Archive

Archive for the ‘Information Security’ Category

TLS Protocol & SSL Protocol


SSL (Secure Socket Layer) provides security assurance for any protocol at the application layer that’s based on reliable connections, such as TCP. SSL provides CAI (Confidentiality, Authentication and Integrity) by following way:
1. Confidentiality: Data in transit is encrypted using a symmetric key algorithm thus providing data transmission confidentiality
2. Authentication: It is achieved through 2 way SSL and 1 way SSL configuration. In 2 way SSL digital signature method to authenticate the identity of servers and clients based on certificates is followed. In case of 1 way SSL only server takes part in authentication process.
3. Integrity: Message authentication code (MAC) based on MD5 or SHA to verify the integrity of messages in transit is ensured.

TLS (Transport Layer Security) on other hand is to unify SSL standards on the internet. It is almost same as SSL in componsition, consisting of TLS record protocol and TLS handshake protocol. TLS record protocol is classified into the handshake protocol, alert protocol, ChangeCipherSpec protocol and application protocol.

Advertisements

Security System Administrator vs Network Administrator

February 6, 2011 8 comments

I see lot of people interchangeably using these roles in various contexts while talking or in writing. Here in this post I would like to clear out the concept and list down the responsibilities of both the roles.

SYSTEM ADMINISTRATOR

The role of System administrator varies widely from one organization to another. System administrators are usually charged with installing, supporting, and maintaining servers or other computer systems, and planning for and responding to service outages and other problems. Other duties may include scripting or light programming, project management for systems-related projects,

The system administrator is responsible for following things:

  • User administration (setup and maintaining account)
  • Maintaining system
  • Verify that peripherals are working properly
  • Quickly arrange repair for hardware in occasion of hardware failure
  • Monitor system performance
  • Create file systems
  • Install software
  • Create a backup and recovery policy
  • Monitor network communication
  • Update system as soon as new version of OS and application software comes out
  • Implement the policies for the use of the computer system and network
  • System inventory management.
  • Preparation of documents for internal and external system audit.
  • Setup security policies for users. A system Administrator must have a strong grasp of computer security (firewalls and intrusion detection systems)

NETWORK ADMINISTRATOR

  • Manages the data communication needs of the company
  • Manages the physical network infrastructure, including wired and wireless local area network (LAN)
  • Manages infrastructure servers: Active Directory, WINS, DNS, DHCP, Proxy, RAS, and Internet Security and Acceleration (ISA) Server
  • Manages the acquisition of new network hardware as required
  • Participates in network planning, design, development, deployment, and modification
  • Monitors and controls service levels of network suppliers
  • Liaises with the Service Monitoring and Control SMF to establish a list of monitored network activities
  • Ensures that data communication within the company is reliable and of sufficient capacity to meet business needs
  • Provides physical connections to the corporate LAN as required
  • Ensures that data communications packets are routed efficiently
  • Provides regular feedback on network performance, both in general and against specific service levels
  • Provides access to the corporate network via dial-up or virtual private network (VPN) as required
  • Monitors bandwidth use, analyzes traffic patterns and volumes, and determines impact/implications of issues
  • Monitors and controls service levels of network suppliers
  • Ensures detection of alerts from the network infrastructure
  • Provides physical connections to the corporate LAN as required
  • Ensures that data communications packets are routed efficiently
  • Provides regular feedback on network performance, both in general and against specific service levels
  • Monitors bandwidth use, analyzes traffic patterns and volumes, and determines impact/implications of issues
  • Monitors incident details, including the configuration items affected
  • Investigates and diagnoses incidents and problems (including resolution where possible)
  • Detects possible problems and notifies problem management
  • Documents the resolution and recovery of assigned incidents
  • Acts as a restoration team member, if required, during major incidents
  • Carries out actions in order to correct known errors
  • Performs monitoring and analysis of intrusion detection and other security breaches
  • Maintains access list
  • Performs firewall maintenance
  • Ensures security standards are upheld.

 

Product Penetration Testing – A Generic Framework

February 6, 2011 1 comment

This post highlights on the steps for Product Penetration Testing – A Generic Framework.

Unlike my previous post, which is more close to Network Penetration Testing this post is more about Products and their security. Usually QA who tests the products may not have the right expertise in Security Testing of the Products. It should be understood that companies should rightly invest in such teams, so that any security holes would popup at the initial stage instead of waiting till go to market and thus facing last minute hiccups!

Now let’s get into actual stuff. Let’s start with Black box penetration testing.

BLACK BOX PENETRATION TESTING

Pre-requisites:

  • Collect IP Address of the machine over which the product is installed
  • Password credentials of the machine on which the product is deployed (Not product or application credentials, if it’s SSO then different story altogether)
  • Firewall blocking and restrictions should be removed as it is not network penetration testing
  • Application should be deployed in a separate environment which does not affect production

Step1: Information Reconnaissance

  • Review public discussion forums for any leaked information on product
  • Check for the product support forums
  • Gaining information on product through search engines

Step2: Scanning and application fingerprinting

  • Discovering application Services and ports used by the application
  • Discovering User access handing Flaws
  • Discovering Authentication Flaws
  • Discovering Session Management Flaws
  • Discovering Access control Flaws
  • Discovering user input validation flaws
  • Discovering flaws in error handling and Input handling
  • Inference from published contents
  • Application finger printing

Step3: Exploring the Application technology and Protocols uses

  • Exploring  application protocol requests and response for flaws
  • Exploring  application URLS for  flaws and vulnerabilities
  • Exploring cookies used by application
  • Exploring  for Server side and Client side Functionality Flaws
  • Identify entry points for user inputs

Step4: Enumeration and Application Attacks

  • Enumeration of content and functionality of application
  • Enumeration using Webspidering and user-direct spidering
  • Discovering hidden contents
  • Brute force and dictionary attacks
  • Discovering Hidden Parameters
  • Buffer over flow attack
  • Session hijacking and men in the middle attacks
  • Authentication attacks
    • Brute forcible login
    • Verbose Failure Message
    • Using password change and forgotten password functionality
  • Access control attacks

Step5: Injection of Code Attacks

  • Injecting into interpreted languages
  • Injection into SQL
  • Exploiting SQL injection Bugs
  • Bypassing Login
  • Injecting  into different statement types
  • XSS attacks
  • Cross-site scripting attacks
  • Exploiting Path Traversal Flaws
  • Stack and heap overflow attacks
  • Data base attacks

WHITE BOX PENETRATION TESTING

All above steps apply but in this case you’ll have complete access to source code, design and architecture documents, database details, etc

Mainly it’s all about

  • Product Source Code review – Identify security flaws in the java, c/c++, etc programming code
  • Database design – Identify flaws in database design
  • Error handling – Exception and error handling plays a vital role

That’s all for now!

Understanding Penetration Testing A generic framework

February 6, 2011 1 comment

This post highlights on the Penetration Testing Generic Framework for Ethical Hackers. Let’s discuss what it’s all about…

Penetration Testing is the process of evaluating one’s own network by assessing vulnerabilities and penetrating it. This exercise is to simulate the methods that are used by a real attacker to penetrate your network. Every attempt should be made to access every resource via every entry point.

There are two major frameworks that pen testers use

  1. One is just following there instincts and experience
  2. The other is a formal approach, though it is believed that pen-testing is an art than a step-by-step process much effort has been put into these frameworks so that they do not hinder the creative process.

There are three major approaches to Penetration Testing, They are

  1. Black Box :- With no knowledge of the Infrastructure to be tested.
  2. White Box :- With a complete knowledge of the Infrastructure to be tested.
  3. Gray Box (Internal Testing):- Tests the possibility of insiders accessing the network.

Three mostly followed Pen-Testing Frameworks are :

  1. OSSTMM ( Open Source Security Testing Methodology Manual).
  2. NIST SP 800-42 ( National Institute of Standards and Technology).
  3. ISSAF (Information Systems Security Assessment Framework).

Any basic Pen-test Framework would contain the following steps to be followed.

  1. Pre-Inspection Visit
  2. Network Foot printing/Reconnaissance
  3. Scanning
  4. User Enumeration
  5. Password cracking
  6. Vulnerability assessment
  7. Risk Assessment
  8. Final Report

Various phases of Penetration testing are:

  • Reconnaissance: Reconnaissance is the first phase where the attacker/tester gathers much information about the target’s infrastructure before launching the attack. It involves network scanning either externally or internally. In a broader view Reconnaissance can be  divided into four phases :
    • Intelligence gathering: Learn about the targets business and it’s organizational structure, this gives the list of DNS domain names, reflecting the entire target organization. (web Search, whois, netcraft)
    • Foot Printing: Determine the IP address range for the organization by extracting  the DNS host names and there associated IP addresses.(DNS, WHOIS, SMTP, Wikito)
    • Verification: Verify that the addresses obtained in the previous phase are correct and it is possible to find other DNS domains that were not found in the prior stages (DNS (reverse lookup), WHOIS IP).
    • Vitality: IP addresses determined are reachable or not.
  • Scanning: This is one the three major components of intelligence gathering, which involves finding information about specific IP address, the operating system it uses, and the services running on it. The different types of scanning are
    • Port Scanning: Used to find out the services running associated to each port (NMap)
    • Network Scanning: Finding all reachable hosts on the network (Angry IP scanner, Global Network Inventory Scanner)
    • Vulnerability scanning: Identifying vulnerabilities of computer systems in a network (Nikto, Nessus, Retina).
  • Enumeration: Enumeration is the process of extracting user names, machine names and shares from the computers, user names can be enumerated using Win2k enumeration, SNMP, email Id’s, or Brute force the Active Directory. Banner Grabbing is one of the most used techniques in Enumeration, Using Null sessions list of users and machines can be obtained from windows systems. Though it is not possible to use null sessions on windows 2003 servers on all other windows systems they can be accessed through the ports 139 and 445. Tools like Dumpsec, NetView, Nbtstat, and SuperScan4 can be used to Enumerate users and shares on windows networks. On UNIX systems a different set of tools can be used to enumerate users, showmount can be used to display the shares on a machine, Finger enables us to view user’s home directory,login time and location. Rpcinfo can be used to enumerate Remote Procedure Call Protocol. Snmpwalk tool can be used to enumerate SNMP agents on UNIX platforms.
  • Password Cracking: Password cracking is the oldest form of attack on computer systems. Password guessing was one of the first of this kind. If a proper user Name is known password’s can be either guessed or brute forced. Dictionary attack is also quite useful in pen-testing but these kind of attacks are not easy on complex passwords they may take many years to be cracked if they are sufficiently complicated. An easier way to crack password is to sniff the network traffic and extract the credentials from it. It is also possible to crack encrypted passwords if the algorithm used to encrypt is known, you can simply calculate the hashes for all the possible letter, number and special character combination. And compare it with the password hash. The only way to mitigate this kind of an attack would be to use a more complicated password that is not related to the user and use a combination of numeric alphabet and special characters. Password cracking tools like John the Ripper, OPH cracker, lopth cracker are available for free.
  • Vulnerability Assessment: Passwords can be cracked or social engineered, but its not easy to get a root access to any system. All of the new Operating Systems restrict the access to users other than the Administrator or the Root Account. To be able to use the services or do any malicious activity the attacker needs a root privilege which can be obtained by exploiting existing vulnerabilities in either the OS or the Applications running on the system, this is known as Privilege escalation. Vulnerability can help the attacker in exploiting buffer overflows and stack overflows that can result in privilege escalation. “x.exe” is a well known privilege escalation tool.
  • Risk Assessment: There are several methods of calculating Risk assessment, that range from complex mathematical formula to a simple conversation with the owner. It involves calculating the costs of down time and virtually any risk factor. The pen test team must plan for risks to enable contingency plans in order to use the time and resources effectively.

The information contained in this post is compiled from various sources and do not validate the steps mentioned above if followed ensures secured network 🙂

Social Networking Privacy Issues

January 18, 2011 1 comment

http://www.infoworld.com/d/adventures-in-it/facebook-con-artists-the-rise-662?source=IFWNLE_nlt_blogs_2011-01-17

Reading this, I felt how easy it is for one to perform a Social Engineering! I see lot’s of my friends sharing their day to day activities as scrap on social network web sites. They talk about how they are feeling, how they felt, where they are planning for a holiday, where they were on holiday many many such personal information, which is quite easy for any one to assess the guy’s personality, his/her taste etc. Giving away too much of information is nothing but leaving high probability of misuse by a malicious user.

In fact the profile creation form by it self has many sensitive information, which if gets in to wrong hands will definitely pose some sort of threat.

Moral of the story is next time when you scrap try being safe… what ever you wanna do Think and do! 🙂

My article on Information Security

January 17, 2011 Leave a comment

http://ezinearticles.com/?When-Security-is-Mantra-Then-the-Security-Consulting-is-Tantra&id=1306689

Though I published this article 2 years ago on eZine I still find it more relevant!

Store those audit logs seperately

January 17, 2011 1 comment

This is not some thing new. A hacker would always look into ways to clear his traces either in case of successful or failure attempt.

Hence it’s a strong urge to storing audit logs separate from the machine or database where application data is stored. Not only that, you need to apply same logical and physical controls as to what applied for application database. In fact more better if the security controls applied on the audit machine is more stringent.

Apart from protection and storage,  the audit trail data should be archived periodically and monitored regularly.

As always stated in my posts “Security can’t just be addressed with Technology by itself, you need a strong PROCESS coupled with Technology to address the same more effectively”.