<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Kirt Cathey, NH2GX, JG1FXZ &#187; Security</title>
	<atom:link href="http://www.sysrisk.com/?feed=rss2&#038;tag=security" rel="self" type="application/rss+xml" />
	<link>http://www.sysrisk.com</link>
	<description>Security, Electronics, and Tech from Japan</description>
	<lastBuildDate>Sat, 04 Sep 2010 01:38:32 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Is It Time To Start Blocking All China IPs?</title>
		<link>http://www.sysrisk.com/?p=566</link>
		<comments>http://www.sysrisk.com/?p=566#comments</comments>
		<pubDate>Sat, 04 Sep 2010 01:38:32 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[OS]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[WorkPapers]]></category>
		<category><![CDATA[セキュリティ]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[IP]]></category>
		<category><![CDATA[workpapers]]></category>
		<category><![CDATA[workpapers.pro]]></category>

		<guid isPermaLink="false">http://www.sysrisk.com/?p=566</guid>
		<description><![CDATA[And I'm not kidding.... I did a clean OS and web server install last week for the new web site on WorkPapers.Pro  (getting ready for an upcoming software update and September 1 press release), so about one week later, like a good admin, I thought it was time to sip some coffee and go through the authorization logs.]]></description>
			<content:encoded><![CDATA[<p>And I&#8217;m not kidding&#8230;. I did a clean OS and web server install last week for the new web site on <a title="WorkPapers.Pro Web Site" href="http://workpapers.pro" target="_self">WorkPapers.Pro</a> (getting ready for an upcoming software update and September 1 press release), so about one week later, like a good admin, I thought it was time to sip some coffee and go through the authorization logs.<br />
There were the usual Eastern European and former Soviet bloc IPs, so I blocked those, then there were a couple out of the US, so I blocked those IPs. You&#8217;d think that I would follow up on the US IPs these days, but understanding that most people who are hacked don&#8217;t know that their machine is a launchpad in the first place, I let it go.</p>
<p>Then I get down to Aug. 31 and later and I block IPs that were rogue attempts through this morning from the following:<br />
<strong>IP Address:</strong> 202.117.3.30<br />
<strong>Host Name:</strong> 3h30.xjtu.edu.cn<br />
<strong>City:</strong> XIAN<br />
<strong>Region/State:</strong> SHAANXI<br />
<strong>Postal Code:</strong> -<br />
<strong>Country Name:</strong> CHINA<br />
<strong>Country Code:</strong> CN<br />
<strong>Time Zone:</strong> +08:00<br />
<strong>ISP:</strong> XIAN JIAOTONG UNIVERSITY<br />
<strong>Latitude:</strong> 34.26<br />
<strong>Longitude:</strong> 108.936<br />
<strong>Domain Name:</strong> XJTU.EDU.CN<br />
<strong>Net Speed:</strong> DSL<br />
<strong>IP Decimal:</strong> 3396666142<br />
I block the IP above, then start monitoring logins in real time and see this guy/gal is still at it. I block the IP above, then I get another set of attempts from the same subnet 202.117.4&#8230;.. I block out the whole 202.117.3 subnet, then .4, then another set of attempts from .5!!! By this point&#8230;. I think, &#8216;heck, my web application is not in the Chinese language. Why not block all of China?&#8217; I fell way short of that drastic act, but noticed that after I blocked the whole 202.117 range, everything settled down.<br />
On, on! Gonna go get a workout, then prepare for a WorkPapers.Pro update scheduled for tomorrow night. This one will include some more data export formats and (hopefully&#8230; still testing) a reporting module.</p>
<p>However, before doing anything, I am going to re-enable the login failure auto-lockout script again.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sysrisk.com/?feed=rss2&amp;p=566</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Accent Zip Password Recovery &#8211; A Career-Saver</title>
		<link>http://www.sysrisk.com/?p=535</link>
		<comments>http://www.sysrisk.com/?p=535#comments</comments>
		<pubDate>Sun, 04 Jul 2010 18:01:10 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[Consulting]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Rogue Devices]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[WWW]]></category>
		<category><![CDATA[セキュリティ]]></category>
		<category><![CDATA[Accent tech]]></category>
		<category><![CDATA[password recovery]]></category>
		<category><![CDATA[zip password]]></category>

		<guid isPermaLink="false">http://www.sysrisk.com/?p=535</guid>
		<description><![CDATA[The fine folks over at passwordrecoverytools.com  sent a request for an evaluation about four months ago, and as I was ensconced in a plethora of security work and programming, I never had a chance to test the tool for a good writeup. That was, until I decided to go on vacation last week and a client sent a password protected zip file without forwarding the password! ]]></description>
			<content:encoded><![CDATA[<p>The fine folks over at <a title="Password Recovery Tools" href="http://www.passwordrecoverytools.com/winzip-aes.asp" target="_blank">passwordrecoverytools.com</a> sent a request for an evaluation about four months ago, and as I was ensconced in a plethora of security work and programming, I never had a chance to test the tool for a good writeup. That was, until I decided to go on vacation last week and a client sent a password protected zip file without forwarding the password! That same client has decided that since I am on vacation, that my emails are not worth responding to! Hmmm&#8230;. Hahhhh! (small bellows of smoke roll out from the ears)<br />
Well, the password was recovered in all of ten minutes. Five minutes to boot up Parallels (only have my Mac here) and install <a title="Accent Zip Password Recovery" href="http://www.passwordrecoverytools.com/winzip-aes.asp" target="_blank">Accent Zip Password Recovery</a>, and another five minutes to figure out the program.<br />
Overall, the program works fast and, as interfaces go, is fairly intuitive. I am going to definitely give this tool another run when I find a client relying on WinZip passwords for file transfer. Also, there are many other password recovery tools at the same site for MS Office (including individual licenses for Excel and Word), MS Access, and MS Money &#8211; all a good tool chest for a security auditor that wants to prove a point about the reliability of these built-in password mechanisms. Although I did not have to use it, the advanced dictionary features on this software make it even more useful for security testing. For a security testing professional, no password tool passes muster without custom dictionary capability.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sysrisk.com/?feed=rss2&amp;p=535</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>WorkPapers Software, Java, Google Web Toolkit, and DMCA</title>
		<link>http://www.sysrisk.com/?p=514</link>
		<comments>http://www.sysrisk.com/?p=514#comments</comments>
		<pubDate>Wed, 24 Mar 2010 07:35:26 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[Consulting]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[security metrics]]></category>
		<category><![CDATA[ガバナンス]]></category>
		<category><![CDATA[セキュリティ]]></category>
		<category><![CDATA[メトリク]]></category>
		<category><![CDATA[監査]]></category>
		<category><![CDATA[Active Directory]]></category>
		<category><![CDATA[AD]]></category>
		<category><![CDATA[AD analysis]]></category>
		<category><![CDATA[Audit Software]]></category>
		<category><![CDATA[IAM]]></category>
		<category><![CDATA[IDM]]></category>
		<category><![CDATA[Java]]></category>
		<category><![CDATA[JNDI]]></category>
		<category><![CDATA[programming]]></category>
		<category><![CDATA[Working Papers]]></category>
		<category><![CDATA[workpapers]]></category>

		<guid isPermaLink="false">http://www.sysrisk.com/?p=514</guid>
		<description><![CDATA[Hi All!! Still alive and kicking. Been a couple weeks since the last posting but have been hard at work putting together another platform iteration of WorkPapers software. So far, I have created the audit working papers management software solution in Cocoa and RealBasic, so this time around thought I would try one more iteration [...]]]></description>
			<content:encoded><![CDATA[<p>Hi All!! Still alive and kicking. Been a couple weeks since the last posting but have been hard at work putting together another platform iteration of WorkPapers software. So far, I have created the audit working papers management software solution in Cocoa and RealBasic, so this time around thought I would try one more iteration in Java and Ajax. For more information about <a href="http://www.sysrisk.com/?page_id=2" target="_self">WorkPapers</a>, please see the <a title="Kirt Cathey's Projects" href="http://www.sysrisk.com/?page_id=2" target="_self">projects page</a> on this web site. This will give a cross-platform solution that will sync with a web-based Ajax interface&#8230; sexy! So now that I am in advanced stages of this programming iteration, I thought I would shop around for yet another domain name to host the software on. One of the domain names I searched revealed an imposter that states the product is still in development! Whoever decided to use the name must have thought of it, then said, &#8216;Yeah, that&#8217;s an awesome name!&#8217;. Then proceeded to use it without searching or anything. I have not submitted links for it in three or four years as I have a user following, and still get number four or five on Google. What were they thinking? I know what I&#8217;m thinking&#8230; stop using my name or get ready to offer a serious cut!<br />
I have used the &#8216;WorkPapers&#8217; name for software since 2003, so whoever is out there trying to use my name will have a hard time collecting money for it free-and-clear because I have every intention of protecting the name&#8230;. that&#8217;s where DMCA fits into the title. Been learning a bit about that and also that it applies to trademarks too! Also, learned that a copyright and trademark right can be very well enforced even if they are not registered, and furthermore, even if somebody manages to register the trademark after you have used a name. I really hope all is settled amicably.</p>
<p>Along with my job as a security practitioner, I have been looking into developing domain analysis tools (especially AD) with Java and came by <a title="AD and Java Links " href="http://jeftek.com/222/using-java-code-with-active-directory/" target="_blank">this link </a>that outlines all the resources from <span style="text-decoration: line-through;">Sun</span> Oracle that outline how to use the JNDI framework for AD analysis. Good stuff for the hands-on types!<br />
Enjoy&#8230;. 73s.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sysrisk.com/?feed=rss2&amp;p=514</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Next Wave &#8211; Preventive Security and Statisticians</title>
		<link>http://www.sysrisk.com/?p=500</link>
		<comments>http://www.sysrisk.com/?p=500#comments</comments>
		<pubDate>Sun, 07 Mar 2010 04:05:11 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[Consulting]]></category>
		<category><![CDATA[Governance]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Japan]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[security metrics]]></category>
		<category><![CDATA[ガバナンス]]></category>
		<category><![CDATA[セキュリティ]]></category>
		<category><![CDATA[メトリク]]></category>
		<category><![CDATA[監査]]></category>
		<category><![CDATA[metrics]]></category>
		<category><![CDATA[networks]]></category>
		<category><![CDATA[preventive security]]></category>

		<guid isPermaLink="false">http://www.sysrisk.com/?p=500</guid>
		<description><![CDATA[Over the past couple of days I have concluded that enough (bad) breath has been spent ranting about how system and security auditors really are missing the mark. However, one cannot reasonably just point a finger in one direction - it takes two to tango, so it is now time to point out what CIOs and administrators of secure environments should start to consider in order to prevent incidents. And along the way add a rant or two about how the average CIO is (too) an administrative paper-pushing, policy guru that does not really have real systems administration experience - most come from a consulting background and have not had to own a system for more than a year.]]></description>
			<content:encoded><![CDATA[<p>Over the past couple weeks I have concluded that enough (bad) breath has been spent ranting about how system and security auditors really are missing the mark. However, one cannot reasonably just point a finger in one direction &#8211; it takes two to tango, so it is now time to point out what CIOs and administrators of secure environments should start to consider in order to prevent incidents. And along the way add a rant or two about how the average CIO (too) is an administrative paper-pushing, policy guru that does not really have real systems administration experience &#8211; most come from a consulting background and have not had to own a system for more than a year, and have never even had hands-on experience. Even more amazing, and I see this all the time when we go to propose on PCI projects, is the number of CIOs that really do not know their network architecture. Just as a CPA is now required on the board of every corporation as a result of SOX, a CIO with a minimum certification should be required for enterprises greater than a certain size.</p>
<p>Okay, okay, will hold back on ranting before covering some of the things that are really informative&#8230;</p>
<p>First, <a title="FBI Director... Network World Article" href="http://www.networkworld.com/news/2010/030510-fbi-director-hackers-have-corrupted.html" target="_self">this article</a> from Network World goes into some detail about how &#8220;the hackers&#8221; (from China) managed to get into source code repositories and transfer code over Google&#8217;s own WAN to sites in China, then successfully transferred the code via local connections. Does anybody besides me think that &#8230; hmmm. Let&#8217;s go first-person: If I was in charge of security at Google &#8211; basically a software company &#8211; wouldn&#8217;t one of my biggest priorities be to make sure the source code management systems were secure? Or, a better idea would be to split security into domains &#8211; internet security for the services offered, development security for source protection, test validation, and release control, then internal security that focuses on internal threats, training, and awareness. Well, it&#8217;s not just Google. A couple other companies &#8211; that should have already learned these lessons in Intel&#8217;s case, and Symantec is in the security business. These companies being this vulnerable and getting taken for loads of source code, or having existing source code changed, should be a bigger shock than the fact that the Chinese government may be backing the whole incident. Where does this take us? Back to the preventive security argument. Preventive security measures would have prevented all (okay, at least most) of this mess point-for-point.</p>
<p>First, training and awareness would have prevented Google employees that were not using Chrome or Firefox from starting Internet Exploder and getting phished in the first place. In this day and age, the targeted attacks use a variety of methods, but the one sure-fire method of late is spear phishing, which is outlined in detail <a title="MS Spear Phishing Article" href="http://www.microsoft.com/uk/protect/yourself/phishing/spear.mspx" target="_self">here</a> and <a title="FBI.gov Spear Phishing Notice" href="http://www.fbi.gov/page2/april09/spearphishing_040109.html" target="_self">here</a>. Our employees and myself have been the target of a couple of these attacks recently. Some of these emails are so well crafted that shivers go up your spine &#8211; they know where you work, functional department, work email, and other details. This is a major upgrade to traditional phishing in the sense that the language is a very fluent, official English and unless you are careful, can be convincing. In my case, the attacker knew that I could read Japanese and sent a rather fluent Japanese message with a fluent English follow-up a day later. This level of awareness needs to be taught, reminded, posted on corporate internal banners in break rooms, and made a part of a current and ongoing awareness program.</p>
<p>Second, periodic measurement of certain environment variables would have probably picked up on the code transfer across the Google WAN. Generally, IT and security management fails to appropriately manage their environments with appropriate measurement. In fact, most are tied up and pride themselves in their &#8216;management&#8217; and people skills, so don&#8217;t think they should be a part of the measurement process. Knowing the statistics within your environment cannot be understated, or better, knowing what to measure, why to measure, how to measure, and documenting all of the above, combined with the proper analysis, is one of the best preventive security advances in recent history. In other words <a title="Security Metrics Web Site" href="http://www.securitymetrics.org" target="_blank">security metrics</a> may have saved the day here. A couple good security metrics for a security manager in charge of source code are:<br />
1) number of check-ins and check-outs to a CVS system<br />
2) number of check-outs without an associated check-in &#8211; number of outstanding check-outs<br />
3) number of check-outs to foreign (or branch) locations<br />
While all of the above do not address a security vulnerability, such as virus definition update metrics, they do assert a risk disposition for source code control. If you are one of those that are afraid of measurement and statistics, start out slow; go to the security metrics link above, then visit the Carnegie Mellon University open and free courses in the <a title="CMU Open Learning" href="http://oli.web.cmu.edu/openlearning/" target="_blank">Open Learning Initiative</a>. There is a good starter statistics course in there that you could finish in about one to two weeks with just less than an hour a day.<br />
Third, and the most glaring in this whole incident is source encryption and control. In most source code control systems for secure environments, a developer cannot just go to a repository and download a couple gigs of code without some type of higher level authorization. This is so amateur from a security and secure coding perspective that it really begs to be hacked.</p>
<p>Fourth and last, but not least, is the question of whether any of this code was actually deployed with back doors &#8211; release control and code review. This is one of the biggest flaws, if not the biggest, in modern software development. We must have somebody that actually knows, reads, and understands chunks of code have the authorization power to release code into environments. I can safely say that over 80% of the banks operating in Japan (including the foreign multi-nationals) have some schmuck named Handa-san with a CISA certification and a title called Information Risk Manager (IRM) that is in charge of signing off on all test results and code releases. That so-called IRM in most cases has never written a computer program nor could begin to decipher a chunk of code from just about any framework in any language. But he signs his name away and when authorities and auditors ask if there is a sign-off, they get the right answer.<br />
Enough ranting&#8230;&#8230;. Hope you enjoyed or found some insight from the sharing or links. On a personal note&#8230;.<br />
Lately I have been joining a techie group of Japanese for a Sunday night radio show on Radio Tsukuba. Tsukuba University is the MIT equivalent here in Japan, so the audience and participants are as eccentric. The broadcasts are in Japanese and the recordings are <a title="Ibaraki Net Podcasts" href="http://ibnet-fm842.mypodcast.com/" target="_blank">here</a>. The team there has also asked if I can do a three to five minute sideline on technical English or useful English pointers for ham radio operators &#8211; which is what I&#8217;ll start working on in a few minutes&#8230; stay tuned. And comment! Retort! Or express yourself in a non-spam fashion otherwise in the comments!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sysrisk.com/?feed=rss2&amp;p=500</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Increasing Attacks Against Grid Systems</title>
		<link>http://www.sysrisk.com/?p=499</link>
		<comments>http://www.sysrisk.com/?p=499#comments</comments>
		<pubDate>Wed, 24 Feb 2010 00:24:10 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[grid computing]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[Internet]]></category>

		<guid isPermaLink="false">http://www.sysrisk.com/?p=499</guid>
		<description><![CDATA[This article over at Dark Reading brings up an issue that power companies apparently have been denying for a long time. However, those of you who get the weekly SANS newsletter may have seen the sideline from Alan Paller: "The data that will be discussed at the SCADA Security Summit (http://www.sans.org/scada-security-summit-2010/) will make it much harder for EEI to claim it isn't happening." The power companies' spokespersons seem to be in complete denial, but reports are showing over 120 attacks have been carried out against such systems.]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=223000369&amp;cid=RSSfeed" title="Dark Reading Article" target="_blank">This article</a> over at Dark Reading brings up an issue that power companies apparently have been denying for a long time. However, those of you who get the weekly SANS newsletter may have seen the sideline from Alan Paller: &#8220;<font size="2">The data that will be discussed at the SCADA Security Summit (<a href="http://www.sans.org/scada-security-summit-2010/" target="_blank">http://www.sans.org/scada-security-summit-2010/</a>) will make it much harder for EEI to claim it isn&#8217;t happening.&#8221; The power companies&#8217; spokespersons seem to be in complete denial, but reports are showing over 120 attacks have been carried out against such systems.</font></p>
]]></content:encoded>
			<wfw:commentRss>http://www.sysrisk.com/?feed=rss2&amp;p=499</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Saltzer and Schroeder</title>
		<link>http://www.sysrisk.com/?p=496</link>
		<comments>http://www.sysrisk.com/?p=496#comments</comments>
		<pubDate>Tue, 23 Feb 2010 23:09:37 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[Governance]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[ガバナンス]]></category>
		<category><![CDATA[セキュリティ]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[Saltzer]]></category>
		<category><![CDATA[Schroeder]]></category>

		<guid isPermaLink="false">http://www.sysrisk.com/?p=496</guid>
		<description><![CDATA[This is a great article about Saltzer &#038; Schroeder, two 1970's computer security researchers that published this paper. ]]></description>
			<content:encoded><![CDATA[<p><a href="http://emergentchaos.com/the-security-principles-of-saltzer-and-schroeder" target="_blank">This</a> is a great article about Saltzer &amp; Schroeder, two 1970s computer security researchers that published <a href="http://www.ece.rutgers.edu/~parashar/Classes/03-04/ece572/papers/protection.pdf" target="_blank">this paper</a>. The principles in this paper are the most cited in computer security and many apply to secure coding. While many have heard of Saltzer and Schroeder or their basic computer security principles, few actually take the time to read their work.</p>
<p>Enjoy!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sysrisk.com/?feed=rss2&amp;p=496</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twitter Phishing Rampant &#8211; Today&#8217;s Flavor</title>
		<link>http://www.sysrisk.com/?p=470</link>
		<comments>http://www.sysrisk.com/?p=470#comments</comments>
		<pubDate>Sun, 21 Feb 2010 03:21:40 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[WWW]]></category>
		<category><![CDATA[セキュリティ]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://www.sysrisk.com/?p=470</guid>
		<description><![CDATA[The Twitter buzz (<- that's funny) this morning was a bunch of postings about a phishing direct mail that would include a link to bzpharma.net (don't click here if my blog software automatically links!!). ]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;">The Twitter buzz (&lt;- that&#8217;s funny) this morning was a bunch of postings about a phishing direct mail that would include a link to bzpharma.net (don&#8217;t click here if my blog software automatically links!!). When the end-user goes to the site, malicious software is executed that retrieves the user&#8217;s Twitter password, then spams all of their followers with direct messages. Nasty and too bad. I have grown to like Twitter and other similar services as yet another networking medium.</p>
<p style="text-align: left;">After seeing several hundred tweets (I&#8217;m up to 700-plus followers on @sysrisk), lo and behold, I received one too! Here is the pic.<br />
<a href="http://www.sysrisk.com/wp-content/uploads/2010/02/TwitterPhisher.jpg"><img class="aligncenter size-medium wp-image-471" title="Twitter Phishing Email -Twitter Direct Message" src="http://www.sysrisk.com/wp-content/uploads/2010/02/TwitterPhisher-300x211.jpg" alt="" width="300" height="211" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.sysrisk.com/?feed=rss2&amp;p=470</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fight Spam With This Email Signature Image Generator</title>
		<link>http://www.sysrisk.com/?p=451</link>
		<comments>http://www.sysrisk.com/?p=451#comments</comments>
		<pubDate>Thu, 18 Feb 2010 01:51:43 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[セキュリティ]]></category>
		<category><![CDATA[anti-spam]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[webmail]]></category>

		<guid isPermaLink="false">http://www.sysrisk.com/?p=451</guid>
		<description><![CDATA[This is another small step toward fighting spam; especially for users that take advantage of web mail services. ]]></description>
			<content:encoded><![CDATA[<div class="posterous_autopost">
<div class="posterous_bookmarklet_entry">
<div class="posterous_quote_citation"><a href="http://services.nexodyne.com/email/index.php">This</a> is another small step toward fighting spam; especially for users that take advantage of web mail services. Go to the link above and create an image of your email and use this in your signature instead of text. Also, if your provider is not available, click on <a href="http://services.nexodyne.com/email/index_custom.php">this link</a> and select the colors that best match your web site.</div>
<div class="posterous_quote_citation" style="text-align: left;">Enjoy!</div>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.sysrisk.com/?feed=rss2&amp;p=451</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>GMail/Picasa Identity Leakage</title>
		<link>http://www.sysrisk.com/?p=432</link>
		<comments>http://www.sysrisk.com/?p=432#comments</comments>
		<pubDate>Sun, 14 Feb 2010 14:54:40 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[WWW]]></category>
		<category><![CDATA[セキュリティ]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[lifehacker]]></category>
		<category><![CDATA[picasa]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.sysrisk.com/?p=432</guid>
		<description><![CDATA[Be careful when using Picasa and other Google applications with default nickname and web address settings, since the number that Google assigns to your ID in those cases is easily decipherable. The number is just a replacement for your ID and is consistent, not random.]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_434" class="wp-caption aligncenter" style="width: 298px"><a href="http://www.sysrisk.com/wp-content/uploads/2010/02/Mtn_Goat.jpg"><img class="size-medium wp-image-434" title="Wireless Goat" src="http://www.sysrisk.com/wp-content/uploads/2010/02/Mtn_Goat-288x300.jpg" alt="無線ヤギ" width="288" height="300" /></a><p class="wp-caption-text">The local Japanese hams call me wireless goat</p></div><br />
Be careful when using Picasa and other Google applications with default nickname and web address settings, since the number that Google assigns to your ID in those cases is easily decipherable. The number is just a replacement for your ID and is consistent, not random. This is not a new issue; in fact it is rather old, but I still see a lot of Picasa links that have those numbers in them. Without changing the defaults, an attacker can replace the URL in a page with javascript:alert(_user.name) to obtain the relevant ID. Read more in <a href="http://lifehacker.com/5471122/how-a-simple-url-hack-can-expose-your-gmail-address?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+lifehacker%2Ffull+%28Lifehacker%29" target="_blank">this Lifehacker article</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sysrisk.com/?feed=rss2&amp;p=432</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>iPhone Security Becomes Topic At BlackHat</title>
		<link>http://www.sysrisk.com/?p=423</link>
		<comments>http://www.sysrisk.com/?p=423#comments</comments>
		<pubDate>Fri, 12 Feb 2010 03:47:44 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[mobile]]></category>
		<category><![CDATA[セキュリティ]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[proof-of-concept]]></category>

		<guid isPermaLink="false">http://www.sysrisk.com/?p=423</guid>
		<description><![CDATA[Too bad I wasn't there right at the close of the presentation yesterday, but these days I can afford not to ride a plane 13 hours to Washington D.C. At work we performed some in-house reviews of iPhone security about two years ago, accepting some risks over functionality.]]></description>
			<content:encoded><![CDATA[<div class="wp-caption alignleft" style="width: 235px"><a href="http://shoot.ingina.com/"><img title="A Visit To Shinjuku" src="http://shoot.ingina.com/photos/773540939_qyu32-S.jpg" alt="Shinjuku Mitsui Tower" width="225" height="300" /></a><p class="wp-caption-text">Me At Shinjuku Mitsui Tower</p></div>
<p>Too bad I wasn&#8217;t there right at the close of the presentation yesterday, but these days I can afford not to ride a plane 13 hours to Washington D.C. At work we performed some in-house reviews of iPhone security about two years ago, accepting some risks over functionality. However, three different channels of information through personal contacts, web browsing, and work relationships have raised a flag about <a title="Seriot.ch - iphone security research" href="http://seriot.ch/blog.php?article=20091203" target="_blank">this research</a> being performed on iPhone security. The findings revealed in the papers dispute two tenets of iPhone security that have been repeated throughout the past couple of years:</p>
<p style="text-align: left;">1) sandboxing applications so that applications cannot see an adjacent application&#8217;s data<br />
2) kernel, system files, and system resources are shielded from user&#8217;s application space</p>
<p>First reaction is, &#8216;Hmmmmmm&#8230;.. if this researcher is right, then we have a bigger problem.&#8217; The problem gets bigger since we know that exploits are already out there, or are being developed, by the time a researcher announces. Also, the problem gets even bigger because there is <a title="iPhone attack proof-of-concept" href="http://github.com/nst/spyphone/" target="_blank">a proof-of-concept to back up the research available at git</a>.<br />
For more information on the attacks, there are papers and presentations available on the site <a title="iPhone Attack Paper" href="http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf" target="_blank">here for the paper</a>, and <a title="iPhone attack presentation" href="http://seriot.ch/resources/talks_papers/iPhonePrivacySlides.pdf" target="_blank">here for the slides</a>.<br />
Enjoy! Please comment.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.sysrisk.com/?feed=rss2&amp;p=423</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
