember I have never seen any company offer such services by cold calling people.
  • Never give the person on the other end your name, the username and password of your computer or of any website you are a member of, your credit card information or any other confidential information.
  • Ask the person upfront whether you will have to pay for this service, and try to work out why they have called you.
  • Do not click on any link on any website the caller gives you, even if it seems to be a well-known, trusted website.

In the end, if you feel you will never be deceived by these fake callers, at least try to raise awareness of such threats by letting your friends and family members know about them.

Cheers

Joining Forefront TMG to a Domain or Workgroup…

It has always been a big question whether the firewall protecting the network should be joined to the Active Directory domain or not, and there are many arguments around this topic. In this post I focus on Forefront Threat Management Gateway 2010 as our firewall and discuss the pros and cons of adding it to a domain or a workgroup.

Type of Installation: Domain-Member

PROS
  • More control over user access in forward and reverse proxy scenarios.
  • Group Policy settings can be applied to the TMG server from the central DC, hardening the server running our firewall.
  • Kerberos authentication can be used when publishing different servers, increasing security.
  • Support for authentication using client certificates as the main method of authentication.

CONS
  • If the TMG server is in the perimeter network, separated from the internal network by another firewall, more ports must be opened on that firewall to allow communication between the DC and the TMG.

Type of Installation: Workgroup-Member

PROS
  • If the firewall is compromised, the directory services might not be affected.
  • Even if Active Directory is compromised, the firewall might not be compromised because it isn’t part of the domain.

CONS
  • Domain users and accounts cannot be used in integration with the TMG.
  • Client certificates cannot be used as the main method of authentication.
  • User accounts are created on the firewall itself to allow intra-server communication.
  • Active Directory Group Policy is not supported.
  • TMG client authentication requires account mirroring on the TMG.

What I mentioned above is just a fairly simple comparison that can be found everywhere. Now I want to extend this discussion by first clarifying whether the domain controller and our AD environment will be at risk if we add the TMG to the domain and make it a domain member server. I personally believe that in a simple configuration, joining a TMG server to the domain could expose the network to some security risks, and depending on the attacker's knowledge there could be further attacks on the domain controller and on the other services.

This type of attack usually happens when there is only one layer of TMG firewall between the outside network and the internal network. In a two-level TMG firewall design, or what we call a back-to-back firewall design, we have more flexibility with the rules inside TMG: we can join the front-end TMG firewall to the domain so that we can use all the domain features for the clients connecting to it, and join our back-end TMG firewall to a workgroup. In this case, even if the front-end TMG is owned by an attacker, there is still a back-end TMG standing between the attacker and the main network and the DC.

The question that might come up here is that the back-end TMG still has some ports open so that the front-end TMG can communicate with the DC in the internal network, so is the back-end TMG useful at all? The answer is YES, it is useful: just opening a port on a firewall to let the authentication traffic through does not expose the network to a security risk, while the firewall can still stop many other types of attacks, so the back-end TMG can protect the whole network environment even if the front-end domain-member TMG is owned by the attacker.
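In the back-to-back design above, the only holes in the back-end TMG should be the ones the domain-member front-end needs to reach the DC. The following is an added PowerShell check (not from the original post or from TMG itself) that, run from the front-end TMG, reports which TCP ports the back-end firewall actually lets through; the DC name and both port lists are placeholders, and only TCP is tested (UDP Kerberos/DNS/NTP and the RPC dynamic range are not covered).

```powershell
# Added example (not from the original post or from TMG): run this from the
# front-end, domain-member TMG to confirm which TCP ports the back-end firewall
# actually lets through to the internal DC. Only the ports a domain member
# needs should be reachable; anything else that answers deserves a rule review.
# Assumptions: dc01.corp.local and both port lists are placeholders. Only TCP
# is tested; UDP (Kerberos, DNS, NTP) and the RPC dynamic range are not checked.
$DomainController = "dc01.corp.local"
$TimeoutMs        = 2000

# TCP ports a domain member needs to reach a DC.
$RequiredPorts = @{ 53 = "DNS"; 88 = "Kerberos"; 135 = "RPC endpoint mapper";
                    389 = "LDAP"; 445 = "SMB"; 464 = "Kerberos kpasswd";
                    636 = "LDAPS"; 3268 = "Global Catalog"; 3269 = "Global Catalog SSL" }

# Ports that should stay blocked from the perimeter (constructed examples).
$ForbiddenPorts = @{ 3389 = "RDP"; 5985 = "WinRM"; 1433 = "SQL Server" }

# TCP connect with a timeout; PowerShell 2.0 compatible (no Test-NetConnection).
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# Compare what is reachable against the expected policy; returns a list of findings.
function Test-BackEndFirewallPolicy {
    param([string]$Target, [hashtable]$Required, [hashtable]$Forbidden)
    $findings = @()
    foreach ($port in ($Required.Keys | Sort-Object)) {
        $open = Test-TcpPort -ComputerName $Target -Port $port -Timeout $TimeoutMs
        Write-Host ("{0,5} {1,-22} {2}" -f $port, $Required[$port], $(if ($open) { "open (expected)" } else { "BLOCKED" }))
        if (-not $open) { $findings += "required port $port ($($Required[$port])) is blocked" }
    }
    foreach ($port in ($Forbidden.Keys | Sort-Object)) {
        $open = Test-TcpPort -ComputerName $Target -Port $port -Timeout $TimeoutMs
        Write-Host ("{0,5} {1,-22} {2}" -f $port, $Forbidden[$port], $(if ($open) { "OPEN - review rule" } else { "blocked (expected)" }))
        if ($open) { $findings += "port $port ($($Forbidden[$port])) is reachable from the perimeter" }
    }
    return $findings
}

$issues = Test-BackEndFirewallPolicy -Target $DomainController -Required $RequiredPorts -Forbidden $ForbiddenPorts
if (-not $issues) { Write-Host "Back-end firewall rules match the expected policy." }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

A required port reported as BLOCKED means domain features on the front-end will break; a forbidden port reported as OPEN means the back-end rule set is wider than the design calls for.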

In this post I just tried to give you some insights. Whenever you are thinking of integrating any service, software or product with Active Directory, do not panic because of potential security risks; analyze the situation and what you want to implement, take every step carefully and consider even very small risks, and then maybe you will realize that integrating services and products with AD is not that scary…

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book. 


Cheers


Securing Branch Office Networks using RODCs

Nowadays networks are no longer limited to a single LAN connecting computers together. Companies are growing and so are their networks: companies have branch offices in remote locations, all connected through different types of network media. So networks are expanding at the speed of light.

Talking about branch offices, there are many challenges when configuring a network environment in a branch office, and a lot of things need to be considered. I would like to briefly describe three of these challenges here:

Cost Control: Reduce the cost of managing and supporting remote offices (including making most efficient use of network links).

Security: Improve Security of Data and Access.

Agility: Providing a flexible infrastructure that maximizes IT investment.

In this blog post I am only going to talk about security, as one of the most important concerns when implementing branch offices, and this note will mostly revolve around network environments implemented and configured on Microsoft systems.

One major component of Windows Server 2008 R2 that has a direct impact on securing your branch offices is the Read-Only Domain Controller (RODC).

As the name suggests, an RODC holds a read-only copy of the AD DS database, meaning that it requires only unidirectional replication for Active Directory, as well as for the File Replication Service (FRS) and Distributed File System Replication (DFSR).

This one-way replication brings along a security benefit. Any compromise or other issue that introduces poisoned data into the RODC’s local copy of the AD DS database cannot be replicated back to the rest of the domain controllers in the other locations from the affected RODC. This is certainly a mitigation that can help stop a local problem from becoming a global problem.

One-way replication brings benefits in terms of designing your replication topology and controlling replication traffic, as well. Bridgeheads and hubs do not have to poll the RODC for changes. The RODC performs normal inbound replication for AD DS and FRS and any DFSR changes.

Because the RODC is a member of the domain, sometimes it has a need to write to Active Directory. However, it does not write to the local database, but will instead connect to a writable domain controller, just like a workstation. The RODC computer account is a workstation account, so it has very limited rights to write to AD DS—again to minimize any damage to the enterprise AD DS if the RODC is compromised. Because they are “workstations” in this sense, RODC computer accounts are not members of the Enterprise Domain Controllers (EDC) or Domain Domain Controllers groups.

Administrative Role Separation:

With Role Separation you can delegate the local administrator role of an RODC computer to any domain user without granting that user any rights to the domain itself or to other domain controllers. In Windows Server 2003, DCs didn’t have a local administrator; if you could administer a DC, you could administer the whole domain.

Administrative Role Separation can allow a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver, without allowing that user to log on to any other domain controller or manage the domain.

All in all, RODCs provide a way to deploy domain controllers more securely in a branch office location, because they are designed to be placed in locations that require rapid, reliable and robust authentication services but that might also have a security limitation that limits or prevents deployment of a writable domain controller. With an RODC, organizations can mitigate the risks of deploying a domain controller in locations where physical security cannot be guaranteed.
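The following is an added PowerShell example, not from the original post, that verifies two of the points above on a branch RODC (its computer account is not a writable-DC account, and local administration can be delegated with Administrative Role Separation) and then sets the Password Replication Policy, which the post does not cover but is the RODC setting that limits what a stolen RODC can reveal. It assumes the Windows Server 2008 R2 ActiveDirectory module; RODC01, branch.admin and "Branch Users" are placeholder names.

```powershell
# Added example (not from the original post): harden and audit a branch RODC.
# Placeholders: RODC01, branch.admin and "Branch Users". Assumes the
# ActiveDirectory module (Windows Server 2008 R2 RSAT) and Domain Admin rights.
Import-Module ActiveDirectory

$RodcName    = "RODC01"
$BranchAdmin = "branch.admin"     # domain user who maintains the server locally
$BranchGroup = "Branch Users"     # accounts whose passwords may be cached on the RODC

$rodc = Get-ADDomainController -Identity $RodcName
if (-not $rodc.IsReadOnly) { throw "$RodcName is not an RODC" }

# 1. The RODC computer account is workstation-like: it must not be a member of
#    the writable "Domain Controllers" group (it belongs to "Read-only Domain
#    Controllers" instead), so a compromised RODC carries no DC-level rights.
$writableDcs = Get-ADGroupMember -Identity "Domain Controllers" | Select-Object -ExpandProperty Name
if ($writableDcs -contains $RodcName) {
    Write-Warning "$RodcName is a member of 'Domain Controllers' - investigate"
} else {
    Write-Host "OK: $RodcName is not a member of 'Domain Controllers'"
}

# 2. Administrative Role Separation: setting ManagedBy on the RODC computer
#    object makes that user a local administrator of this RODC only, with no
#    rights on the domain or on other domain controllers.
Set-ADComputer -Identity $rodc.ComputerObjectDN -ManagedBy (Get-ADUser -Identity $BranchAdmin)
Write-Host "Delegated local administration of $RodcName to $BranchAdmin"

# 3. Password Replication Policy: allow only branch accounts to be cached and
#    explicitly deny privileged groups (a Denied entry always wins over Allowed),
#    so a stolen RODC exposes branch credentials at most, never domain admins.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -AllowedList $BranchGroup
Add-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -DeniedList "Domain Admins", "Enterprise Admins"

# 4. Audit which credentials are currently cached on the RODC; anything outside
#    the branch population here is what you would have to reset after a theft.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
    Select-Object Name, ObjectClass | Format-Table -AutoSize
```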

Social Engineering, Still a Big Threat…

If you are working as a security engineer or analyst in a large enterprise, you probably have to constantly deal with a large number of different attacks threatening the network. One of those types of attacks is social engineering, which has taken on a new shape these days due to the complexity of relationships and the vast growth of social networking websites such as Facebook.

Social engineering, in its simplest definition, refers to the act of talking people into doing something without them even knowing that it harms the company or themselves. It is usually planned and carried out by hackers to find a way into big organizations' networks at the early stages of an attack. Even now, penetration tests performed by security engineers check the social vulnerability of the employees of the organization.

With this rapid increase in this type of attack, which is really difficult for security people to handle, we can see new kinds of social engineering attacks taking place, as I mentioned above. Hackers reach employees through social networking websites to achieve what they cannot achieve with the old methods of cracking. This is pretty much the easiest way an attacker can get into the network. For instance, phishing attacks using social networking websites, which can be called a kind of social engineering technique, jumped significantly from 8.3% in January 2010 to 84.5% in December, which pretty much shows their popularity among internet criminals.

But seriously what could be done to stop these attacks from happening?

This really depends on the level of awareness against these types of attacks among the employees. Before I go any further into this discussion, let me ask a question…

Which one would you prefer? Buying the latest and the most expensive Firewall appliances for your network or having regular seminars among the employees?

I am sure more than half would go for firewalls. No one would ever think that security starts with the very employee working inside the organization or company. Even a janitor can reveal a lot of information about a network. You might think it's silly, but it's true. Have you ever asked yourself who knows exactly who is on shift at work, who always checks the server room, or what time employees leave their rooms for a break? Yes, it's the janitor who sees and knows all of this… How easy do you think it is to get all this information from a janitor? 1 minute? 2 minutes? 15 minutes? Or maybe 1 hour when you treat him to a coffee…

Again, that might seem funny, but these are real-world threats even nowadays… Now that devices are so strong and sometimes unbreakable, hackers think of human mistakes and vulnerabilities instead. Yes, that's true… Here is a link to a roundtable video with two guests from Microsoft talking about social engineering threats.

Trust me guys… Hacking and penetration can be as simple as this… Go and think of the culture you need to create among the people in your company, and try to create awareness of any possible attacks…

Good luck

Encryption at Layer-2 or Layer-3 ??!

This is a question that often comes to mind: where do we need to apply encryption, and why? Do we need to apply it at layer-2, which is much more low-level, or at layer-3, where the Internet Protocol is defined?

Well, in today's world it is the speed of communication that everyone thinks of first, and on that point, encryption at layer-2 is the best option if you are sending data over a very fast network and do not want the flow of traffic to be slowed down by any means. Layer-2 encryption reduces the overhead required by layer-3 encryption protocols or protocol suites like IPsec and reduces CPU utilization on the devices applying it. Considering the widespread use of VoIP nowadays, and knowing that security and speed play very important roles in voice communications, layer-2 encryption will for sure be the best choice.

That said, layer-3 encryption is still well-suited to environments where you have low-bandwidth connections and really do not have devices that support encryption at layer-2. There are also situations where companies have offices around the world and it is no longer a matter of only a few devices but hundreds, so you need to consider the fact that encryption at layer-2 is on a hop-by-hop basis and not end-to-end, unlike layer-3.

Nowadays there are many devices supporting layer-2 encryption, and it is not like the past anymore: there is a standard for it, so there can be layer-2 encrypted communication between devices of different vendors. For instance, Cisco Catalyst switches (3560-X and 3750-X series) now support data-link layer encryption with IEEE 802.1AE (MACsec) and 802.1X-REV.

So if you think you need to apply encryption over your high-speed links, and security really matters to you as well as low latency and simplicity of management, you can for sure go for layer-2 encryption.

The Enhanced Mitigation Experience Toolkit (EMET)

In the previous posts of my blog we talked a little bit about security exploits, how they function and how to prevent attacks that use them. In this post I am excited to introduce a great toolkit offered by Microsoft to defend against exploitation of the system.

The tool is called the Enhanced Mitigation Experience Toolkit (EMET). It uses exploit mitigation techniques that make it very difficult for exploits to defeat the system. The protection applied by EMET does not guarantee that the system will not be exploited, but it makes exploitation as difficult as possible, even for exploits of 0-day vulnerabilities.

Working with EMET is pretty simple: download it from here, install it on your machine, choose the software you want it to protect (the software you believe is more likely to have a security vulnerability), and you are done. All of this is possible through the tool's GUI.

EMET is compatible with any software; it does not matter whether the software you want to protect is from Microsoft or not. Below is a screenshot of the toolkit's GUI:

You should definitely try this tool, as it is a must for every security engineer worried about the security of an environment with all that software installed on its servers, each piece of which could have security vulnerabilities putting the whole network and system at risk.

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book: 


Cheers