Archive for the 'WindowSecurity.com' Category

Oct 30 2007

Profile Image of MuZumbu
MuZumbu

Nessus Security Scanner - Voted WindowSecurity.com Readers’ Choice Award Winner

Filed under WindowSecurity.com

Winner in the Security Scanner Software Category of Readers’ Choice Awards: Nessus Security Scanner

October 30, 2007 – Nessus Security Scanner was selected the winner in the Security Scanner Software category of the WindowSecurity.com Readers’ Choice Awards. GFI LANguard NSS and Retina Network Security Scanner were first runner-up and second runner-up.


No responses yet

Oct 27 2007

MuZumbu

How to secure an enterprise wireless network

Filed under WindowSecurity.com

WiFi and the enterprise network

I would like to start this article off by mentioning a key point that many people are not aware of. Wireless networks are actually IEEE 802.11, which differs from what we all know as Ethernet, aka IEEE 802.3. The main differences between the two are at the physical and MAC layers; beyond that, the two are comparable in terms of standards. That said, wireless is considered a mature technology, albeit a rapidly evolving one: to wit, IEEE 802.11a, 802.11b, 802.11g and so on. These various subsets of 802.11 have led to changes in both speed and throughput on the internal wireless network. This rapid maturation of wireless technology has caught the eye of enterprise networks worldwide, and wireless is now widely thought of as a business enabler. Many companies now think of wireless technology as a “must have”. With this wide-scale adoption of wireless technology by big businesses has come the need to secure it.

Same technology, different problems

Wireless networks, be they home user or corporate, run off the same technology, i.e. the 802.11 specification. Where the two differ is in the implementation of it. Having a small home wireless router in the corporate enterprise simply isn’t realistic. For one, the range of the router is nowhere near powerful enough to reach the sometimes disparate corners of a large enterprise-class environment; a company can occupy an entire building or more at times. With this in mind, we already have an extra layer of complexity, as the home user only has one wireless router to configure and maintain. In the aforementioned enterprise environment you can have quite a few in order to afford the enterprise wireless access throughout its office space.

How to manage both wired and wireless?

I have heard some talk about companies going completely wireless but as of yet have not heard of any one company doing so. The reality is that most enterprise-class networks have both wireless and wired networks to contend with. Having to manage both of them is where the first cracks can appear in a network’s defense. Deploying a wireless network into an existing wired one can be a daunting task. It has been said before that complexity and security just don’t go together, and it still rings true today. This is why it is very important to have some type of central management by which you can monitor and configure your mixed network. Though I prefer to recommend a variety of vendors for an all-in-one mixed network solution, the fact remains that Cisco does a very good job of it, plus there is the likelihood that most people already use their gear for their infrastructure needs.

The basics

The fundamentals of wireless security for the SoHo user are what I covered earlier in my two articles. Those detailed how to properly configure your wireless router; however, the same fundamentals apply to the enterprise environment as well. As a system administrator for an enterprise-class network you need to ensure those basic steps are implemented. There are other methods of hardening your wireless network though. Almost everyone has now heard of WEP and what it can do for you. The problem is that WEP is no longer really a viable means of encrypting traffic. One of the better-known methods that has since taken over from WEP in the enterprise environment is known as 802.1x. This is a far more secure and robust means of authenticating access to the corporate wireless network. More often than not, RADIUS is used in conjunction with 802.1x.

What about TKIP?

Not a lot of people have heard of TKIP and what it can do to help further harden your wireless network. Temporal Key Integrity Protocol (TKIP) is often seen as an evolution born of the weakness of WEP. The relative weakness of WEP was covered in a couple of earlier articles by me. What TKIP brings to the table in terms of enhanced security are new encryption algorithms, plus the added benefit of constantly changing the encryption key itself. This makes it exponentially harder for a malicious hacker to get the right one. A further measure is that the encryption key itself is encrypted: in essence, even if a malicious hacker can capture the key, the key itself is also encrypted. Furthermore, if the key is itself broken, the odds are rather high that it would have already changed again. All in all, a very robust solution for any enterprise wireless network. If you are thinking, “this is the solution for me!”, please realize there are some drawbacks to implementing it. Not all wireless routers and wireless cards support TKIP. Before you contemplate upgrading to TKIP, ensure that your present hardware supports it.

How about a mix and match?

On top of all the common-sense configuration changes to your wireless router, can you also layer on various defenses? Well, in short, yes you can. You could certainly use WEP, TKIP, and Virtual Private Networks (VPNs) on your enterprise wireless network. Were you to incorporate all of these measures, then you would have one very secure wireless network. There is however a drawback to this, and that is that the usage of VPNs can cause network problems. Using VPNs extensively can and will cause performance issues on your network. These performance bottlenecks can be overcome through the use of VPN concentrators. This is but one example of the problems that a security measure introduced on a network can bring.

It all comes down to planning

We have seen in the above paragraphs that there is a wide variety of security concerns and solutions for the enterprise wireless network. Only a brief few were touched on, as there are literally books that have been written about hardening wireless networks. Many of the security concerns which face the wired network (Ethernet, if you remember, is officially called IEEE 802.3) are also faced by the wireless one (wireless is officially designated IEEE 802.11). Wireless networks are not immune to the effects of a DDoS or DoS attack, to name but one danger normally associated with wired networks.

Should you be thinking of integrating a wireless component into your existing wired enterprise network, you would be well advised to sit down first and plan things out. Take a look at your existing infrastructure, and what that equipment has in terms of wireless compatibility. I would always advise trying to stay with the same equipment vendor, if for nothing else than to help smooth integration. You should also definitely look for some type of centralized monitoring software. This will allow you to quickly and easily monitor all facets of your mixed network in one program.

The goal of this article was to help the enterprise-class system administrator make some informed decisions as they impact their wireless network. Taking the time to study your existing hybrid network for possible performance or security issues is time well spent. Also remember that there is a wealth of products out there today to help you in your goal of securing your mixed-environment network. As always I welcome your feedback and commentary. On that note, till next time.


No responses yet

Oct 26 2007

MuZumbu

New Mozilla Firefox Update Next Week

Mozilla Corp. will be launching a new security update next week to patch five bugs that were unintentionally introduced in the last update. The five regression bugs were introduced while patching other ones.

Firefox 2.0.0.8 patched ten vulnerabilities, including three critical flaws, but also shipped with five regression bugs — problems unintentionally introduced when code was changed to plug other holes.

“Most users won’t see any difference or experience any problems,” said Mike Beltzner of Mozilla in a posting to the company’s development center blog. “We’re working fast to understand and fix these problems, and will shortly be issuing a 2.0.0.9 update to address them.”


[ Via LinuxWorld ]

One response so far

Oct 25 2007

MuZumbu

How SSL works

Filed under WindowSecurity.com

SSL uses digital certificates issued by a valid certification authority (CA) to authenticate the parties to the transaction (the server and, where required, the client). If the Web server is set up to require secure connections, it will reject non-secure requests. To connect to a secure page, the client uses https:// at the beginning of the URL instead of http://.

Note:
If some of the components on the page use http:// in their links, visitors will receive a message saying that some items on the page are not secure. You can avoid this by either using https:// for all links or using a relative path that doesn’t contain “http” or “https.”
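As an added example (not part of the original post), a small Python scanner for the mixed-content case described in the note: it lists the embedded resources a page fetches over http:// and rewrites each one either to a relative path (same host) or to https:// (another host), the two remedies the note gives. The sample page and the host names in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Tags whose URL attribute makes the browser fetch a sub-resource while
# rendering the page; these are what trigger the "not secure" warning.
# (Plain <a href> navigation links do not, so they are not listed.)
RESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href",
                  "iframe": "src", "embed": "src", "object": "data"}

# Constructed sample page, assumed to be served over https:// from www.example.com.
SAMPLE_PAGE = """<html><body>
<img src="http://www.example.com/img/logo.gif" alt="logo">
<script src="https://www.example.com/js/app.js"></script>
<link rel="stylesheet" href="http://cdn.example.net/site.css?v=2">
<img src="/img/already-relative.gif">
<a href="http://www.example.com/about.html">About</a>
</body></html>"""


class MixedContentScanner(HTMLParser):
    """Collects (tag, url) pairs for sub-resources referenced over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        url_attr = RESOURCE_ATTRS.get(tag)
        if url_attr is None:
            return
        for name, value in attrs:
            if name == url_attr and value and value.lower().startswith("http://"):
                self.findings.append((tag, value))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


def fix_url(url, page_host):
    """Apply the note's two remedies: a same-host http:// URL becomes a
    scheme-less relative path; any other http:// URL is switched to https://."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    if parts.netloc.lower() == page_host.lower():
        return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


def fix_page(html, page_host):
    """Return the rewritten page plus the list of (old, new) rewrites applied."""
    rewrites = [(url, fix_url(url, page_host)) for _, url in find_mixed_content(html)]
    for old, new in rewrites:
        html = html.replace(old, new)
    return html, rewrites


if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"insecure <{tag}> resource: {url} -> {fix_url(url, 'www.example.com')}")
```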

When the client’s browser initiates a secure connection, the SSL “handshake” occurs. The browser checks the certificate to validate the identity of the server and the validity of the certification authority, and to confirm that the certificate hasn’t expired. Then the client and server negotiate the encryption methods and keys to be used.

When the handshake is complete, a new key is created, and this key is used to create session keys, which are themselves used to encrypt the rest of the communications using the encryption method negotiated between client and server. The server authenticates the client if it is configured to require client authentication.

Now when an HTTP GET request is sent, the form field responses and program variables that are tagged onto the end of the URL are removed from the URL and inserted into the encrypted data block, which also contains the data entered into the form in the client browser. The response from the server is likewise encrypted when it is returned to the client.

No responses yet

Sep 25 2007

MuZumbu

Why Does Bluetooth Security Matter?

Filed under WindowSecurity.com

Many Bluetooth users only use the technology to connect a wireless headset or similar device to their portable computers, and they may wonder why security is a big deal. Implementing security, even for these types of device pairings, can prevent an unauthorized user from using the headset.

However, another use of Bluetooth is to create a temporary computer network. For example, several people in a meeting room can connect their Bluetooth-enabled laptops to each other to share files during the meeting.

When you use Bluetooth to create a temporary network, it is usually an ad hoc network; that is, computers communicate directly with each other rather than going through a wireless access point (WAP). This means you have no centralized point of security control, as you do with a WAP (for example, you can configure a WAP to use MAC address filtering and other built-in security mechanisms). Thus, security becomes a major concern because you can be exposing important data stored on your laptop to others on the Bluetooth network. Remember that the range for class 1 Bluetooth devices can be more than 300 feet – far enough that in some locations, the BT equivalent of the Wi-Fi “war driver” may be able to establish a link with your computer even though not within your sight.

Another special concern is the security of Bluetooth mobile phones. These phones may have information stored on them such as the addresses and phone numbers of contacts, calendar information and other PDA-type data. Hacking into these phones using Bluetooth is called bluesnarfing. Newer mobile phones and software upgrades for older phones can patch this vulnerability.

A related hacking technique is called bluebugging, and it involves accessing the phone’s commands so that the hacker can actually make phone calls, add or delete contact info, or eavesdrop on the phone owner’s conversations. This vulnerability, too, is being addressed by phone manufacturers. Thus, if you own a BT-enabled phone, it’s important to keep the software updated or upgrade to the latest phone models frequently.

Bluetooth devices can also be targets of Denial of Service (DoS) attacks, typically by bombarding the device with requests to the point that the battery is drained.

Finally, there are “cell phone worms” such as Cabir that can use Bluetooth technology to propagate to other BT devices. Cabir targets phones that use the Symbian OS.

The relatively short range of most Bluetooth devices helps to mitigate the risk of most of these security issues. For example, to practice bluesnarfing or bluebugging against a BT phone, the hacker would typically need to be within about 10 meters (a little less than 33 feet) of the target phone.

No responses yet

Sep 24 2007

MuZumbu

What is a typical intrusion scenario?

A typical scenario might be:
1. Information Gathering
An attacker will normally start by finding out as much information as possible on his target. At this point the attacker will want to be as stealthy as possible and will usually make use of less direct methods. Some of these methods include doing a whois lookup and DNS zone transfers, as well as normal browsing of websites, gathering e-mail addresses and similar important information belonging to the target.
2. Further Information Gathering
In an attempt to gather more information, an attacker will usually perform ping sweeps and port scanning and check Web servers for vulnerable CGI scripts. The intruder will also check the versions of running applications and services on your host, normally done using banner grabbing techniques. Typically banner grabbing consists of connecting to a service (for example SMTP on port 25) and parsing the response. In the response one would usually get the version of the application or a pattern typical of that application. A good IDS will catch some of this activity.
3. Attack!!
Having a list of possible loopholes, the intruder will start trying out different attacks on the system. He will, for example, try to launch the Unicode attack if he previously found out that the target has IIS installed. Apart from launching exploits for well-known vulnerable software, a typical attacker will also try to find misconfigured running services. For example, he will try to guess passwords for known users on the system.
4. Successful intrusion
After a successful intrusion, attackers will usually install their own backdoors in the system and delete log files in order to hide their tracks. They may install ‘toolkits’ such as rootkits that give them access, replace existing services with their own Trojan horses that have backdoor passwords, or create their own user accounts. System integrity checkers such as Tripwire have the task of detecting this kind of activity and alerting the administrator. From here an attacker will usually launch further attacks on other hosts, especially those that are trusted by the compromised machine.
5. Fun and profit
Different classes of system intruders have different goals. Some steal confidential information such as credit card numbers, passwords etc., while others just use the compromised host to launch further attacks on sites (such as DDoS attacks). A few others will just deface a website.
A growing trend is to make use of a different pattern of attack. Intruders are increasingly scanning Internet addresses at random, looking for a specific hole or set of holes. For example, an intruder may scan for hosts having port 80 open and running a misconfigured or unpatched IIS server. Attackers will make a list of the vulnerable hosts and then launch attacks against each one of them.

No responses yet

Sep 24 2007

MuZumbu

How do intruders get passwords?

Filed under WindowSecurity.com

Intruders get passwords in various ways. These are some of the most popular methods being used by hackers nowadays:
Sniffing: Data passing on Ethernet or wireless networks can usually be intercepted. This is done by making use of a protocol analyzer, which sets the network card to promiscuous mode, meaning that it passes all data on the network to the operating system without filtering. Passwords are typically “sniffed” off clear-text protocols. Such protocols include POP3, FTP and Telnet. In these cases passwords flow through the network without making use of any encryption. Many newer protocols now make use of encryption. Although encryption makes the task of sniffing passwords more difficult, it is still possible to get the passwords from the encrypted data by making use of dictionary and brute-force attacks.
Sniffing is a very effective method for hackers and attackers since it is usually a passive attack and therefore more stealthy and more difficult to detect.
Replay attack: In some cases, intruders do not need to decrypt the password. They can use the encrypted form instead in order to log in to systems. Tools are also available to make this kind of attack easier. This kind of attack is very popular against web applications.
Password file stealing: System passwords are usually stored in files or in the Windows registry. On Windows NT, 2000 and XP, the passwords are stored in encrypted form in the SAM file. On UNIX systems the passwords are usually stored in /etc/passwd or /etc/shadow. Once an attacker gets his hands on the password file he can launch a dictionary or brute-force attack against the encrypted passwords.
Observation: A very well-known and traditional password-stealing attack is dubbed “shoulder surfing”, which is basically when an intruder watches someone type in a password. Observation can also be done by going through a victim’s personal objects. Typically passwords are written on small pieces of paper, and can also be written on sticky notes attached to the monitor itself!
Social Engineering: Many successful hackers and attackers make use of human weaknesses; one such well-known hacker is Kevin Mitnick. A common (successful) technique is to simply call the user and say, “Hi, this is Bob from Some-Company. We have problems within the network and they appear to be coming from your machine. Can you give me your password?” Many users will happily supply this sensitive information without thinking twice.
Default Passwords: Sometimes it is not even necessary to guess the passwords, since the system may have default passwords set by the system vendor. A lot of network devices such as switches and hardware routers have default passwords, allowing an attacker to easily gain access.

No responses yet

Sep 24 2007

MuZumbu

What are whitehats and blackhats?

Filed under WindowSecurity.com

Hackers are often categorized as either whitehat or blackhat. Both whitehats and blackhats have the know-how to penetrate a system, but their motives are different. A whitehat’s aim is to know a system’s loopholes in order to secure the system. On the other hand, blackhats make use of this knowledge for personal gain and other selfish and unethical purposes.
Some computer security consultants are described as whitehat, while “script kiddies” are also sometimes described as blackhat. Script kiddies are known to be less sophisticated hackers who launch attacks against computer systems such as port scanning, defacing a website or launching a Denial of Service attack.

No responses yet

Sep 24 2007

MuZumbu

What are hackers and crackers?

Filed under WindowSecurity.com

An intruder is also referred to as a hacker or a cracker. A hacker is basically someone who hacks a system; he could do this because he finds it interesting or because he wants to access your system. In the latter case he would be a cracker.
In any case, hackers and crackers are both intruders and can be classified as external or internal intruders (outsiders or insiders).
External/Outsiders
Intruders from outside your network. They attack your web servers and email servers and may also attempt to bypass the firewall to attack machines on the internal network. Outside intruders may come from the Internet, dial-up lines, physical break-ins, or from a partner (vendor, customer, reseller, etc.) network that is linked to your corporate network.
Internal/Insiders
Intruders that are using your internal network legitimately. These include users who misuse privileges or who attempt to get higher rights or use another user’s privileges. Internal intruders are often overlooked; most security breaches (80%) are done by insiders.

No responses yet

Mar 02 2007

MuZumbu

Stopping Keyloggers From Stealing Your Identity

Would you know a key logger if you saw one? Well since you can’t see key loggers I’m sure you don’t! OK let me tell you about key loggers. Key loggers are invisible software programs that are used to track your online activity. Most importantly, they are being used more and more to steal your vital financial information either to sell to criminals or to be used in the theft of your identity.

Finding a keylogger on your computer is next to impossible unless you have professional help in the form of an up-to-date spyware removal software system. The real problem is that if you don’t know that a keylogger is tracking everything you do, then you won’t know when the little darlin’ has stolen your bank account passwords or your credit card numbers until a theft of your assets has been attempted. And the discovery may only be made by you after your assets have been raided and depleted.

When a keylogger is busily at work, you won’t even see your machine slow down or see anything peculiar happening. But visualize that the potential thief is standing right behind you watching and recording everything that you do on the machine.

I’m not sure where this statistic comes from, but it is said that more than one third of all online ID thefts can now be traced to keylogging. Unfortunately, keyloggers are easily found and acquired. They are cheap and available. Worse yet, they are perfectly legal in and of themselves.

There are perfectly legitimate reasons for employers to use key logger software to monitor employees’ use of the computer at work and for parents to monitor their children’s web browsing habits. But the corollary is that it is an easy way for a criminal to gain access to your valuable assets and plunder them. And the software itself is perfectly legal.

In view of the foregoing take steps immediately to protect yourself:

* Install respected anti-spyware software that not only scans your computer but prevents unauthorized access

* Install a firewall

* Do not click on pop-ups

* Do not open spam email - when in doubt delete!

* Do not open e-mail attachments unless you can be sure it is coming from a legitimate source for a legitimate purpose

* Make your passwords hard to crack and change them frequently

The keylogger situation is getting worse, not better. Don’t wait until your identity has been stolen. Get the protection you need now and stay alert. You have been warned!

No responses yet
