Tag Archives: Vulnerability

Security often falls by the wayside when availability is a priority

16 May 2015

When we talk about information security we often forget printing. We add labels like ‘Confidential’ or ‘Top secret’ to documents to make it clear to everyone that these documents contain the company’s crown jewels. But when it comes to printing, the printouts sit in the printer’s output bin, sometimes for days, accessible to everyone.

Fortunately most printer vendors have developed secure print systems to support users in the secure handling of information. In a secure print system documents are not output immediately when the user prints them. Instead, they are cached by the print service and output only on request by the user.

Before the user can request a printout he has to sign in to the printer with his username and password. Since it is very annoying to sign in for every printout, users can register their ID cards or special printing cards to speed up the output process. As a fallback, e.g. if the user has forgotten his ID card, signing in with username and password remains possible.

Figure: Secure Printing Threat Model

If a user requests a printout, he places his ID card on the card reader attached to the printer. The built-in Authentication Manager (AM) sends an Authentication Request [1] to the Authentication and Authorization Manager (AAM). The AAM checks against the Active Directory whether the user is valid [2] and against the ID-Card Database [3] whether the ID card is valid and registered. Upon successful authentication the AM notifies [4] the Print Manager (PM). The PM on the printer retrieves the list of the user’s print jobs from the Print Service and prints the selected jobs, or all of them.

This works perfectly. And since every document is cached by the print service and sent to a printer only on request, users can request printouts on any printer attached to the secure printing system.

Unfortunately documents cannot be output when the network connection to, e.g., the Authentication and Authorization Manager is not available. And this is a real disaster!

To boost availability the secure print system suppliers introduced the local credential cache [7]. After a successful sign-in to the printing system the user’s credentials and badge number [6] are cached in the printer. If the connection to the AAM service is down, the system authenticates the user against the locally cached credentials. Great!

But with the local credential cache the suppliers built a weakness into the system. If a terminated employee could disrupt the network connection to the AAM, he could still use the secure printing system with the credentials stored on the printer.

To securely terminate an employee you need to disable his ID card and his Active Directory account immediately. This makes sure that he can no longer access the secure printing system.

In addition you should clear the user’s credentials from every printer he used for secure printing, to make sure that he cannot access the secure print system in the case of a system failure.

At this point at the latest, a risk evaluation makes sense. Under normal conditions it is very unlikely that an employee without administrative privileges could disrupt the connection to the AAM. Thus the risk that an employee without administrative privileges can exploit this weakness is low.

But it is necessary to check the workflows for terminating employees. Since an employee can reach the secure print system by logging in with his username and password, it is very important to disable the account immediately. This prevents unauthorized access.
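To make the weakness and the off-boarding steps concrete, here is a small model of the flow described above. It is an added example written for this post, not vendor code; the class names, the `purge_user` step and the cache expiry (TTL) policy are my own assumptions, and the user, badge number and timings are constructed.

```python
# Added example (not vendor code): a model of the secure-print authentication
# flow with a local credential cache, showing why off-boarding must also purge
# the printer-side cache. Class names, purge_user and the TTL are assumptions.
from dataclasses import dataclass, field


@dataclass
class AuthorizationManager:
    """Central AAM: checks Active Directory [2] and the ID-card database [3]."""
    ad_enabled: dict            # username -> account enabled?
    id_cards: dict              # badge number -> username
    online: bool = True

    def authenticate_badge(self, badge: str):
        if not self.online:
            raise ConnectionError("AAM unreachable")
        user = self.id_cards.get(badge)
        return user if user is not None and self.ad_enabled.get(user) else None


@dataclass
class Printer:
    """Authentication Manager on the printer with its local credential cache [7]."""
    aam: AuthorizationManager
    cache_ttl: float = 8 * 3600                  # assumption: entries expire after a shift
    cache: dict = field(default_factory=dict)    # badge -> (username, cached_at)

    def request_printout(self, badge: str, now: float):
        """Return (username, source); username is None when access is denied."""
        try:
            user = self.aam.authenticate_badge(badge)
        except ConnectionError:
            # Fallback: the cache is trusted only within its TTL.
            entry = self.cache.get(badge)
            if entry is not None and now - entry[1] <= self.cache_ttl:
                return entry[0], "cache"
            return None, "cache"
        if user is None:
            self.cache.pop(badge, None)          # a rejected badge must not stay cached
        else:
            self.cache[badge] = (user, now)      # [6] cache credentials for offline use
        return user, "aam"

    def purge_user(self, username: str) -> int:
        """Off-boarding step: remove every cached entry of a user. Returns the count."""
        stale = [b for b, (u, _) in self.cache.items() if u == username]
        for b in stale:
            del self.cache[b]
        return len(stale)


def offboarding_scenario(purge_printer_cache: bool, hours_after: float = 1.0):
    """Terminate 'alice', then cut the AAM connection. All data is constructed."""
    aam = AuthorizationManager(ad_enabled={"alice": True}, id_cards={"0042": "alice"})
    printer = Printer(aam)
    t0 = 0.0
    assert printer.request_printout("0042", t0) == ("alice", "aam")   # normal print, now cached
    # Termination: disable the AD account and the ID card at the AAM ...
    aam.ad_enabled["alice"] = False
    del aam.id_cards["0042"]
    # ... and, optionally, clear the printer-side cache as well.
    if purge_printer_cache:
        printer.purge_user("alice")
    aam.online = False   # the weakness: the connection to the AAM is disrupted
    return printer.request_printout("0042", t0 + hours_after * 3600)


if __name__ == "__main__":
    print("without purge:", offboarding_scenario(False))                  # ('alice', 'cache')
    print("with purge:   ", offboarding_scenario(True))                   # (None, 'cache')
    print("after TTL:    ", offboarding_scenario(False, hours_after=9))   # (None, 'cache')
```

Without the purge step the terminated user still prints from the cache while the AAM is unreachable; with the purge, or once the cached entry has expired, access is denied. The TTL is the second safety net for printers that the off-boarding workflow misses.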

If you have already introduced a secure printing system, I strongly recommend restarting the risk evaluation process for your printing system and checking the processes for terminating employees.

Don’t panic…

… and have a good weekend.

An ISO 27001 Certification is worth every dollar

15 May 2015

Some weeks ago I took part in an ISO 27001 Foundation training. The students were all IT professionals, some of them involved in certification projects. Many of them complained about the high effort in getting certified.

Certification is often seen as a pure cost factor, in particular information asset classification. But once you have identified and classified the information assets, the entire organization can start working smarter. Let me illustrate this with two examples.

Since you know exactly who is responsible for an information asset, you know the information owner and who is able to grant access to an asset if required. The onboarding process for employees is simplified because access to the relevant information assets can be granted based on the job description. The same is true for the offboarding process or the transfer of employees.

Your IT organization knows exactly what information assets are stored and processed on what IT systems. In the case of a new vulnerability you know exactly what systems have to be patched first. Thus IT organizations could focus again on their primary role as business enabler.

From my point of view an ISO 27001 certification is worth every dollar. It’s just a question of the right marketing…

Have a good day.

How to mitigate Drive-by-Download Attacks

24 January 2014

Bad news for Adobe Flash Player users. A new critical vulnerability (CVE-2015-0311) was found in Adobe Flash Player 16.0.0.28… Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

In the Adobe Security Bulletin we read ‘We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below.’

Drive-by-download (DbD) attacks are a frequently used technique for exploiting vulnerabilities in programs. In his post ‘How malware works: Anatomy of a drive-by download web attack’ John Zorabedian from SOPHOS gives a detailed description of how DbD attacks work.

The shocking fact is: It’s not even necessary to click a link on the malicious site. If you just load the site the malware download could start, automatically and silently in the background.

The good news is that we can almost completely deactivate this behaviour, without a considerable loss of convenience. The Security Technical Implementation Guide (STIG) for Internet Explorer 11 shows the direction.

STIGs are primarily used to secure the information systems of the Department of Defense, but this should not deter us from using STIGs to secure our systems at home, and of course in our businesses.

STIGs are available from http://www.stigviewer.com/stigs for operating systems, web servers, databases and applications. They are an excellent means of securing devices that are connected to the internet against malicious attacks. But be aware that 100% safety cannot be achieved.

Applying STIGs to Microsoft operating systems and applications is very easy if you are familiar with the registry editor regedit.exe and the local group policy editor gpedit.msc. Since only standard Windows security options are used, the recommended settings can be applied to all computers.

Back to the Drive-by-Download attacks. To prevent DbD attacks we have to configure Internet Explorer such that downloads not consented to by the user are blocked. Sounds easy, doesn’t it? We just have to work through the STIG for Internet Explorer 11 and implement the relevant fixes:

Step 1: Block non user-initiated file downloads

The DoD requirements block unconsented downloads from the Restricted Sites Zone and the Internet Zone. Since I would not trust computers in the local network either, I strongly recommend blocking unconsented downloads from all zones.

Implement at least the Fixes from Finding IDs V-46705 and V-46643

Step 2: Block non user-initiated file downloads for Internet Explorer Processes

Implement Fixes from Finding IDs V-46779 and V-46781

Step 3: Enforce Protected Mode

Protected Mode protects Internet Explorer from exploited vulnerabilities by reducing the locations Internet Explorer can write to in the registry and the file system. I would recommend to enforce protected mode for all zones.

Implement at least Fixes from Finding IDs V-46685 and V-46681

Step 4: Enforce Enhanced Protected Mode on 64 bit Windows Systems

Implement Fix from Finding ID V-46987
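The four steps above correspond to a handful of policy registry values, so they can be audited instead of being clicked through in gpedit.msc. The following script is an added example, not part of the STIG or of any Microsoft tooling. The registry snapshot format (a dict of key path to value name/data) and the two sample snapshots are constructed; the mapping of the steps to the zone settings `2300` (automatic prompting for file downloads) and `2500` (Protected Mode), to `FEATURE_RESTRICT_FILEDOWNLOAD` and to `Isolation`/`Isolation64Bit` is my own reading of the standard IE policy locations and should be confirmed against the STIG text for each Finding ID.

```python
# Added example (not from the STIG or Microsoft): audit the four steps above
# against a registry snapshot. Snapshot format and sample data are constructed;
# the step-to-value mapping is the author's assumption, to be confirmed per STIG.
ZONES_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
IE_MAIN = r"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main"
RESTRICT_FILEDOWNLOAD = IE_MAIN + r"\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD"

ZONE_NAMES = {1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
AUTO_PROMPT_DOWNLOAD = "2300"   # zone setting "Automatic prompting for file downloads"
PROTECTED_MODE = "2500"         # zone setting "Turn on Protected Mode"
ENABLE, DISABLE = 0, 3
IE_PROCESSES = ("iexplore.exe", "explorer.exe")


def audit_ie_download_settings(registry: dict, zones=(1, 2, 3, 4)) -> list:
    """Return a list of findings; an empty list means all four steps are in place."""
    findings = []
    for zone in zones:
        values = registry.get(f"{ZONES_KEY}\\{zone}", {})
        if values.get(AUTO_PROMPT_DOWNLOAD) != DISABLE:
            findings.append(f"Step 1: automatic prompting for file downloads is not "
                            f"disabled in zone {zone} ({ZONE_NAMES[zone]})")
        if values.get(PROTECTED_MODE) != ENABLE:
            findings.append(f"Step 3: Protected Mode is not enforced in zone {zone} "
                            f"({ZONE_NAMES[zone]})")
    feature = registry.get(RESTRICT_FILEDOWNLOAD, {})
    for process in IE_PROCESSES:
        if feature.get(process) != 1:
            findings.append(f"Step 2: FEATURE_RESTRICT_FILEDOWNLOAD is not set for {process}")
    main = registry.get(IE_MAIN, {})
    if main.get("Isolation") != "PMEM":
        findings.append("Step 4: Enhanced Protected Mode is not turned on")
    if main.get("Isolation64Bit") != 1:
        findings.append("Step 4: 64-bit tab processes for Enhanced Protected Mode are not turned on")
    return findings


# Constructed snapshot 1: only the DoD minimum (Internet and Restricted Sites
# zones) has been applied, and Enhanced Protected Mode is still off.
DOD_MINIMUM = {
    f"{ZONES_KEY}\\3": {AUTO_PROMPT_DOWNLOAD: DISABLE, PROTECTED_MODE: ENABLE},
    f"{ZONES_KEY}\\4": {AUTO_PROMPT_DOWNLOAD: DISABLE, PROTECTED_MODE: ENABLE},
    RESTRICT_FILEDOWNLOAD: {"iexplore.exe": 1, "explorer.exe": 1},
    IE_MAIN: {},
}

# Constructed snapshot 2: all zones hardened as recommended in this post.
ALL_ZONES = {
    **{f"{ZONES_KEY}\\{z}": {AUTO_PROMPT_DOWNLOAD: DISABLE, PROTECTED_MODE: ENABLE}
       for z in (1, 2, 3, 4)},
    RESTRICT_FILEDOWNLOAD: {"iexplore.exe": 1, "explorer.exe": 1},
    IE_MAIN: {"Isolation": "PMEM", "Isolation64Bit": 1},
}

if __name__ == "__main__":
    for name, snapshot in (("DoD minimum", DOD_MINIMUM), ("all zones", ALL_ZONES)):
        print(name, "->", audit_ie_download_settings(snapshot) or ["compliant"])
```

On a real machine the snapshot would be read from the policy hive; the point of the function is that the "all zones" recommendation is just the same two zone values applied to zones 1 and 2 as well, which the DoD minimum leaves open.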

That’s it for today. Please keep in mind that 100% safety cannot be achieved, even if you implement all 155 fixes from the IE11 STIG.

Don’t Panic! And have a good weekend.

Sony-pocalypse is still stuck in my mind

13 December 2014

The more technical details about the Sony attack come to light, the more restless I become. Although the attacker delivered a highly sophisticated piece of code, the impact of this attack would not have been so serious without the unintended help of the Sony users and IT groups.

Samuel Gibbs writes in theguardian ‘While security analysts have said that preventing sophisticated and well-funded cyber criminals from breaking into a company is very hard indeed, researchers have criticised Sony Pictures for its poor data security, which allegedly saw login details stored in unencrypted spreadsheets.’

That’s really bad! And particularly critical in the case of functional accounts or global admin accounts.

Another large weak spot, users who work with administrative privileges or accounts, was exploited for the initial attack.

The big question is: How could we make an attacker’s life more difficult?

Just a few suggestions:

  • Never use an account with administrative rights for daily work. This also applies to members of the IT groups. Administrators should work with standard user accounts, and switch to privileged accounts only if required.
  • Never use the same accounts and passwords for the administration of services like email or database server systems and of workstations. Even if a workstation account is compromised, the servers stay safe.
  • Never use the same functional accounts and passwords for workstations and servers. Functional accounts are often used for managing services of third-party vendors, e.g. the anti-malware systems. Unfortunately these accounts must often have administrative privileges. Different accounts and passwords for workstations and servers prevent the spread of malware to servers if, e.g., the workstation account is compromised.
  • Never use the same functional account for multiple services. Mind the isolation principle!
  • Service-specific functional accounts should be defined locally, and only on the systems where the services are hosted.
  • Use only strong passwords with a length of more than 20 characters. For functional accounts in particular this is no problem, because these passwords are not used very often.
  • Decide about implementing Two Factor Authorization.
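The account-isolation rules above can be checked mechanically against an inventory of where each functional account is used. The script below is an added example and not part of the original post; the inventory format, the hosts, services and account names are all made up, and `vault_entry` stands for the password-vault record an account uses, so two accounts that share one entry share a password.

```python
# Added example (not part of the original post): check a constructed account
# inventory against the isolation rules listed above. All names are made up;
# 'vault_entry' identifies the password record an account uses.
from collections import defaultdict

# Constructed inventory: one row per (host, service) an account is used for.
INVENTORY = [
    {"host": "WS-0101",   "role": "workstation", "service": "antimalware-agent", "account": "svc_av",     "vault_entry": "V-1"},
    {"host": "SRV-MAIL1", "role": "server",      "service": "antimalware-agent", "account": "svc_av",     "vault_entry": "V-1"},
    {"host": "SRV-DB1",   "role": "server",      "service": "backup-agent",      "account": "svc_backup", "vault_entry": "V-2"},
    {"host": "SRV-DB1",   "role": "server",      "service": "monitoring-agent",  "account": "svc_backup", "vault_entry": "V-2"},
    {"host": "SRV-WEB1",  "role": "server",      "service": "deploy-agent",      "account": "svc_deploy", "vault_entry": "V-2"},
    {"host": "SRV-WEB1",  "role": "server",      "service": "log-shipper",       "account": "svc_logs",   "vault_entry": "V-3"},
]


def find_account_violations(inventory: list) -> list:
    """Return (rule, subject, detail) tuples for every isolation rule that is violated."""
    roles = defaultdict(set)        # account -> tiers (workstation/server) it is used on
    services = defaultdict(set)     # account -> services it runs
    entries = defaultdict(set)      # vault entry -> accounts sharing that password
    for row in inventory:
        roles[row["account"]].add(row["role"])
        services[row["account"]].add(row["service"])
        entries[row["vault_entry"]].add(row["account"])

    violations = []
    # Rule: the same functional account must not span workstations and servers.
    for account, tiers in sorted(roles.items()):
        if {"workstation", "server"} <= tiers:
            violations.append(("shared-across-tiers", account, "used on workstations and servers"))
    # Rule: one functional account per service (isolation principle).
    for account, svcs in sorted(services.items()):
        if len(svcs) > 1:
            violations.append(("shared-across-services", account, ", ".join(sorted(svcs))))
    # Rule: no password shared between different accounts.
    for entry, accounts in sorted(entries.items()):
        if len(accounts) > 1:
            violations.append(("shared-password", entry, ", ".join(sorted(accounts))))
    return violations


if __name__ == "__main__":
    for rule, subject, detail in find_account_violations(INVENTORY):
        print(f"{rule:24} {subject:12} {detail}")
```

Run against the constructed inventory it flags the anti-malware account that spans both tiers, the backup account that also runs monitoring, and the vault entry reused by two different accounts; the log-shipper account, which is local to one server and one service, is clean.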

That’s it for today, and for this year. I will take a Christmas break.


A merry Christmas to you all
and the best wishes for health, happiness
and prosperity in the New Year.

Microsoft Publishes Critical Vulnerability MS14-066 in Windows SSL Library

15 November 2014

On November 11, 2014 Microsoft published in Security Bulletin MS14-066 a vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability is rated Critical, the CVSS base score is 10 (high).

The good news is: This vulnerability was discovered by Microsoft itself during a proactive security assessment.

The bad news is: Since nearly all Microsoft products that use SSL use the Schannel package, the impact of this vulnerability might be greater than that of the Heartbleed SSL bug.

Although Microsoft published a patch last Tuesday, the November patch day, it will take a long time to patch possibly thousands of systems in a company. But the guys on the dark side will not sleep. It is very likely that exploits will be available on the black market within the next days.

Thus the patching must be addressed strategically. Hopefully you have an up-to-date inventory of your systems. I would start with systems that are exposed to the internet, e.g. external mail servers or web servers. In parallel I would patch all laptops and tablet computers that leave the network. Although it is not very likely that they listen for inbound SSL connections, you should check and patch them. In the next step I would patch all internal servers and the remaining internal clients.

Bon week end!

Figure: Rion-Antirion Bridge, 38°19'11.0"N 21°46'25.2"E

Twitter’s Digits Service Inherently Insecure?

6 November 2014

At first glance Twitter’s Digits authentication service seems to be a major step forward for secure authentication on the web. But if you dig deeper, you find a weakness that cannot be accepted.

Figure: Classic Webshop Model

In the classic web shop model the customer’s username, password and account details are stored in the Shop Customer Database (7). When the customer clicks the checkout button, the mobile app prompts for his username and password (2) and sends an authentication request to the Web Shop Service. The Web Shop Service encrypts or hashes the password and compares (5) it with the password stored in the Shop Customer Database (7).

This is the weak point in those systems. User passwords and account details are stored in some tables inside the database. The security depends only on a password stored in encrypted or hashed form in one of these tables.

If an attacker steals the user’s credentials, e.g. by a phishing attack, there is no way to prevent the attacker from shopping with the stolen credentials. Only with an additional authentication factor, such as a fingerprint in addition to the password, could fraud be prevented.

Twitter’s Digits service seems to eliminate this weakness. Passwords are stored neither in the web shop database (7) nor in the Digits Authentication Service (15). Even usernames are no longer required.

Figure: Web Shop Model with Authentication Provider

Digits is based on the idea that the user’s phone, more precisely the phone number, uniquely identifies the user. The user inputs his phone number (2) into the app (8). The app sends (10) the phone number to the Digits Authentication Service (15) and receives a One-Time Password (11) if the phone is known to the Digits service. The user inputs the One-Time Password (12) which is used (13) for final authentication. Finally the Digits Authentication Service (15) returns an AuthToken and user details to the app. The AuthToken is used for creating the session with the Web Shop Service (9).

Phishing attacks become obsolete because persistent passwords are no longer used or stored. If the network connections between the app (8) and the Digits Authentication Service (15) are secured, this is a very secure method of user authentication.

The first factor in the Two Factor Authentication (TFA) process is the user’s phone number, the second factor is the One-Time Password generated by the Digits service. Sounds really good.

Unfortunately this is a very weak form of Two Factor Authentication. Since the phone number is the sole source of authentication, a lost or stolen device might end in a catastrophe. The passwords used to unlock the devices are as weak as the passwords used for user authentication. And even biometric methods for unlocking, e.g. with fingerprints, are not 100% secure ….

But the worst is yet to come: For the management of risks the TEAM approach is frequently used. TEAM is an acronym for Transfer, Eliminate, Accept or Mitigate the risk.

With Twitter’s Digits service the entire risk is transferred to the customer!

Fortunately it’s easy to convert this weak TFA into a nearly unbreakable TFA. Just add a four- to six-digit PIN (Personal Identification Number) to the One-Time Password.

Figure: Web Shop with Authentication Provider and PIN

But customers are not very enthusiastic about PINs because they are hard to remember. The authentication service provider is not enthusiastic about PIN management because of the increased effort. It’s always a balancing act between convenience and security!

In my opinion Twitter is well advised to enhance the Digits service with a PIN. This will create a real gain in security for the customers and a competitive advantage for Twitter.
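The following model shows the phone-number plus One-Time Password login from the figures, with and without the PIN proposed above. It is an added example for this post and says nothing about Twitter’s actual Digits API or implementation; the class and function names, the phone number, the OTP lifetime and the PIN attempt limit are constructed assumptions.

```python
# Added example (not Twitter's code, not the real Digits API): a model of the
# phone + OTP login with an optional PIN second factor. Phone number, OTP
# lifetime and attempt limit are constructed assumptions.
import hashlib
import hmac
import secrets

OTP_LIFETIME = 120          # seconds an OTP stays valid (assumption)
MAX_PIN_FAILURES = 5        # lock the account after this many wrong PINs (assumption)


class OtpAuthService:
    """Stands in for the Digits Authentication Service (15) in the figures."""

    def __init__(self):
        self.users = {}       # phone -> {"pin": (salt, hash) or None, "failures": int}
        self.pending = {}     # phone -> (otp, expires_at)

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def register(self, phone: str, pin: str = None):
        record = {"pin": None, "failures": 0}
        if pin is not None:                      # PIN is stored salted and hashed
            salt = secrets.token_bytes(16)
            record["pin"] = (salt, self._hash_pin(pin, salt))
        self.users[phone] = record

    def start_login(self, phone: str, now: float):
        """Steps (10)/(11): issue an OTP for a known phone; it would be sent by SMS."""
        if phone not in self.users:
            return None
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[phone] = (otp, now + OTP_LIFETIME)
        return otp

    def finish_login(self, phone: str, otp: str, now: float, pin: str = None):
        """Step (13): verify the OTP (and the PIN, if enrolled); return an AuthToken or None."""
        record = self.users.get(phone)
        pending = self.pending.get(phone)
        if record is None or pending is None:
            return None
        issued_otp, expires_at = pending
        if now > expires_at or not hmac.compare_digest(issued_otp, otp):
            return None
        if record["pin"] is not None:
            if record["failures"] >= MAX_PIN_FAILURES:
                return None                      # locked out after too many wrong PINs
            salt, stored = record["pin"]
            if not hmac.compare_digest(self._hash_pin(pin or "", salt), stored):
                record["failures"] += 1
                return None
            record["failures"] = 0
        del self.pending[phone]                  # an OTP is single-use
        return secrets.token_urlsafe(32)         # AuthToken for the web shop session (9)


def stolen_phone_scenario(pin_enrolled: bool):
    """Someone holding the victim's unlocked phone also reads the OTP. Constructed."""
    service = OtpAuthService()
    service.register("+15550100", pin="4711" if pin_enrolled else None)
    otp = service.start_login("+15550100", now=0.0)
    # Without a PIN the phone alone suffices; with a PIN a wrong guess is rejected.
    return service.finish_login("+15550100", otp, now=5.0, pin="0000" if pin_enrolled else None)


def replay_scenario():
    """A used OTP cannot be reused, and an expired OTP is rejected."""
    service = OtpAuthService()
    service.register("+15550100", pin="4711")
    otp = service.start_login("+15550100", now=0.0)
    first = service.finish_login("+15550100", otp, now=5.0, pin="4711")
    second = service.finish_login("+15550100", otp, now=6.0, pin="4711")
    otp2 = service.start_login("+15550100", now=100.0)
    expired = service.finish_login("+15550100", otp2, now=100.0 + OTP_LIFETIME + 1, pin="4711")
    return first is not None, second is None, expired is None
```

The scenario functions return a token (or `None`), so the difference between the two models is visible directly: with only the phone number as factor, whoever holds the device gets a session; with the PIN enrolled, the device alone is not enough, and the attempt counter keeps the four to six digits from being guessed at leisure.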

Never use the same PIN twice!

Software manufacturers have no sense for IT security – Part II

23 October 2014

Sometimes malware protection software works too well. I found some emails with malicious executables, disguised as PDF files, as attachments in my junk-mail folder. Unfortunately the anti-malware system had removed the attachments and replaced them with their filenames.

Some weeks ago a new kind of malware that resides solely in the registry was in the news. To implant Poweliks, attackers must exploit a vulnerability in the system and the good faith of the users. PDF or RTF documents with embedded malicious code are very often used to start the attack.

Just why is Adobe Reader such a popular tool for attackers?

Adobe Reader is very popular for viewing PDF documents, and very notorious for its vulnerabilities. The list of known vulnerabilities published in the National Vulnerability Database is really long, and some of them are perfectly suited to implanting malware. By the way, Adobe Flash Player is as popular with attackers as Adobe Reader, and its list of vulnerabilities is of comparable size.

Fortunately advanced security options like a sandbox are available to defend against malicious attacks, but these are not activated during a standard installation. Even for enterprise users the standard installation procedure must be pre-configured.

I can’t find a reason why Adobe does not install the Reader with advanced security options enabled by default. Apparently, Adobe is not interested in protecting the privacy and security of their customers.

Fortunately the National Checklist Program Repository provides ‘detailed low level guidance on setting the security configuration of operating systems and applications’.

For Acrobat Reader X a checklist is available which can easily be adapted to Acrobat Reader XI. Although this checklist is meant for pre-configuring installation packages, the configuration hints can be used to secure existing installations as well:

Navigate to menu Edit/Preferences.

In category General, section Application Startup, activate the option Use only certified plug-ins.

In category Security (Enhanced) set the protection options as described below:

Figure: Adobe Reader Enhanced Security Settings

[1] Enable sandboxing for all files

[2] Enable Enhanced Security

[3] Disable all Privileged Locations.

Although this sounds somewhat paranoid, viewing PDF files is much more secure now. A PDF file is now opened in a sandbox running at the lowest integrity level. Most features are disabled by default, but can be enabled with just one click.

Enjoy!

A brief introduction to Trusteer Apex Advanced Malware Protection

18 October 2014

The Trusteer approach to malware protection could be ground-breaking in the defence against zero-day exploits and phishing attacks.

Trusteer analysed millions of applications exposed to the Internet and created lists of valid application states and operations in a database.

For example, saving a web page to OneNote is a legitimate operation when it is run from a process created by the user. In this case the Windows Explorer is the so-called parent process. If this operation is performed by an Internet Explorer process that has no valid parent process, it is very likely that a malicious operation is being executed.

A watchdog process monitors the applications exposed to the Internet. If an application executes a sensitive operation, the watchdog process checks its database and approves the operation if it is valid. Invalid operations are rejected.
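A toy version of this parent-process check, as an added example that is not Trusteer’s code and says nothing about how Apex stores or evaluates its database: a constructed process table, a small policy of which parent an image must have before it may perform a sensitive operation, and the watchdog decision. The operation names, the policy and all process entries are made up.

```python
# Added example (not Trusteer code): a toy "valid application state" check.
# Process table, operation names and policy are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int
    image: str


# Policy (assumption): for a sensitive operation, the listed image must have been
# started, directly or indirectly, by one of the allowed parents. Saving to OneNote
# from iexplore.exe is fine when the user started the browser from Windows Explorer;
# writing to the Startup folder from a browser or Word is never legitimate here.
POLICY = {
    "save_to_onenote": {"iexplore.exe": {"explorer.exe"}},
    "write_startup_folder": {"iexplore.exe": set(), "winword.exe": set()},
}


def ancestors(pid: int, table: dict) -> list:
    """Image names of the parent chain, nearest parent first; stops at a missing pid."""
    chain, seen = [], set()
    proc = table.get(pid)
    while proc is not None and proc.ppid not in seen:   # 'seen' guards against pid cycles
        seen.add(proc.ppid)
        proc = table.get(proc.ppid)
        if proc is not None:
            chain.append(proc.image)
    return chain


def approve(pid: int, operation: str, table: dict) -> bool:
    """Watchdog decision: True if the operation is permitted for this process."""
    proc = table.get(pid)
    if proc is None or operation not in POLICY:
        return False                     # unknown actor or unknown operation: reject
    rule = POLICY[operation]
    if proc.image not in rule:
        return True                      # the operation is only sensitive for listed images
    allowed_parents = rule[proc.image]
    return any(parent in allowed_parents for parent in ancestors(pid, table))


# Constructed process table: pid 4 was started from Explorer, pid 5 has no living
# parent (orphaned), pid 6 was spawned by a script host.
TABLE = {p.pid: p for p in [
    Process(1, 0, "wininit.exe"),
    Process(2, 1, "explorer.exe"),
    Process(3, 1, "wscript.exe"),
    Process(4, 2, "iexplore.exe"),
    Process(5, 99, "iexplore.exe"),
    Process(6, 3, "iexplore.exe"),
]}

if __name__ == "__main__":
    for pid in (4, 5, 6):
        print(pid, ancestors(pid, TABLE), "->", approve(pid, "save_to_onenote", TABLE))
```

The browser started from Explorer is approved, the orphaned one and the script-spawned one are rejected, and the Startup-folder write is refused regardless of parent. A real product has to deal with far more than the parent chain (the post mentions application states and the update channel for the database), but the decision shape is the same.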

Brilliant idea! A watchdog process that checks the state of an application. I would love to have this for my Windows Phone. The ‘Here Drive+’ app sometimes hangs, in particular in foreign cities when you need it the most. A watchdog process could check the state and restart the process in such cases. This would be very helpful.

For more details about Trusteer Apex see the Trusteer Apex Product Flyer.

Unfortunately there are some minor flaws.

Trusteer Apex monitors only applications exposed to the Internet like browsers, Java applets, Flash Player or Office applications. Although the technology could also be used for protection against traditional malware like computer viruses, the product does not support this.

This means that Trusteer Apex is only useful in addition to traditional security products like an antivirus product.

Remember that every additional product increases the attack surface of your computer or network. It is not only the continuous patching to mitigate known vulnerabilities. Trusteer Apex, for example, receives application state updates across the internet, which could be tampered with by an attacker. Moreover, the Trusteer computer scientists get their raw data from millions of computers operating in untrusted networks. If an attacker tampers with some raw data and masks malicious states as valid, the entire installed base could be compromised.

These are the first signs of paranoia. I’m definitely doing too much threat modelling at the moment. But remember the words of Sigmund Freud:

‘The paranoid is never entirely mistaken.’

Just think of the impact of an attack against the master pattern database of a well-known provider of anti-malware software…

Don’t Panic!!

Software manufacturers have no sense for IT security

27 September 2014

Manufacturers of scientific software can make one’s life really hard. For the convenience of their own business they give detailed specifications of the software versions required to operate their software, e.g. Apache HTTP server version 2.4.2, Tomcat version 7.0.12, Java Version 1.6, Oracle 11.2.0.4 Patchlevel 8 for a 3-tier application. In the worst case they will not offer support if discrepancies are found.

In effect, you have to freeze the system and hope for the next patch or minor release before you can install urgently needed security patches to the operating system, HTTP service, middleware, etc.

Unfortunately the attack surface of a company increases when unpatched systems and applications are operated inside the company network.

Figure: Hilbert curve, first order. Source: Wikipedia

In a well-protected IT system, where all known vulnerabilities are mitigated, the attack surface could be visualized as a first order Hilbert curve. This is a curve of limited length. Everything’s under control, the CIO isn’t losing any sleep over the matter.

Figure: Hilbert curve, first and second order. Source: Wikipedia

Adding an unpatched application system to your network may result in a Hilbert curve of second order.

Figure: Hilbert curve, sixth order. Source: Wikipedia

Usage of default passwords for your database and file servers could be visualized as Hilbert curve of third order. Operation of lots of unpatched application systems may result in a Hilbert curve of sixth order.

This is a beautiful picture, but the message is clear: Nothing’s under control in this environment.

By adding these vulnerabilities the attack surface, i.e. the length of the Hilbert curve, has increased significantly. And the CIO suffers from sleeplessness.

I often hear from application operators: Don’t panic! Everything will go well because ultimately we run the systems inside the company network. People from Cologne would say ‘Et hätt noch emmer joot jejange!’ (‘It has always turned out fine so far!’, Constitution of Cologne, Paragraph 3)

Sadly, I can’t share this view. Remember the latest security breach of the Healthcare.gov website. It took a month until the intrusion was detected. This was enough time to attack other systems inside the network. And unpatched systems, which are built upon open source software, are truly worthwhile targets.

In my opinion, software manufacturers must build their software such that the dependencies on the underlying software systems are minimized. This will give us the opportunity to mitigate vulnerabilities shortly after they are published.

Moreover, this will cut costs because we do not have to operate such systems in very special security islands.

Have a good weekend.

All Pictures: Source Wikipedia, Hilbert curve