<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" 
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
    xmlns:admin="http://webns.net/mvcb/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd">
	<channel>
<title>Enclave Forensics RSS Feed</title><link>http://www.enclaveforensics.com/index.html</link><description>Thinking Outside Of The Box</description><dc:language>en</dc:language><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><dc:rights>Copyright 2008 David Hoelzer &#x26; Enclave Forensics&#x2c; all rights reserved</dc:rights><dc:date>2008-11-13T10:56:56-08:00</dc:date><admin:generatorAgent rdf:resource="http://www.realmacsoftware.com/" />
<admin:errorReportsTo rdf:resource="mailto:dhoelzer@enclaveforensics.com" /><sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<sy:updateBase>2000-01-01T12:00+00:00</sy:updateBase>
<lastBuildDate>Tue, 18 Nov 2008 08:52:38 -0800</lastBuildDate><item><title>SANS CDI East</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Conferences</category><category>Auditing</category><dc:date>2008-11-13T10:56:56-08:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/9ac84c43b694739265f519242b1f76d0-17.html#unique-entry-id-17</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/9ac84c43b694739265f519242b1f76d0-17.html#unique-entry-id-17</guid><content:encoded><![CDATA[One thing that almost every one of them has in common is that they&rsquo;re top notch people trying to help organizations to control risks but they often feel that they are really missing something on the technical end.  

...The entire thrust of this six-day hands-on course is to give an auditor the technical know-how that he or she needs to ask the right questions, know what the answers should be and even be in a position to create a world-class information assurance and compliance management framework in the enterprise.  

...Day one of the class gives you hands-on practical risk assessment strategies that can be applied immediately to your audit practice upon returning to the office.    On this day we also spend time helping to give you the non-technical tools that you need to better communicate your findings.    Perhaps most importantly we spend time assisting you to learn how to better communicate with those being audited and how to effectively convince them to willingly comply with policies and procedures.  

...You will leave the class with tools and techniques that can be immediately applied to your organization the day that you get back to the office.    You will also have performed and know how to perform a technical validation of a firewall or router rulebase, allowing you to provide complete assurance when it comes to the functioning of these systems in your enterprise.    You will also know how to determine whether or not your network is architected to properly support the information security requirements of your organization.


Day four of the class is everything that you need to know to perform technical audits and validations of web applications.    Web applications are one of the most important applications that we have in our organizations when it comes to marketing and visibility, but these are also the number one cause of compromises in our networks and systems today.  

...Day five is spent focused on Windows technologies with special emphasis on XP, 2003 and Vista and how to audit these as stand-alone systems as well as domain level auditing.    Day six is spent doing in-depth auditing of UNIX based systems with special emphasis on how to create automated scripts to automatically perform periodic validations and to help administrators to ensure that their systems are remaining secure over time.
]]></content:encoded></item><item><title>Training Videos</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Training</category><category>Security</category><category>PCI</category><category>Auditing</category><category>Web Applications</category><category>Videos</category><dc:date>2008-11-12T00:05:17-08:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/75f3fa6c9f170816c24f76504ed86f2b-16.html#unique-entry-id-16</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/75f3fa6c9f170816c24f76504ed86f2b-16.html#unique-entry-id-16</guid><content:encoded><![CDATA[You may want to start checking back more often!    As you may have noticed over on the right hand side, we&rsquo;ve added a Video section!    In this section we will be hosting a variety of demonstration and training videos created by EnclaveForensics staff.    For instance, our first video went live yesterday, a twenty minute quick introduction to the WebScarab tool with a demonstration of just a few of its functions.


Over the next days and weeks keep your eyes peeled for video tutorials on topics such as iPhone programming, demonstrations of the free/open source DAD log monitoring and alerting tool and more!]]></content:encoded></item><item><title>Attacking Applications</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Web Applications</category><category>PCI</category><category>Auditing</category><category>Security</category><category>Penetration Testing</category><dc:date>2008-11-11T14:58:08-08:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/e949ed030395c8a776dab3291361fe1b-15.html#unique-entry-id-15</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/e949ed030395c8a776dab3291361fe1b-15.html#unique-entry-id-15</guid><content:encoded><![CDATA[I&rsquo;ve been teaching for The SANS Institute for just about ten years now.    In that time I&rsquo;ve seen dramatic changes in the information security industry, some of which have been the direct result of the diligent efforts of SANS and the associated power of the GIAC certification.


Just as the state of information security practice has improved we&rsquo;ve also seen a tremendous leap in sophistication on the part of attackers.    Techniques that used to require you to be &ldquo;in the know&rdquo; and that were only understood by an elite few have been embedded into easy-to-use point-and-click tools today!    For instance, just a few years ago it would have required a significant level of sophistication to effectively perform a blind SQL exploit against a vulnerable application.    Today there are easy-to-use tools with graphical interfaces that will both find the vulnerabilities and exploit them without the user really needing to know what&rsquo;s happening!


One of the things that security practitioners absolutely must be able to do these days is effectively assess the security of a web application.    You have probably noticed that the number of new vulnerabilities in web applications discovered daily or weekly is astounding, far outstripping the number of problems found in the more traditional places (like operating systems and services!).


To give you a quick idea of what&rsquo;s involved we&rsquo;ve prepared a short demonstration video on the use of WebScarab, a fantastic tool available at no cost from OWASP.    In the video we briefly discuss how to configure the proxy, how the proxy operates, how to do some very basic injection testing and finally a quick demonstration of how to use the Session ID Analysis module.    If you need more information, please feel free to contact us or SANS to investigate the training that your people need to perform effective testing using this and other tools.


<object width="425" height="350"> <param name="movie" value="http://www.youtube.com/v/W5ppj2LnHXM"> </param> <embed src="http://www.youtube.com/v/W5ppj2LnHXM" type="application/x-shockwave-flash" width="425" height="350"> </embed> </object>
]]></content:encoded></item><item><title>PCI Testing Suite</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>PCI</category><category>Security</category><dc:date>2008-09-12T19:01:09-07:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/1a566ba949d0b0aa60b7f7043356c945-14.html#unique-entry-id-14</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/1a566ba949d0b0aa60b7f7043356c945-14.html#unique-entry-id-14</guid><content:encoded><![CDATA[Several of our clients are required to be PCI compliant.    The truly frightening thing is that several of these customers have successfully passed the audit requirements conducted by a designated QSA or ASV yet even a cursory look reveals that their systems and environment are clearly non-compliant!


These customers have been left with a false sense of security and, in the end, will be holding the bag when it comes to a damaged reputation and perhaps liability if PCI data is compromised.    What can be done, and what can a QSA do to improve his practice?


From before the time that the original VISA Digital Dozen was shown to us while still in draft form we have had the tools in place to perform the requisite testing.    In fact, the original drafters of the Digital Dozen actually attended one of our courses!    The influence of the course, especially in the area of firewall configuration and security, is quite clear.


To assist in creating a technically repeatable and accurate test for the major technical requirements in the standard we have made available a suite of scripts that can be used in combination with Nmap, Nemesis, Nessus and OpenSSL to automatically score most of the technical controls required by PCI.    The tools are available as a free download at the bottom of this page.


You are welcome to use these scripts at no charge.    If you&rsquo;re looking for a way to really learn what the requirements are, how to implement them and how to effectively use these and other tools for self-assessment we strongly recommend that you have a look at the SANS Institute course that we wrote for this purpose.    You may also be interested in our course for Web Application Developers to satisfy the PCI requirement for &ldquo;evidence of a training program&rdquo; for techniques in secure coding.
]]></content:encoded></item><item><title>Log Aggregation &#x26; Management</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Security</category><category>Research</category><category>Compliance</category><dc:date>2008-07-12T19:06:47-07:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/a9b568115051c0c6e6e49a2d9f6e3541-13.html#unique-entry-id-13</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/a9b568115051c0c6e6e49a2d9f6e3541-13.html#unique-entry-id-13</guid><content:encoded><![CDATA[The reason that everyone&rsquo;s concerned about aggregating logs is that there are suddenly a number of legal and industry requirements that deal with log management and alerting.  

...While this is all true, until the advent of Vista and 2008 there was no easy way to subscribe to or aggregate the events from several systems into one location.    Even if you surmount this problem there are other issues, most notably how to correlate events for users across the enterprise since there is no consistent marker in the events from one machine to another that will distinguish users.  ...  Let&rsquo;s see what we can do about getting the logs into one place and reporting on them.


...The most common comment from people in the trenches who are using these tools, though, is that they all looked good on paper but they don&rsquo;t seem to perform quite as reliably as the salesman said that they would.  ...  We need to be sure that we can never be accused of stealing someone&rsquo;s interface or concept in our tool.


...DAD (Distributed Aggregation for Data analysis) is a free open source solution to this log aggregation and reporting problem.  

...The really beautiful thing about this particular solution is that we have abstracted the data so that we are not concerned about how the events are formatted.    The real power of this is that we can digest absolutely any kind of text based log format including syslog and web logs very easily.  ...  Not only does this give us tremendous speed when searching for events but it also means that we can store far more events than might otherwise be possible because we never duplicate data.


We do encourage you to consider looking at the DAD project as a possible solution but we also want to make sure that you are aware that this product falls somewhere between an Alpha and Beta status.  ...  If you do decide to try it out, please drop us a line and let us know how you like it!]]></content:encoded></item><item><title>Writing Policies</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Security</category><dc:date>2008-06-16T12:06:08-07:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/495c84f96e47a834b1ce0d84f2afa968-12.html#unique-entry-id-12</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/495c84f96e47a834b1ce0d84f2afa968-12.html#unique-entry-id-12</guid><content:encoded><![CDATA[Writing policies really isn&rsquo;t rocket science (or brain science as my brother in law would say), but writing effective policies that people can read, understand and follow is something of an art. 

...One of the big mistakes that we see people make in creating policies is starting out trying to write a policy.  ...  Quite often we get one person or a group of a few people to create a &ldquo;draft&rdquo; policy that then gets reviewed and everyone starts arguing about what it says.    In the end the particularly unpopular pieces of the policy that no one can agree on get killed or the entire policy gets scrapped because no one wants to sign it.


Rather than starting out trying to write sentences and paragraphs begin by working with management to define a bullet point list of control principles that the business would like to apply to situations generally.    It is good to try to connect these principles to the business objectives of the organization and the risks that can affect the ability of the organization to meet those objectives.


Next, create a bullet point list of what the objectives of the policy under consideration are and align these with the principles that you worked with management to create.    I would recommend that you circulate this list to the stakeholders and management to ensure that the objectives that you are seeking to meet match their view of what is important and how risks should be addressed.


...Next, take both the objective and control bullets that you have come up with to the stakeholders and management for their review.  

...The problem really isn&rsquo;t the wording of the controls but most commonly the problem is the actual underlying objectives and controls and how they align and affect the business.    By starting at the business objectives and working our way down to the policy control bullet points we have proposed controls that align directly with the business and serve to control actual risk!


...At this point, there may be some wordsmithing and wrangling but we will no longer need to rewrite the policy for every objection.]]></content:encoded></item><item><title>Zone Transfer without the AXFR</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Security</category><category>Research</category><dc:date>2008-06-02T15:29:59-07:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/26fad96dd08f74bc542b84a8d2011867-11.html#unique-entry-id-11</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/26fad96dd08f74bc542b84a8d2011867-11.html#unique-entry-id-11</guid><content:encoded><![CDATA[Servers used to willingly tell you who was logged on and from where, everyone had an anonymous FTP server and DNS servers were more than happy to give you a copy of their zone records.


Of course, there are lots of techniques for scanning and fingerprinting hosts and discovering networks, but these are sure to tip off someone who&rsquo;s watching that there&rsquo;s something going on.    This is even more true if you&rsquo;re performing an internal pen-test where, generally speaking, there should be next to no scanning going on.


...Relatively few name servers permit zone transfers anymore and exploiting a well secured DNS server has a good chance of getting someone&rsquo;s attention.  

...Essentially, if you know what you are interested in, you can ask the server directly without requesting an AXFR.    Rather than scanning the network for live hosts, send reverse queries to the name server for each of the public IPs in the networks that you can discover.    Another fantastic trick, provided your target has not deployed a Split DNS arrangement is to set your resolving server to be one of your target&rsquo;s servers and then do a reverse lookup for the .1 address of every private network range.


To help you along your way, we&rsquo;ve included a Perl script here that we use for just this purpose.  

...# techniques that can be used to map out a network, but that it's always best<br>


...# this reason, I recommend that people NOT try to dump a zone from a DNS<br>


...# Especially if the organization does not have a split DNS, this can be<br>


...  print "Usage:  dnsscan a.a.a.a b.b.b.b\n\na.a.a.a and b.b.b.b represent the starting and ending IP addresses to obtain information for.\n\n";<br>
]]></content:encoded></item><item><title>PCI/DSS Section 6</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Q &#x26; A</category><category>News</category><dc:date>2008-05-30T15:54:19-07:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/4dff0a6ed58627096c31c37518285ce6-10.html#unique-entry-id-10</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/4dff0a6ed58627096c31c37518285ce6-10.html#unique-entry-id-10</guid><content:encoded><![CDATA[As the worldwide adoption requirements of the PCI/DSS take effect, more and more organizations are becoming concerned about how to meet the requirements in the standard.    As it stands today there are still some disparities between the standard and the audit procedures, not to mention one or two... shall we say misstatements?  

...Auditors are instructed to look for evidence of a training program for secure programming and verification that the web application programmers have been through this training program.  

...Using this portion of the PCI standard, however, we have a fairly good sized lever to cajole the programmers into training with.  

...There are many courses out there that will teach you how to hack web applications, how to do penetration testing, etc.  ...  Fortunately there are a few good options out there that can allow you to satisfy the PCI requirement without having to create your own training program or a secure programming training department (which can be real challenges!).


...There are other week-long training options available out there but in our experience it&rsquo;s almost impossible to get your programmers to go to a week-long training program or to convince everyone that you can afford a week with your programmers unavailable.    The SEC 536 program is a two-day bootcamp-style workshop where the programmers are introduced to the roots of the problems in web applications, educated about how serious and widespread these are and then taught how to identify problem spots and how to write clean, secure code.


During the workshop, the students have the opportunity to work in a semi-competitive environment using whichever web application development tools or framework they prefer to create a simple web application.    The application that they create forces them to address all of the major secure coding issues that create vulnerabilities in web applications.    By the time they leave each student should be able to understand the principles of secure coding, have experience writing secure code, be able to identify bad coding practice and know how to do quality assurance testing for security issues.


All in all, SANS has created an all in one solution to allow you to easily meet your PCI compliance requirements in short order!]]></content:encoded></item><item><title>Keeping Cool</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Security</category><category>Research</category><dc:date>2008-05-28T12:57:46-07:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/82e20ca96857027b26b6bf8c41a9f79b-9.html#unique-entry-id-9</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/82e20ca96857027b26b6bf8c41a9f79b-9.html#unique-entry-id-9</guid><content:encoded><![CDATA[Electronic memory is essentially a set of tightly packed electronic switches.    In reality, memory is typically comprised of a large number of latches which are formed from transistors, but it&rsquo;s much simpler to imagine something more physical.  

...When you turn on your sprinkler, it takes a few moments for the water pressure in the hose to rise high enough to start spraying water out of the sprinkler head.    Conversely, when you turn the water off, water will continue to flow out of the sprinkler head as the water pressure drops.    In a similar way, the memory latches maintain their state as a result of a charge that is applied to them.    When the power turns off, the &ldquo;pressure&rdquo; source is removed, but it takes varying amounts of time for all of the pressure to go out of the system.    By refrigerating the memory chips, you are actually making them much more efficient, so it takes longer for the remaining power to drain completely.    Even without cooling, however, tests have found that some laptops will actually retain a fairly accurate representation of the RAM for upwards of ten minutes!    Desktop systems, far more power hungry, can only retain memory contents for a few seconds without cooling.


...It means that the rumors are true.    In fact, there was at least one paper regarding this issue written and published back in 2006, but it never really caught anyone&rsquo;s attention.    If you&rsquo;re looking for tools that you can use to test out these theories, have a look at McGrewSecurity, which has released a simple tool with easy to follow directions on how to build a bootable USB key that will allow you to easily dump memory captures to the USB stick.
]]></content:encoded></item><item><title>Magstripe Magic&#x21;</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Research</category><category>Security</category><dc:date>2008-05-23T12:53:30-07:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/b278dc6b5c3da4b83c55e31081cc6e49-7.html#unique-entry-id-7</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/b278dc6b5c3da4b83c55e31081cc6e49-7.html#unique-entry-id-7</guid><content:encoded><![CDATA[While there are probably non-standard items out there (there always are), the standard for magnetic stripe data indicates that the data will be stored on one or more of three distinct stripes.  ...  There are also some differences in how the data itself is recorded (how many bits per character, what the character set is, etc.).


At one point, we were producing a prototype for future miniaturization that would allow Law Enforcement to quickly and easily identify magnetic card data stored on any stripe that actually contained credit card data.  

...We did not select this out of any preference or because it&rsquo;s really awesome at reading card data; it just happened to be what we had handy in enough numbers that if we fried a few it wouldn&rsquo;t matter much.


The other major piece of hardware that is required in order to read a magnetic stripe is some sort of magnetic stripe head.    While you can make your own (we sure don&rsquo;t advise that) and there are lots on the market, we found that the Magtek 21047019 mini magnetic head assembly was perfect for our application.    The especially nice part about using this part is that you don&rsquo;t have to write code to figure out when the card has been inserted and where the stripe began (or which way the card was going).  ...  Once the card has been swiped, you simply (we use that word loosely) need to read the data out of the buffer and interpret it!    The other advantage to this particular part is that it runs at 5 volts DC rather than 3.5 volts, which is pretty common for a card read head.    This simplifies the circuit design since (at least for us) all of the PIC parts we had handy are 5 volts.


...The design is extremely simple and, if you&rsquo;re patient, you can probably reconstruct it from the image or the source code below, but we felt that there should be some hurdle for people who might want to take this and turn it into a card skimmer for nefarious purposes.  ...  In tomorrow&rsquo;s blog post we&rsquo;ll also release and detail the code for the LCD driver in case you have a Hitachi based LCD that you&rsquo;re trying to drive from a PIC.
]]></content:encoded></item><item><title>Driving a Hitachi 4x20 LCD</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Research</category><category>Q &#x26; A</category><dc:date>2008-05-20T12:51:38-07:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/c644002894ea4abf30cdebf84c2dc965-6.html#unique-entry-id-6</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/c644002894ea4abf30cdebf84c2dc965-6.html#unique-entry-id-6</guid><content:encoded><![CDATA[Over the years, we&rsquo;ve put together a number of electronic testing rigs for a variety of purposes and we&rsquo;ve found the four line LCD display invaluable when it comes to quick and dirty output.  

...You can save yourself a lot of pain and effort by installing one on pin 3 (Contrast Adjustment Vee) rather than trying to fiddle around wondering why you&rsquo;re not seeing anything at all.


...For simplicity, we&rsquo;ve included driver code that will work seamlessly with a PIC16F819 and can easily be adapted for a large variety of other PIC processors with little to no effort.    The code that we&rsquo;ve included will expect to drive the display in eight-bit mode, which is the easier way to go if you have the data lines to spare.


Other than choosing the width of the data that you will be sending, the two modes that you care most about are whether the display is in command mode or ready to accept and print a character.  ...  In order for the display to operate properly, it&rsquo;s generally a good idea to begin by waiting a few milliseconds after powerup so that things can settle down, then setting the data width and then clearing the display.


...While we&rsquo;re considering an eight bit bus in this example which makes the notion very easy to understand, it actually can be found in virtually all types of digital communications.  ...  Think about it, if the LCD responded to every voltage change on the data pins, we&rsquo;d end up with all kinds of junk since the various bits will often not all change state simultaneously.


The way that we solve this problem is by using a sort of trigger to tell the LCD, &ldquo;Ok, take off your blindfold and see what&rsquo;s on your data pins.&rdquo;  

...Where it requires a bit more thought is in situations where there are only one or two data lines available and we still need to get 8, 16, 32 or any other length data through that single line.  ...  It is quite likely that the reason this confuses most people is that when they see &ldquo;clock&rdquo; they immediately think that they need to hook the system clock or crystal up to drive the input, but as you can imagine that could create all kinds of hassles!    In more advanced applications, though, it can make a lot of sense to drive this bus clock through a divider that is driven directly by the system clock, removing the requirement for you to manage this clock &ldquo;manually&rdquo;.  ]]></content:encoded></item><item><title>The Dangers of Source Routing</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Security</category><category>Research</category><dc:date>2008-05-15T12:47:47-07:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/dbe04629c14a2d07495a38bbf2fc98d9-5.html#unique-entry-id-5</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/dbe04629c14a2d07495a38bbf2fc98d9-5.html#unique-entry-id-5</guid><content:encoded><![CDATA[For our purposes, this could range from a network ACL that prevents anyone from communicating with Alice on a particular port to a full blown trust relationship whereby a user on Bob may access Alice&rsquo;s resources without presenting any credentials.  

...It is pretty clear that if Eddie wishes for his router to be able to communicate outbound to the network, the external address must comply with the networking scheme in the organization.  

...If you note slide #5, Eddie could certainly configure his router so that the external address is assigned by DHCP and at the same time he can configure the internal address of the router to be anything that he wants.    He cannot necessarily expect to receive an answer, but if he were to configure the router and his host as pictured in slide #5, the packets certainly could be expected to route outbound into the network, unless the network has some form of unicast reverse path forwarding enabled or some other network access controls that will detect that the packets are coming from the wrong network.  

...In any event, using this arrangement, if we look at slide #6, we can see Eddie&rsquo;s first attempt to send a packet.    In this case, he has simply reconfigured the internal addresses on his router and host and attempted to send a packet to Alice.    Try as he might, though, he will consistently receive an unreachable message because his router believes that Alice&rsquo;s address is local, but cannot find a reachable host.


If you look at slide #7, it is possible for Eddie to set up a static route to force traffic outbound for Alice to be delivered to Alice, (or to use a different address range and simply spoof Bob&rsquo;s address, which is what is pictured in the slide) but all of her answers will go to the real Bob.  

...Instead, a list of all of the devices through which this packet must pass is included at the end of the IP header.  

...For this attack to work, we need at least one device not on the target network and not the attacker&rsquo;s router to pass packets through.  

...She would like to send her response to Bob directly (the dotted line) but IP requires that if an IP option is enabled when a packet is received, the appropriate option and option list must be enabled in the responses.  ...  What this means is that rather than responding directly to Bob on the local network, Alice forwards her response to Ivan, Ivan then forwards it to Eddie&rsquo;s router and Eddie&rsquo;s router now makes a local delivery to Bob&rsquo;s address.
]]></content:encoded></item><item><title>Networking Basics</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Security</category><category>Research</category><category>Q &#x26; A</category><dc:date>2008-05-10T11:27:55-07:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/fedaaf981c2b358f04d3e6d5fbf12cf0-4.html#unique-entry-id-4</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/fedaaf981c2b358f04d3e6d5fbf12cf0-4.html#unique-entry-id-4</guid><content:encoded><![CDATA[Many people who have transitioned into IT Security, especially in the audit disciplines, discover that they are missing some of the fundamentals.    This presentation and its accompanying notes are designed to get you up to speed on some of the low level basics.


The 100+ page booklet starts out by covering the numbering systems used with computers, including some of the background theory that connects the dots but that was probably skipped when you learned math in school. From there we cover the basics of networking protocols and, finally, how network addressing and masking actually work.
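As an added illustration of the masking material the booklet covers (this is not code from the booklet, and the addresses are made up), the arithmetic below does everything in plain integers rather than through a library, so each step is the bit operation a network engineer should be able to do on paper: build a mask from a prefix length, find the network and broadcast addresses, decide whether two hosts share a subnet, and split a network into two.

```python
"""IPv4 masking and subnetting by hand. Added example; all addresses constructed."""

def to_int(addr):
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % addr)
    return int.from_bytes(bytes(int(o) for o in octets), "big")

def to_str(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))

def mask_from_prefix(prefix):
    """/23 -> 0xFFFFFE00: the top `prefix` bits set, the remaining host bits clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length out of range")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def prefix_from_mask(mask):
    """255.255.254.0 -> 23; rejects masks whose one-bits are not contiguous."""
    m = to_int(mask)
    ones = bin(m).count("1")
    if m != mask_from_prefix(ones):
        raise ValueError("non-contiguous mask %s" % mask)
    return ones

def network_of(addr, prefix):
    """AND with the mask clears the host bits."""
    return to_str(to_int(addr) & mask_from_prefix(prefix))

def broadcast_of(addr, prefix):
    """OR with the inverted mask sets every host bit."""
    return to_str(to_int(addr) | (~mask_from_prefix(prefix) & 0xFFFFFFFF))

def same_subnet(a, b, prefix):
    """Two hosts are local to each other exactly when their network addresses match;
    this is the test a router makes before deciding to deliver directly."""
    return network_of(a, prefix) == network_of(b, prefix)

def subnet_into_two(addr, prefix):
    """Borrow one host bit: the lower half keeps the old network address, the upper
    half starts at network + 2**(32 - new_prefix)."""
    if prefix >= 32:
        raise ValueError("nothing left to borrow")
    new_prefix = prefix + 1
    lower = to_int(network_of(addr, prefix))
    upper = lower | (1 << (32 - new_prefix))
    return [(to_str(lower), new_prefix), (to_str(upper), new_prefix)]

def usable_hosts(prefix):
    """Addresses minus network and broadcast (the /31 and /32 special cases aside)."""
    return max(2 ** (32 - prefix) - 2, 0)

if __name__ == "__main__":
    print(subnet_into_two("172.16.0.0", 22))   # the interview question, off an octet boundary
    print(same_subnet("172.16.1.200", "172.16.2.5", 23))
```

The /22 example is deliberately not on an octet boundary: the two halves are 172.16.0.0/23 and 172.16.2.0/23, and 172.16.1.200 and 172.16.2.5 sit in different subnets even though only the third octet differs by one.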


As frightening as it is, I remember going through a pool of over fifty applicants for a network engineering position.    Of those, quite a few had documented experience managing and designing networks of more than five years.    Even so, out of that entire pool, not a single one of them was able to perform the simple task of taking a network address and subnetting it into two networks.    In the end, I hired the two guys who said, &ldquo;You know what, I&rsquo;m really not sure.    I&rsquo;d have to look it up&rdquo; rather than the forty and more who tried and failed miserably.


Download Book]]></content:encoded></item><item><title>Poor Passwords - The Real Risk&#x21;</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><category>Security</category><dc:date>2008-05-05T23:40:12-07:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/214b330638e1a21d1079bece81a50847-1.html#unique-entry-id-1</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/214b330638e1a21d1079bece81a50847-1.html#unique-entry-id-1</guid><content:encoded><![CDATA[&nbsp; In fact, if there&rsquo;s one policy that your company has in the IT Security arena, it&rsquo;s probably a password policy!...  &nbsp; You have to pick a password that&rsquo;s at least eight characters long, includes upper and lower case, has at least one number or a special character, etc., etc....  &nbsp; What if I told you that there&rsquo;s a trick that I use when performing penetration tests that always recovers at least five percent of the accounts in the domain without requiring that I capture the password hashes and that can be performed without locking out anyone?

...In fact, most organizations write policy and train users in security awareness about only one half of the authentication equation, the password, and this leaves a rather sizable weakness that we&rsquo;ve probably ignored.

...In our policies we put all of our energy, or at least the vast majority of it, into the selection and protection of the password. To be frank, whatever policy you create for passwords, I can promise you that some user somewhere will select a password that completely adheres to your policy yet is obviously an extremely poor one. For example, when we require the standard three out of four character classes (upper, lower, number, special), which seems like a great starting point and is the standard almost everywhere, I guarantee that you will find users selecting &ldquo;Password1&rdquo;, which meets every one of the requirements.
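To make the point concrete, here is an added example (not from the original post) of a three-of-four policy check side by side with the checks that actually catch a compliant-but-obvious password. The deny-list of base words is a constructed, deliberately short stand-in for the wordlist a real engagement would use.

```python
"""Complexity policy versus actual weakness. Added example; the word list is constructed."""
import re

# Constructed deny-list of base words that turn up on practically every engagement.
COMMON_BASES = {"password", "welcome", "letmein", "changeme", "summer", "winter",
                "spring", "autumn", "monday", "qwerty", "admin", "company"}

def meets_three_of_four(pw, min_len=8):
    """The usual policy: at least min_len characters and three of the four classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= min_len and sum(classes) >= 3

def weakness_reasons(pw, username=""):
    """Pattern checks the policy does not make; returns [] when none of them fire."""
    reasons = []
    base = re.sub(r"[^a-z]", "", pw.lower())          # letters only, case folded
    if base in COMMON_BASES:
        reasons.append("common word with padding")
    if re.fullmatch(r"[A-Z][a-z]+[0-9!@#$%^&*]{1,4}", pw):
        reasons.append("capitalised word plus short suffix")
    if re.search(r"(19|20)\d\d", pw):
        reasons.append("contains a year")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    return reasons

def evaluate(pw, username=""):
    """(policy-compliant?, list of reasons it is weak anyway)."""
    return meets_three_of_four(pw), weakness_reasons(pw, username)

if __name__ == "__main__":
    for candidate in ["Password1", "Summer2008!", "correct-Horse7battery"]:
        print(candidate, evaluate(candidate, "jsmith"))
```

"Password1" passes the policy and trips two of the pattern checks; the longer passphrase passes the policy and trips none. A password filter that only implements the first function is exactly the gap the post is describing.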

...If I discover the most complex password ever created but lack the username for which it is the key, that password has no value.

...The real answer is that the username is equally sensitive, but because we tend to base usernames on common schemes (first initial plus last name, first initial, middle initial and last name, and so on) we don&rsquo;t treat them as sensitive even though they are.


...If you&rsquo;re somewhat technical, you can easily discover the account lockout policy by querying your local system (on a Windows domain member, net accounts /domain reports the lockout threshold, the lockout duration and the observation window) or by examining the group policies that apply to you.

...Now we&rsquo;re not going to write the script for you to go and recover accounts with, but how difficult would it be to do something like this in a script and use the exit code to test for success?
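The pacing arithmetic behind this, as an added in-memory simulation rather than the script the post deliberately withholds: a constructed directory that enforces a lockout policy, a guesser that reads that policy and stays below the threshold by waiting out the observation window between batches, and the counter a defender would run over the same failure events. Accounts, passwords, policy values and the source address are all made up, and the directory's lockout rule is a simplified sliding window.

```python
"""Lockout-aware guessing, simulated. Added example; everything here is constructed."""
from collections import defaultdict

class Directory:
    """Stand-in for a domain controller: locks an account once it sees `threshold`
    bad passwords inside one observation window (simplified to a sliding window)."""
    def __init__(self, accounts, threshold, window_s):
        self.accounts, self.threshold, self.window = accounts, threshold, window_s
        self.failures = defaultdict(list)      # user -> timestamps of bad passwords
        self.locked = set()
        self.events = []                       # (t, source, user, success) audit trail

    def policy(self):
        return {"threshold": self.threshold, "window_s": self.window}

    def authenticate(self, t, source, user, password):
        ok = user in self.accounts and user not in self.locked and self.accounts[user] == password
        self.events.append((t, source, user, ok))
        if not ok and user in self.accounts:
            recent = [f for f in self.failures[user] if t - f < self.window] + [t]
            self.failures[user] = recent
            if len(recent) >= self.threshold:
                self.locked.add(user)
        return ok

def paced_spray(directory, usernames, candidates, source, t=0, margin=1):
    """At most threshold-1-margin guesses per user per window; the margin leaves room
    for the user's own typos. Then wait a full window before the next batch."""
    pol = directory.policy()
    per_round = pol["threshold"] - 1 - margin
    assert per_round > 0, "policy too tight to test safely"
    found = {}
    for start in range(0, len(candidates), per_round):
        batch = candidates[start:start + per_round]
        for user in usernames:
            for pw in batch:
                if user in found:
                    break
                t += 1                          # one second per attempt
                if directory.authenticate(t, source, user, pw):
                    found[user] = pw
        t += pol["window_s"] + 1                # let every bad-password count age out
    return found

def unpaced_spray(directory, usernames, candidates, source, t=0):
    """The naive loop, for contrast: it ignores the policy and locks people out."""
    found = {}
    for user in usernames:
        for pw in candidates:
            t += 1
            if directory.authenticate(t, source, user, pw):
                found[user] = pw
                break
    return found

def spray_sources(events, window_s, min_users):
    """Defender's view: one source failing against many distinct users inside a window,
    with nobody locked out, is the signature of this kind of test."""
    by_source = defaultdict(list)
    for t, source, user, ok in events:
        if not ok:
            by_source[source].append((t, user))
    flagged = {}
    for source, fails in by_source.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 < window_s}
            if len(users) >= min_users:
                flagged[source] = max(flagged.get(source, 0), len(users))
    return flagged

# Constructed accounts and candidate list (policy-compliant, obviously weak guesses).
ACCOUNTS = {"jsmith": "Password1", "amiller": "Fluffy!kitten19",
            "rpatel": "Welcome1", "tchen": "xq7#Lm2!pz"}
CANDIDATES = ["Password1", "Welcome1", "Summer2008", "Changeme1", "Spring2008", "Letmein1"]

def demo(paced=True):
    """Returns (accounts recovered, accounts locked, sources a defender would flag)."""
    d = Directory(ACCOUNTS, threshold=5, window_s=30 * 60)
    spray = paced_spray if paced else unpaced_spray
    found = spray(d, list(ACCOUNTS), CANDIDATES, "10.0.0.99")
    return found, sorted(d.locked), spray_sources(d.events, 30 * 60, min_users=3)

if __name__ == "__main__":
    print(demo(paced=True))
    print(demo(paced=False))
```

With a threshold of five, the paced run recovers the two weak accounts and locks nobody, while the naive run locks the two accounts whose passwords were not on the list. Note that the paced run is still plainly visible to anyone counting failed logons per source rather than per user, which is the detection to have in place.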


...Of course, the real beauty of this type of test (which is an excellent thing to do during a penetration test) is that we never violate the account lockout policy.]]></content:encoded></item><item><title>About This Blog</title><dc:creator>dhoelzer@enclaveforensics.com</dc:creator><dc:subject>Blog</dc:subject><dc:date>2008-05-01T23:38:36-07:00</dc:date><link>http://www.enclaveforensics.com/Blog/files/e803af55a69b474c859d7e313ccdffb9-0.html#unique-entry-id-0</link><guid isPermaLink="true">http://www.enclaveforensics.com/Blog/files/e803af55a69b474c859d7e313ccdffb9-0.html#unique-entry-id-0</guid><content:encoded><![CDATA[Enclave Forensics personnel have been looked to by industry professionals for security advice and solutions for more than ten years.  &nbsp; This blog is intended to give you a window into our research and current projects, especially those portions that we make freely available for the community.  &nbsp; If you have any thoughts or topics that you&rsquo;d like to see us discuss, please feel free to contact us.]]></content:encoded></item></channel>
</rss>