Techinsights 2011 SEA – Hey you… Stay away from my network…

Hi everyone,

This is right after my second session on the second day of Techinsights 2011 South East Asia here in Kuala Lumpur, Malaysia. The title of this session was Hey You.. Stay away from my network…

I uploaded the slides for you to download:

Cheers

Detecting Common Attacks using TMG Intrusion Detection

Apart from the complicated, advanced attacks that target a network every once in a while, there are common attacks that can be really troublesome. A lot of the time this happens because people believe their network does not contain any data important enough to be attacked; when an attack does occur they panic, because they did not expect it and in fact have nothing in place to stop this type of attack.

Forefront Threat Management Gateway 2010 includes an IDS (Intrusion Detection System) as one of its features, and it can detect many of these attacks. To access and configure this feature in TMG, go to Intrusion Prevention System, click Behavioral Intrusion Detection, and first click Configure Detection Settings for Common Network Attacks:

Here you see a list of different attack types; each one you check will be detected, and a log entry will be created for it in the Monitoring section of TMG. For instance, if you check Port Scan, you can specify how many ports must be scanned before TMG considers the traffic a port scan attack and logs it.

In the other tab, we can also detect different types of attacks against the DNS service:

Coming back to the Behavioral Intrusion Detection tab in TMG, you can also click Configure IP Options Filtering to filter specific IP options that may be included in an IP packet's header. Most IP options in the packet header are harmless, but some of them can indicate malicious traffic and must be checked. They are shown in the picture below. If any traffic contains these options in the packet header, it will be dropped when you select Deny packets with the selected IP options.

Under the other tab, called IP Fragment, you can block IP fragments. This blocks the kind of traffic generated by applications that fragment packets so that they are not detected by the firewall. Keep in mind, however, that if you enable blocking of IP fragments you may also block legitimate traffic such as L2TP, which is pretty common in every network that has remote users.

Again under Behavioral Intrusion Detection in TMG, if you click Configure Flood Mitigation Settings you will be able to detect and block flood attacks, both those aimed at TMG itself and those aimed at the network behind it. Using this feature you specify, for each connection type, the number of connections allowed to a host; if there are more requests than that, the traffic is detected as a flood attack and denied. You can click Edit to configure the settings for any of the connection types:
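To make the two threshold-based checks described above concrete (the Port Scan setting with its "number of ports" threshold, and the per-host connection limits of flood mitigation), here is an added Python model that is not TMG's code and not from the original post. It runs both checks over constructed firewall log lines in an assumed "timestamp proto src dst dport" format; the thresholds, the one-minute sliding window and the sample traffic are all assumptions for the example. It also shows the case the thresholds do not cover: a slow scan spread over many minutes never accumulates enough distinct ports inside the window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"
PORT_SCAN_THRESHOLD = 10         # distinct destination ports per source/host pair (assumed value)
FLOOD_LIMIT = 5                  # connections per source and protocol (assumed value)
WINDOW = timedelta(minutes=1)    # sliding window for both counters (assumed value)


def _lines(src, dst, proto, ports, start, step_seconds):
    """Build constructed log lines 'timestamp proto src dst dport' for the sample."""
    return [
        f"{(start + timedelta(seconds=i * step_seconds)).strftime(FMT)} {proto} {src} {dst} {port}"
        for i, port in enumerate(ports)
    ]


BASE = datetime(2011, 6, 1, 9, 0, 0)
# Constructed sample traffic, all towards one internal host.
SAMPLE_LOG = (
    _lines("10.0.0.5", "192.168.1.10", "TCP", range(20, 32), BASE, 1)      # 12 ports in 11 s: fast scan
    + _lines("10.0.0.7", "192.168.1.10", "UDP", [53] * 6, BASE, 5)         # 6 UDP connections in 25 s: flood
    + _lines("10.0.0.9", "192.168.1.10", "TCP", range(20, 32), BASE, 120)  # 12 ports over 22 min: slow scan
    + _lines("10.0.0.8", "192.168.1.10", "TCP", [80, 443], BASE, 1)        # ordinary web traffic
)


def parse_line(line):
    ts, proto, src, dst, dport = line.split()
    return datetime.strptime(ts, FMT), proto, src, dst, int(dport)


def detect(lines, scan_threshold=PORT_SCAN_THRESHOLD, flood_limit=FLOOD_LIMIT, window=WINDOW):
    """Return (kind, src, target, count) alerts; at most one alert per kind and source/target."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    scan_hist = defaultdict(deque)    # (src, dst)   -> (ts, dport) entries inside the window
    flood_hist = defaultdict(deque)   # (src, proto) -> timestamps inside the window
    alerts, flagged = [], set()
    for ts, proto, src, dst, dport in events:
        # Port scan: distinct ports this source touched on this host within the window.
        q = scan_hist[(src, dst)]
        q.append((ts, dport))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > scan_threshold and ("port_scan", src, dst) not in flagged:
            flagged.add(("port_scan", src, dst))
            alerts.append(("port_scan", src, dst, len(distinct)))
        # Flood: connections of one protocol from this source within the window.
        f = flood_hist[(src, proto)]
        f.append(ts)
        while ts - f[0] > window:
            f.popleft()
        if len(f) > flood_limit and ("flood", src, proto) not in flagged:
            flagged.add(("flood", src, proto))
            alerts.append(("flood", src, proto, len(f)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Note that the fast scanner from 10.0.0.5 trips the TCP connection limit as well as the port-scan threshold, while the slow scanner from 10.0.0.9 trips neither; that is why the detection settings are a floor, not a replacement for reviewing the logs.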

After all this configuration, any traffic detected as an attack will be logged under the Monitoring section in TMG and will be visible under Alerts. Once you know the source of the attack, you can easily block it using the firewall feature if it is not already blocked by default.

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:

To get more information about the book click on the book below:


Cheers

Security Dependencies

To me, systems security is not all about configuration; it is mostly about design. Staying away from attacks and keeping the environment safe depends largely on how the security engineer designs a system. Many things play important roles in bringing security to systems, and one of the most important, deserving a great deal of attention, is security dependencies.

A security dependency occurs when the security of one system depends on the security of another system. This is the case in almost all networks, given all the integrated systems deployed in them. Take Active Directory for instance. In an AD environment there are many different services that are authenticated and authorized by the Domain Controller. What does that mean? It simply means that the security of all the systems running those services depends on the security of the Domain Controller. Once the DC is hacked, the whole network, with all the services that depend on the DC, is in danger.

This way of thinking gives the security designer a very good view of their design. They know what they need to begin the design with, exactly what kind of data must be stored on each server, and how that data is going to be used by the other servers. Clarifying things this way gives the designer a better view of how to relate services and servers.

We generally have two types of dependencies:

Acceptable dependency: In this type of dependency, a less sensitive service or server is dependent on a more sensitive server or service. For example the security of a client PC is dependent on the security of a DC in an AD network.

Unacceptable dependency: In this type of dependency, a more sensitive service or server is dependent on a less sensitive server or service. As a simple example, take a DC running Windows Server 2008 R2 in a part of the network that is protected by another server running Windows Server 2003 with Routing and Remote Access Service and a basic firewall. This is where we should think again about our design:

Should we run the AD database on a Windows Server 2008 R2 server and protect it from the outside attacks using a Windows Server 2003 or the other way around???!!!

Or maybe we should go ahead with a totally different design by adding another Windows Server 2008 R2 to the network.

Thinking about virtualization technologies, we arrive at the same point: all the virtual machines (VMs) depend on the security of the hypervisor. With a basic configuration of Hyper-V the whole virtualized environment could be exposed to attacks, and once the host is hacked the VMs are at risk. Yet again, there are ways to change this kind of dependency and mitigate the attacks; in this post I have explained one of those ways.

All in all, security dependencies always exist in our networks and systems; what really matters is the level of dependency and seeing exactly what depends on what. In situations where we have to make a choice, it is very important to analyze the different options we have and, if there is no way to eliminate the dependency altogether, choose the one that makes the less sensitive server dependent on the more sensitive one.
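The acceptable/unacceptable rule above, and the "once the DC is hacked" and hypervisor observations, can be checked mechanically once each system has a sensitivity level and a list of what it depends on. The following Python is an added example, not code from the original post; the host names, sensitivity scale (1 = least sensitive, 3 = most sensitive) and dependency list are a constructed inventory modelled on the post's DC-behind-a-2003-RRAS scenario and the Hyper-V case.

```python
# Constructed inventory (assumption for the example). Sensitivity: 1 low, 2 medium, 3 high.
# "depends_on" lists the systems whose compromise would compromise this one.
SYSTEMS = {
    "DC01":      {"sensitivity": 3, "depends_on": ["RRAS-2003", "HV01"]},  # DC VM behind an old RRAS box
    "RRAS-2003": {"sensitivity": 1, "depends_on": []},                    # Windows Server 2003 edge box
    "HV01":      {"sensitivity": 3, "depends_on": []},                    # Hyper-V host running DC01/FILE01
    "FILE01":    {"sensitivity": 2, "depends_on": ["DC01", "HV01"]},      # file server VM, domain member
    "PC-042":    {"sensitivity": 1, "depends_on": ["DC01"]},              # domain-joined client
}


def classify(systems):
    """Split every edge into acceptable (depends on something at least as sensitive)
    and unacceptable (a more sensitive system depends on a less sensitive one)."""
    acceptable, unacceptable = [], []
    for name, info in systems.items():
        for dep in info["depends_on"]:
            edge = (name, dep)
            if systems[dep]["sensitivity"] >= info["sensitivity"]:
                acceptable.append(edge)
            else:
                unacceptable.append(edge)
    return acceptable, unacceptable


def blast_radius(systems, compromised):
    """Everything that transitively depends on `compromised` and is therefore at risk."""
    at_risk, frontier = set(), [compromised]
    while frontier:
        current = frontier.pop()
        for name, info in systems.items():
            if current in info["depends_on"] and name not in at_risk:
                at_risk.add(name)
                frontier.append(name)
    return at_risk


def effective_sensitivity_needed(systems, name):
    """The sensitivity a system must be protected to: its own, or the highest of
    anything that depends on it, whichever is greater. Useful when deciding
    whether to harden the dependency or redesign around it."""
    return max([systems[name]["sensitivity"]] +
               [systems[d]["sensitivity"] for d in blast_radius(systems, name)])


if __name__ == "__main__":
    ok, bad = classify(SYSTEMS)
    print("unacceptable dependencies:", bad)
    print("at risk if RRAS-2003 falls:", sorted(blast_radius(SYSTEMS, "RRAS-2003")))
    print("RRAS-2003 must be protected to level", effective_sensitivity_needed(SYSTEMS, "RRAS-2003"))
```

The one unacceptable edge is the DC depending on the 2003 RRAS box, and the blast radius shows why it matters: compromising that low-sensitivity edge box reaches the DC and, through it, every domain member. The same computation for HV01 reproduces the hypervisor point: every VM on it is in its blast radius, so the host must be protected at the level of the most sensitive guest.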

Cheers

The Enhanced Mitigation Experience Toolkit (EMET)

In previous posts on my blog we talked a little about security exploits, how they function, and how to prevent attacks that use them. In this post I am excited to introduce a great toolkit offered by Microsoft to defend against exploitation of the system.

The tool is called the Enhanced Mitigation Experience Toolkit (EMET). It applies exploit mitigation techniques that make it very difficult for exploits to defeat the system. The protection applied by EMET does not guarantee that the system cannot be exploited, but it makes exploitation as difficult as possible, even for exploits of 0-day vulnerabilities.

Working with EMET is pretty simple: download it from here, install it on your machine, choose the software you want it to protect (the software you believe is most likely to have a security vulnerability), and you are done. All of this is done through the tool's GUI.

EMET is compatible with any software; it does not matter whether the software you want to protect is from Microsoft or not. Below is a screenshot of the toolkit's GUI:

You should definitely try this tool. It is a must for every security engineer who worries about the security of an environment full of software installed on servers, any of which could have a security vulnerability that puts the whole network and system at risk.


Cheers

Possible Attacks on Windows and Countermeasures – Part 2

In the previous post I talked about password cracking and how you can protect against those attacks. In this article I want to explore another type of attack:

Buffer Overflow Attacks:

This is a very common type of attack against an operating system (not necessarily Windows), made possible by a security vulnerability either inside the operating system itself or in the applications installed on top of it. Probably the reason it is so common is that security bugs in the software and applications running on the OS can also open a security hole in the OS.

What is buffer overflow vulnerability?

This happens when data copied into a memory buffer is larger than the buffer, making it overflow. The problem is mostly seen in applications written in the C and C++ programming languages, which offer no built-in protection against accessing or overwriting data in any part of memory.

This problem can allow a hacker to execute malicious code, even remotely, on the OS and thereby gain access to it.

When a buffer overflow security hole is found, a security advisory is usually released on the OS or software vendor's website. To my way of thinking, such a security advisory has both advantages and disadvantages.

The advantage is that users become more aware of the security vulnerabilities in their OS or software and can plan better for protection, using their firewalls to close specific ports or even disconnecting a specific computer from the Internet. I have written a separate article about this that you can read here.

The disadvantage is that hackers also become aware of such vulnerabilities and begin writing malicious exploits for the security bug so that they can take advantage of it to access affected systems. But what are exploits?

Exploits are programs written with malicious intent to take advantage of a security vulnerability. There are two general types. Remote exploits can be run remotely against a server that has the vulnerability. Local exploits are run locally, when the hacker already has some limited access to a machine, to escalate his permissions and get full access to the system.

If the vulnerability is critical and is found in a popular OS like Windows or in other common software, worms may be written for it. Worms are exploits with the additional capability to scan the network, search for other machines with the same security problem, penetrate them, and keep spreading.

Solution:

It is really difficult to say how to protect against these attacks, since so many applications are installed on the OS and any of them could cause such a problem, but the best practice is to keep your computer up to date by enabling automatic updates in Windows.

There is also a very good feature in Windows called DEP (Data Execution Prevention) that should be turned on. It protects your computer against this type of attack by monitoring programs to make sure they use memory safely. If DEP sees that a program is trying to run instructions from a portion of memory reserved for data, DEP closes the program and notifies you.

You can turn it on from System Properties -> Advanced System Settings -> Performance Settings -> Data Execution Prevention by enabling "Turn on DEP for essential Windows programs and services only".


Hope you enjoyed it

Cheers


Possible Attacks on Windows and Countermeasures – Part 1

It has been a great week with so much news in the world of security, both in the real world and in the virtual world, of course. Today I decided to begin writing a series of articles about possible attacks on Windows operating systems, client and server, including the latest ones such as Windows 7 and Windows Server 2008 R2, and their countermeasures.

In this series I will try to put a little of my experience into words and explain, in simple terms, the different hacking techniques attackers use to penetrate your network. I will start with the most common ones and work up to the most advanced, such as those causing millions of dollars in losses; then I will dig into the different ways of defending against these techniques and show you how to keep your network services and servers secure against them.

Password Cracking Attacks:

This is one of the most common types of attack, used at least once by every attacker. It always seems the dumbest, but honestly it has proven to be one of the most effective ways into somebody's computer if it is not protected against such attacks.

This type of cracking has a pretty long history, and I really cannot count the number of password cracking tools developed by different hacking groups or even by security companies. The only difference between the two is that the latter believe their software is intended only for so-called Ethical Hacking, but who knows what is actually being done with those tools.

There are different ways to perform password cracking, of which brute force attacks are the most popular. Brute forcing is simply finding a computer's password by trying different combinations of letters, numbers and symbols. The time required depends on the complexity of the password: the more complex the password, the longer it takes to crack.

A single computer can try from one to fifteen million passwords per second against a password hash (that is true) for weaker algorithms like DES (which is still very commonly used), using a fairly good password cracking tool. If, let's say, you choose an 8-character password of letters (both cases), numbers and symbols, we could say it would take something like 16 minutes to crack. So you feel pretty unsafe, huh?

Attackers nowadays can easily find pre-computed password hashes for different algorithms, stored in database files called Rainbow Tables, and it takes a matter of minutes to crack almost any password in a network.

Other techniques are used as well, such as dictionary or word-list attacks, which are usually tried before brute force to guess the user's password in case the user has chosen a common dictionary word, something like 123456, or anything of that kind.

L0pht Crack:

One of the most famous password cracking tools is L0pht Crack, developed by a famous group of expert hackers called L0pht, who officially joined @stake, which was itself later acquired by Symantec Corporation. You can download the latest version of L0pht Crack from their website. Below is a screenshot of the tool:

Any operating system can be the target of this tool, even Windows Server 2008 R2, and it runs well on almost any operating system to target the other hosts on the network. You can get more information on their website.

John the Ripper:

John the Ripper is another well-known name among password cracking tools. It was first developed to run on Unix-based operating systems, but now it supports Windows as well. You can download this tool from their website.

John the Ripper truly is one of the fastest password cracking tools I have ever seen. It is being used by a lot of penetration testers and of course hackers every day.

Countermeasures:

Protecting your network against password cracking depends entirely on the policies applied to your network, servers and clients. Whether you operate a very small workgroup of computers or a big domain network, you should have policies, and more specifically account and password policies.

Password policies are defined in Group Policy in Windows and Active Directory. So open the Group Policy Editor, either locally (by typing gpedit.msc in the Run dialog) or on the domain using the Group Policy Management console, and go to:

Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy

Below you can see a screenshot of the password policies settings:

Now let’s go one by one with what they mean:

Enforce Password History: You set how many previous passwords are stored in the history for each user. If we set this number to 10, the user is not able to choose any of their past 10 passwords as the new password.

Maximum Password Age: The maximum time a user can keep a password; when it expires, they must change it. You can use it to force users to change their passwords every now and then.

Minimum Password Age: The minimum time a password must be used before the user can change it. You can use it to stop users from changing their passwords every hour.

Minimum Password Length: The number of characters that a user must have in a password. Do not let it be less than 8.

Password must meet complexity requirements: You can decide whether or not you want to force the user to choose a password including letters (Both cases), numbers and symbols. You must definitely enable it.

Store passwords using reversible encryption: Leave it disabled. It is needed only by a few rarely used protocols, and enabling it is equivalent to storing the passwords in plain text.
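To show how the Enforce Password History, Minimum Password Length and complexity settings combine when a user submits a new password, here is an added Python model; it is not Windows code and not from the original post. The complexity check follows the documented Windows rule (at least six characters, no part of the account or full name longer than two characters, and characters from at least three of five categories); the policy values, the sample user and the previous passwords are constructed, and the history is compared by SHA-256 only so the example does not keep clear-text passwords in a list (Windows keeps its own hashed history, not SHA-256).

```python
import re
from dataclasses import dataclass
from hashlib import sha256


@dataclass
class PasswordPolicy:
    history_length: int = 10     # Enforce Password History (assumed value)
    min_length: int = 8          # Minimum Password Length (assumed value, post says not below 8)
    complexity: bool = True      # Password must meet complexity requirements


def history_hash(password):
    """Stand-in for the stored history entry; SHA-256 is used here only for the example."""
    return sha256(password.encode("utf-8")).hexdigest()


def complexity_categories(password):
    """Count the five Windows character categories present in the password."""
    upper = any(c.isupper() for c in password)
    lower = any(c.islower() for c in password)
    digit = any(c.isdigit() for c in password)
    symbol = any(not c.isalnum() for c in password)
    other_alpha = any(c.isalpha() and not c.isupper() and not c.islower() for c in password)
    return sum([upper, lower, digit, symbol, other_alpha])


def contains_name_part(password, account_name, full_name):
    """True if the password contains the account name or any full-name token longer than 2 chars."""
    low = password.lower()
    if account_name and account_name.lower() in low:
        return True
    for part in re.split(r"[\s,.\-_#\t]+", full_name or ""):
        if len(part) > 2 and part.lower() in low:
            return True
    return False


def check_password(password, account_name, full_name, history, policy):
    """Return the list of policy violations for a proposed new password (empty means accepted)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.complexity:
        if len(password) < 6:
            problems.append("shorter than the 6 characters complexity requires")
        if contains_name_part(password, account_name, full_name):
            problems.append("contains the account name or part of the full name")
        if complexity_categories(password) < 3:
            problems.append("fewer than 3 of the 5 character categories")
    if history_hash(password) in history[-policy.history_length:]:
        problems.append(f"reused within the last {policy.history_length} passwords")
    return problems


# Constructed sample user and history for the example.
SAMPLE_HISTORY = [history_hash(p) for p in ["Winter2010!", "Spring2011!"]]

if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ["Spring2011!", "short1!", "JohnDoe2011!", "password", "Correct-Horse-9"]:
        print(candidate, "->", check_password(candidate, "jdoe", "John Doe", SAMPLE_HISTORY, policy) or "accepted")
```

Note that "password" passes the 8-character minimum and still fails, and "JohnDoe2011!" has plenty of categories and still fails: the complexity rule is what rejects the weak choices that length alone lets through, which is why the post says to enable it.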

The other settings you need to configure are the Account Lockout policies, which matter even more if you want to protect against brute force attacks:

So in order to access the policies you need to open the Group Policy Editor and go to this address:

Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policies

Account Lockout Duration: How long you want the account to stay locked out after the configured number of invalid logon attempts.

Account Lockout Threshold: How many invalid logon attempts are needed to lock the account. If you set it, password cracking tools cannot try millions of passwords against your computer, since the account gets locked.

Reset Account Lockout Counter After: If you set it to 30 minutes, for example, then the account gets locked when more than 4 invalid logon attempts are made within 30 minutes. If it takes more than 30 minutes to reach the number of invalid logon attempts specified in the previous setting, the account does not get locked and the policy does not apply, so you must be really careful when defining your policies.

Usually 30 minutes is best, since it can block all kinds of password cracking tools, even the slowest ones.
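The interaction of the three lockout settings, and the gap the post warns about (attempts spaced further apart than the reset window never lock the account), is easiest to see by simulating it. The following Python is an added example, not Windows code and not from the original post; it models the counter semantics documented for these settings (the bad-password counter returns to zero once the reset interval has passed since the last bad attempt, and a locked account refuses even the correct password until the duration expires). The sample password, guess timings and policy values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LockoutPolicy:
    threshold: int = 5                               # Account Lockout Threshold (assumed value)
    duration: timedelta = timedelta(minutes=30)      # Account Lockout Duration (assumed value)
    reset_after: timedelta = timedelta(minutes=30)   # Reset Account Lockout Counter After (assumed value)


class Account:
    """Minimal model of one account's bad-password counter under a LockoutPolicy."""

    def __init__(self, password, policy):
        self.password = password
        self.policy = policy
        self.bad_count = 0
        self.last_bad = None
        self.locked_until = None

    def try_logon(self, attempt, now):
        p = self.policy
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"          # even the right password is refused while locked
            self.locked_until, self.bad_count = None, 0
        # The counter resets once reset_after has passed since the last bad attempt.
        if self.last_bad is not None and now - self.last_bad > p.reset_after:
            self.bad_count = 0
        if attempt == self.password:
            self.bad_count = 0
            return "ok"
        self.bad_count += 1
        self.last_bad = now
        if self.bad_count >= p.threshold:
            self.locked_until = now + p.duration
            return "locked"
        return "bad_password"


def simulate_guessing(interval, attempts, policy=None):
    """Feed wrong guesses at a fixed interval and return the outcome of each attempt."""
    policy = policy or LockoutPolicy()
    acct = Account("correct horse battery", policy)   # constructed sample account
    start = datetime(2011, 6, 1, 9, 0, 0)
    return [acct.try_logon(f"guess{i}", start + i * interval) for i in range(attempts)]


def max_guesses_per_day(policy):
    """Rough upper bound on wrong guesses an attacker can make without ever locking the account:
    (threshold - 1) guesses, then wait out the reset interval, repeated over a day."""
    windows_per_day = timedelta(days=1) / policy.reset_after
    return int((policy.threshold - 1) * windows_per_day)


if __name__ == "__main__":
    print("fast guessing:", simulate_guessing(timedelta(seconds=1), 8))
    print("one guess every 31 min:", simulate_guessing(timedelta(minutes=31), 20))
    print("guesses/day without lockout:", max_guesses_per_day(LockoutPolicy()))
```

With threshold 5 and a 30-minute reset, a tool that guesses once every 31 minutes never locks the account, but it is limited to roughly 192 guesses per day instead of the millions per second the post mentions; that reduction, not an absolute block, is what the lockout settings buy you, and it is why the logs of failed logons still need watching.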

Here we come to the end of this first article, and I hope you liked it. If you have any questions, please leave me a comment and I will answer in almost no time.


Cheers

Security from the Inception !!!

Experience shows that consumers, whether ordinary people using their computers for everyday tasks or even experienced network administrators, are never very open to security updates. Talking to many network admins about security updates, and especially about Service Packs for operating systems (which do not necessarily contain only security updates), especially Windows Server, most of them did not show much interest in installing certain updates and service packs, for several reasons:

  • They thought of some of the security updates as unnecessary
  • Some of them believed it is too risky to install some of the updates, fearing a possible service outage; some also believed certain hotfixes and security patches are incompatible with other services and could create problems
  • They mostly considered service packs unnecessary, reasoning that they had already installed the hotfixes they needed and the rest of what a service pack contains is unnecessary
In my own experience I've always seen people hit by a pretty famous Internet worm like Sasser, and even after that they were looking for some virus removal tool to get them out of trouble rather than a security patch, unaware of the fact that anti-virus software can not stop a worm from functioning.

So you can see that the security people at Microsoft are on a very difficult road to educate all those users and admins and convince them that patching a system is the best thing every user can do to stay safe on the Internet. But here comes another concept, called Security from the Inception, which says that instead of going through all these difficulties of educating users, which seems nearly impossible at times, a much better approach is to secure the code of the products by applying the SDL (Security Development Lifecycle) from the beginning of a product's development. That is how we can reduce the impact of security vulnerabilities missed during the software development process.

Right now Microsoft is on the right track to developing more secure code simply by applying the SDL, as we can see fewer security vulnerabilities in its products.
Cheers
Esmaeil

How to plan in advance for security updates !!!

If you have some years of experience in the field of information security, you must have seen a couple of famous Internet worms hit your network and cause damage to your environment. Many network or security administrators remember to patch their network only once they have been hit by attackers or worms, and honestly speaking that is terrible for a security guy.

The Microsoft Security Bulletin Advance Notification, released every month, is intended to let security people plan 3 days ahead of the release of Microsoft security updates. The Advance Notification includes information about:

  • The number of new security updates
  • The software affected
  • The severity levels of the vulnerabilities
  • Information about any detection tools relevant to the updates

Now the question is, what can a security admin do with all this information?

Before I answer this question, let me take you through how a worm or an exploit is created. Websites like Security Focus, Secunia and many more publish security advisories about the most recent security vulnerabilities in different software. Since Microsoft is a big company with a lot of software, some of these vulnerabilities, of varying severity, are found in Microsoft software and operating systems.

So what hackers do is check these websites every day, find the critical security bugs and write exploits or worms for them. The Microsoft Security Response Center releases security updates for all those vulnerabilities once a month (on the second Tuesday of the month), so hackers tend to stay ahead, writing the exploits and worms and releasing them onto the Internet before the updates are out. Since writing a worm is not a quick process, and a pretty advanced one can take weeks, there are usually some days left for a security admin to take action.

What could that action be?

  1. Check the Microsoft Security Bulletin Advance Notification 3 days before the updates are out.
  2. Check whether any of the affected operating systems and software is present in your network environment.
  3. Check whether any of them sits in a critical part of your network, such as the network edge.
  4. If they do, the security risk is critical (High) and the vulnerability is a Denial of Service vulnerability, you could place a firewall between the affected server and the Internet. If you have a virtual edge and DMZ, this is done more easily since it is more dynamic. (Check out this blog post of mine.)
  5. If the vulnerability is critical but it is a buffer overflow or another kind of vulnerability, you need to go deeper and see which port or which service on the server causes the security problem, and then filter the port or disable the service if doing so does not disrupt the network.
  6. Keep an eye on the log files of the affected servers and services, and enable alerting so that you are aware of any attacks.

You should take this advice seriously if you want to stay safe against any possible attack. Remember that prevention is always better than cure.
Best Wishes
Esmaeil