27 August 2016
8 January 2015
In the past weeks I read a lot about Pass-the-Hash (PtH) attacks, the Zeus botnet and other frightening attack vectors.
For example, PtH attacks require access to specially protected files and registry settings. Standard users have very limited or no access to these system objects. If an attacker hijacks your computer he takes all your privileges: in the best case administrative privileges for your computer only, but in the worst case administrative privileges for a whole network.
I think a good New Year’s resolution would be to do everyday work with standard user accounts, and to use accounts with administrative privileges only when required.
If you manage a company network, please avoid logging on to member servers and workstations with a domain administrator account. Windows stores your password in the computer’s SAM (Security Accounts Manager). Thus it could be attacked by a malicious user …
You will not gain 100% safety, but you will become a lot safer than if you don’t take basic security precautions.
That’s it for today. The only thing left for me to say is …
In the past days I did lots of application protection planning with Oracle databases as backend.
Oracle SQL*Net encryption is an easy to implement measure for protection of the network traffic against sniffing attacks in a standard client-server application with an Oracle database as backend.
Why is encryption of the Oracle network traffic so important? Because everyone who can edit the sqlnet.ora configuration file is able to set up Oracle network tracing just by adding a few configuration parameters.
With tracing enabled the entire session traffic, e.g. a change password command like
Alter user system identified by ",v$1ry c2mplex p$3ssword!";
is logged in plain text to the trace file. That’s extremely dangerous! Never change your password this way!
But the output of a standard SQL command like
Select employeeName, employeeSocialSecNumber from employees;
will be reported in plain text as well, even if column 'employeeSocialSecNumber' is protected by the Oracle Transparent Data Encryption option. That works as designed: TDE is transparent to the user. Even if the user handles the data carefully, an attacker with admin privileges could easily take a copy from the trace file.
With SQL*Net encryption activated the trace is no longer readable.
SQL*Net encryption is set up by just adding some configuration parameters to the sqlnet.ora file on the clients and the server. Thus everyone who is able to edit the sqlnet.ora file on the client could potentially disable encryption…
Fortunately, the parameter SQLNET.ENCRYPTION_SERVER, when set to REQUIRED on the database server, controls the session behaviour: a connection attempt from a client with session encryption disabled is rejected with error ORA-12260. Great!
But all server admins are able to edit this configuration file…
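As an added example, not taken from the original post, the following POSIX shell script audits the server-side sqlnet.ora settings discussed above; the two sample files it writes are constructed for illustration, and the parameter names are the standard Oracle Net ones.

```shell
# Audit of the server-side sqlnet.ora settings discussed above. Added example,
# not from the post; the sample files below are constructed for illustration.
# Print the value of one sqlnet.ora parameter: first match, case-insensitive
# name, trailing comment and whitespace stripped, upper-cased; empty if unset.
sqlnet_param() {   # $1 file, $2 parameter name
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
        | sed -e 's/#.*$//' -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr '[:lower:]' '[:upper:]'
}
# Report a finding unless the parameter has the expected value.
expect_param() {   # $1 file, $2 parameter name, $3 expected value
    v=$(sqlnet_param "$1" "$2")
    [ "$v" = "$3" ] && return 0
    echo "FINDING: $2 is '${v:-unset}', expected $3"
    return 1
}
# Encryption and integrity must be REQUIRED on the server, so that a client
# which switched encryption off in its own sqlnet.ora is rejected (ORA-12260),
# and server-side Net tracing must be off, since a trace file holds the whole
# session in clear text. Returns 0 only when every check passes.
audit_sqlnet_server() {
    rc=0
    expect_param "$1" SQLNET.ENCRYPTION_SERVER      REQUIRED || rc=1
    expect_param "$1" SQLNET.CRYPTO_CHECKSUM_SERVER REQUIRED || rc=1
    lvl=$(sqlnet_param "$1" TRACE_LEVEL_SERVER)
    case "${lvl:-OFF}" in
        OFF|0) ;;
        *) echo "FINDING: TRACE_LEVEL_SERVER is '$lvl', expected OFF"; rc=1 ;;
    esac
    return $rc
}
# Constructed sample: accepts unencrypted sessions and has support-level tracing on.
write_weak_sqlnet() {
    printf '%s\n' 'SQLNET.ENCRYPTION_SERVER = ACCEPTED' \
                  'TRACE_LEVEL_SERVER = 16   # support level trace' > "$1"
}
# Constructed sample: the hardened configuration for the same server.
write_hardened_sqlnet() {
    printf '%s\n' 'SQLNET.ENCRYPTION_SERVER = required' \
                  'SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)' \
                  'SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED' \
                  'SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)' \
                  'TRACE_LEVEL_SERVER = OFF' > "$1"
}
# Run the audit against both constructed files.
for kind in weak hardened; do
    f=$(mktemp); "write_${kind}_sqlnet" "$f"
    audit_sqlnet_server "$f" && echo "$kind sqlnet.ora: OK"
    rm -f "$f"
done
```

The same checks apply to the client side (SQLNET.ENCRYPTION_CLIENT, TRACE_LEVEL_CLIENT), but as the post notes, only the server-side REQUIRED setting cannot be undone by a client edit.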
What can we learn from this?
Applying isolated security measures will not raise the overall security level.
The combination of security measures makes the difference!
We are on a cycling trip through North Germany and the Netherlands.
Most of the time we use well marked long-distance cycling trails, very often along local roads. In particular in The Netherlands these routes are easy to ride.
But when we enter towns it becomes chaotic. To avoid well-paved bike trails or sometimes short road sections without bike trails along frequently used roads, the route designers guide us across the city, which very often results in long detours.
But these detours are in general not safer, because we have to cross lots of junctions and driveways. In addition, these secondary roads are frequently used by the townsfolk.
If route designers were familiar with the concept of attack surfaces they would never design cycling trails this way.
It is time that we start transferring concepts developed in computer science to other disciplines like roadway design or urban development to make the world a safer place.
Bentheim Castle shows the direction to application security.
A minimized attack surface …
A single point of access …
A hidden jewel inside …