Perimeter defense is useless!

I think it is well known by security experts that the old perimeter defense model just does not work any more. A firewall does give some protection, but users are constantly asking that ports be opened so that they can access services outside of the corporate network. Not only that, but there is not much to prevent malicious traffic to go through your ports that are already opened. Should we ditch the firewall? No, but you should add more layers to your defense. In this post, I will list of the defenses you should have in your environment.

I think it is well known by security experts that the old perimeter defense model just does not work any more. A firewall does give some protection, but users are constantly asking that ports be opened so that they can access services outside of the corporate network.  Not only that, but there is not much to prevent malicious traffic to go through your ports that are already opened.  Should we ditch the firewall?  No, but you should add more layers to your defense.  In this post, I will list of the defenses you should have in your environment.

Whenever such a user requests to have yet another port to be opened, you should make sure that you restrict as much as possible the end-points that can make use of that port you are opening up. For example, John asks that a port be opened so he can establish a VNP connection from the corporate LAN to a business partner, you should make sure that only John’s IP address is allowed to use that port and that there is only one outside IP address that John can reach on that port.

Firewall management is not what keeps me up at night though. What keeps my up at night is the fact that it is so easy to create tunnels from inside my network to the outside over well known ports, such as port 80 or 443 in order to access anything that you would normally block at the firewall. That plus the fact that now you cannot browse most web sites with first installing such things as Flash player and Adobe PDF reader.

A recently vulnerability in Adobe Reader for which there is no patch as of now (Adobe said they will release one on March 11th) is a rather scary one.  This type of vulnerability can be exploited without the user even opening the malicious PDF! How can you defend yourself against that?!  You should have as many layers as possible in order to prevent that malicious PDF from succesfully penetrate your network.  The Verison Business Security Blog has a very good list of steps that can be taken to protect yourself against that threat.  of course, you could always drop Abode Reader altogether.

In general though, that approach can be applied against any threats.  Here are the different layers you should have in place in order of priority:

  1. A firewall.  I would venture to guess that everyone out there has that one in place.  Make sure that a regular review of what rules you have in place is done.
  2. Intrusion Detection (IDS) or better yet, Intrusion Prevention (IPS).  If you can affort it, TippingPoint is probably a leader in that field and works great.  At the very least, you should have Snort in your network.
  3. Don’t allow your users to be local administrators.  Most of the people that get infected with malware  and virus are logged on with local administrator rights.  That’s a very bad idea.  Lock down those users!
  4. Anti-Virus on every machines.  AV is not perfect as it is a reactive technology, but it will catch a lot of what is out there.  Anti-Virus products now can do more than just detecting and cleaning virus.  The can block use of certain ports on your hosts (such as port 25 for e-mails or ports typically used for IRC).
  5. Host-based Intrusion Detection System (HIDS).  This technology is starting to catch on in corporate environments.  This is basically the equivalent of having ZoneAlarm on each desktop, but centrally managed by the corporate IT.
  6. Last but not least, patching!  Make sure that you are current in your OS patches and your application patches.  That is not always easy in corporate environment since it sometimes requires careful testing and planning.

In my experience, the mobile users are the weak links.  Once they take their laptops outside of the corporate LAN, many of those defensive layers, such as IPS and the firewall, are no longer there to protect them.  That’s why you need to have strong defenses on the workstations, such as disk encryption and HIDS.

Can anyone think of other layers that should be in place?

Disection of a web based infection

This post describes how compromised web sites try to infect your pc.

Gone are the days where you actually had to convince someone to open your malicious e-mail attachment to get malicious software installed. Now all you need is to browse a compromised web site and you can become a victim in a matter of seconds. This post will dissect the home page of such a web site and explain the different ways that bad guys are trying to install their malicious software onto your computer.

I was alerted to this compromised web site when our anti-virus console sent me an e-mail because it blocked a trojan on a user’s machine. This e-mail also included the URL of the compromised web site. The trojan is known as JS/Obfuscated by McAfee or JS.Obfuscated.Gen by Bit Defender. The anti-virus actually is able to detect the way the code on the web page has been obfuscated by the author.  This web page only got a 12.83% coverage amongst 39 different AV engines according to Virus Total.  I can only hope that the AV that did not catch that compromised web page will catch whatever the web page will download on the user’s computer before it causes real damage.

You would think that it would be easy to convince the owner of the web site to take action.  Unfortunately, it is not so.  I phoned them personally on Wednesday, Feb. 11.  I actually got a call back on Tuesday, Feb. 17.  I gave the details to the web master.  As of right now (Feb. 21), the site is still has the malicious JavaScript on its home page.  The site is at www dot airdrietrailer dot com and you should not browse it with Internet Explorer on Windows.  You are likely to get infected (especially if you do not keep up with patches).  I took a closer look at the malicious code and it tries to infect you through multiple attack vector, but those are specifically targeting IE.  The nice lady at Airdri Trailer Sales told me that she had already received calls from other people also telling her that their web site is infecting people, but their webmaster could not find what the problem was.

Here is a quick summary of how the infection works:

  1. The web site is somehow compromised and web page(s) modified to inject iFrame into each page on the site.
  2. A user browse the web site, the injected JavaScript code is executed, creating the iFrame which connect to a malicious site to download more code.
  3. The downloaded code is executed and tries multiple attack vectors in order to write to your hard drive.  If one of those vulnerabilities work, a payload is downloaded and executed on your computer.

And voila!  You have been p0wned.

Dissecting the attack

The malicious code is tacked at the bottom of the web page. The code is in two <script></script> blocks.  It is obfuscated by having a bunch of gibberish assigned to variables.  There is actually a bit of code visible in that gibberish, just enough to remove the obfuscation, which is rather simple.  Using the Malzilla tool, it makes it easy to see the code.  The first block reveals how it will de-obfuscate the code.  There are four block of codes that will be de-obfuscated by doing a string substition.  Here are some of the string that are replaced.

  1. Replace aHM with a % character
  2. Replace Zm with the D character
  3. Replace ouG with a % character
  4. Replace tr4 with a 3 character
  5. Replace %P5 with a 2 character
  6. there are more such substitions

All of those strings are then unescaped, and passed to the eval() function to be executed.  That’s where the real action is.

  1. The first block inserts a <BODY> </BODY> and a <DIV> tag into the web page if it finds that the body is empty.
  2. The second block gets a pointer to that DIV and saves it to a variable.  As well, it creates an iFrame element and sets it to a size of 1×1 and sets the source to point to a malicious web site (store16 dot looneytoons dot cc).  Doing a whois on that site reveals that it is a legitimate site registered by Warner Brothers.  Although there is a web server there, it does not return anything as of right now.
  3. Finally, the third block set the iFrame to hidden, gives it an id and appends it to the DIV created in the first block of code.

Since the iframe src attribute is pointing to malicious site, it populates itself with new HTML wich includes more JavaScript.  At that point, the code tries a few number of things in order to gain access to the operating system to enable to write files to your hard drive.  In fact, some of the code looks very much like it was borrowed from the Metasploit framework.  Here are all of the attack vectors that this code tries to exploit:

  1. Flash ActiveX if the version less than 9.0.124
  2. Adobe Reader
  3. Microsoft Office snapshot viewer ActiveX exploit (MS08-041 will protect you)
  4. AOL SB.SuperBuddy ActiveX code found in AOL Client Software 9.0 Security
  5. QuickTime
  6. Microsoft DirecAnimation ActiveX (MS06-067 will protect you)
  7. An oldie but goodie, Microsoft DDS Library Shape Control which was part of Visual Studio 2002 (MS05-052 will protect you)
  8. Windows Sell Remote Code Execution Vulnerability (MS06-57 will protect you)

Bottom line, if you are up to date on patches, you will not have problems.  The trick is to update not only Windows, but all your software you have on your computer.  Not so easy as most people do not really know what actually have installed over time.  The best thing you can do is to visit Secunia Software Scanning and use their scanner.  It will tell you all the software you have installed that requires updates.  If you actually download and install their software, it will keep track of what you have and let you know when there are new updates.

I do have the JavaScript saved, let me know if you would like to see it.

Time to patch your printers

HP revealed a new vulnerability that a directory traversal issue in the web admin interface allows remote user to view files on the printers. Should you start including printers in your patching policies? Here are some things you should do to protect yourself.

This might surprise some, but printers need patching too.  The rule of thumb you should use is if it has an IP address, then it can be vulnerable and will most likely require a patch at some point in time.

SANS handler’s diary has just published such a story – Time to patch your HP printers.  The actual HP bulletin is here.  Looks like PC Advisor also picked up the story.

The easiest way to do the firmware upgrade is to use HP’s Web Jetadmin.  Using Web Jetadmin, you can discover all your printers on your LAN and remotely do firmware upgrades.

Although this vulnerability only allows the bad guys to access any files on the printer (and therefore view previously printed documents), I can foresee printers being used as a staging point for more serious things.  The reason is that printers have not received the same amount of scrutiny that workstations/serves have and most likely are softer targets.  As well, printers do not run anti-virus or other kind of defensive software.  So what should you do?  Here are a few things that will harden your printers:

  1. Use a central management console like Web Jetadmin.  This will allow you to discover any new printers added and to easily deploy the latest firmware.
  2. Keep up with the firmware releases.  This is probably a difficult one to do, especially if you use printers from a number of vendors.  You should at least do a round of patching once a year.
  3. Scan your printers for vulnerabilities.  Make sure to use a tool that can differentiate between a printer device and a workstation.  If it doesn’t, scanning can lead to lockups and rebooting of your printers.  Not so good if it’s in the middle of printing a big color job by your boss.  Nessus scanner is one such scanner.  Be warned that scanning your printer will probably cause it to print a few pages.

If anyone else has anything else that they do to harden their printers, please use the comments below.

Web content filtering without installing any software

Free protection without installing any software. The solution is simple, just use the right DNS to prevent the traffic from entering your network in the first place.

If you could protect your whole network from malware, adware, porn and other web sites that should not ever be viewed by employees or children, wouldn’t you do it?  What if I told  you that you can, and you don’t even have to install any software anywhere in your network?  I usually go by the old adage that if it sounds to good to be true, it probably is.  This is one time where that’s not true.

My secret weapon is called OpenDNS.  I use pfSense firewall at home and I also have installed this great freeBSD based firewall at three other customer’s sites.  Although the ISP for each of these sites supply their own DNS server, I do not point the firewall to their DNS.  I simply set the DNS server address on the General Setup page to point to

  • 208.67.222.222
  • 208.67.222.220

Using OpenDNS does not really slow things down in any way (not that anybody can truly notice anyway).  Also, OpenDNS is introducing a free service to protect you from the Conficker worm.  Read this post from The Register to see all of the details.  Go on and create yourself an account on OpenDNS.  You’ll be able to do filtering based on 27 categories.  The service you get for free from these guys is top notch.

Update: Looks like has just published a very concise page about the Conficker worm and how to deal with it.  Check it out at http://technet.microsoft.com/en-us/security/dd452420.aspx

Update (Feb. 10): Looks like OpenDNS official blog has more information about their new feature.


Use OpenDNS

Add IT a digital life Mippin widget

How to use a Smart Card to digitally sign your e-mails in Outlook

If you are using smart card in your network only for authentication, you are missing out on the other things you can do to secure your communication with others. This post will show you how to enable your smart card to be used to digitally sign or encrypt your e-mails in Outlook 2003.

Where I currently work, we are using smart cards in order to secure Active Directory accounts with elevated privileges.  That’s great way to do two-factor authentication because smart cards are integrated in AD natively.  In order to force an account to use a smart card, you only have to click on a checkbox on the user account.

In order to be able to digitally sign and encrypt your e-mails, you have to first take the following steps:

  1. Import the certificate on your smart card into the IE Store
  2. Configure Outlook to use the certificate
  3. Start signing/encrypting your e-mail

Sounds simple enough.  Let’s get into the details of how we do all of that.

The first step is to import the digital certificate that is on the smart card into what is sometimes called the IE store.  Since I use Gemalto‘s GemSafe drivers, it is fairly easy.

  1. I first go to the Certificates section of the Toolbox and click on my certificate.
  2. This enables the Export… button.  Click on it to go to the export screen.
  3. Select Export to IE store and make sure that you select Personal as the certificate store.
  4. Click the Export button.

This puts a copy of the certificate (private and public keys) into your personal store for your use.  You can verify that the certificate was imported properly by opening up Internet Explorer, click on Tools | Internet Options | Content | Certificates.  Your certificate should be listed in the Personal tab.  Click on the certificate.  This will fill the Certificate intended purposes section at the bottom of the dialog box.  If Secure Email is not one of the intended purposes, then you will not be able to use this certificate to sign your e-mails.

Now the last thing to do is to configure Outlook to use that certificate.

  1. In Outlook (I’m using Outlook 2003), click on Tools | Options… | Security tab| Settings… button in the Encrypted e-mail section.
  2. Here we need to choose our signing certificate and encryption certificate.  Click on the Choose… button and select the same certificate in both cases.
  3. Your Hash Algorithm should be SHA1 because it is stronger than the old MD5.
  4. Your Encryption Algorithm is probably defaulted to 3DES, which is the strongest algorithm available.
  5. Make sure that the checkbox for the Send these certificates with signed messages option is checked.  This will then allow your recipient to import your certificate (with your public key only) into their store.  This way they will be able to encrypt e-mails to you and only you will be able to decrypt them.

And there you go.  The next time you write an e-mail, simply click on the Options… button and then the Security Settings… button to open the dialog box that will allow you to digitally sign and encrypt your e-mail.  Make sure that your smart card is inserted.  When you click on the Send button, you will be asked to enter your PIN before your e-mail is signed and encrypted in order to confirm your identity.

I hope this was helpful to you.  Let me know if you have any questions.

Should you kill NetBIOS from your network?

In a Windows XP network, NetBIOS is on by default. There are some misconceptions regarding whether NetBIOS is required in order to have file sharing working. In fact, that is not the case. This post will explain what I found out when investigating the impact of removing NetBIOS from our corporate network.

Do you still have NetBIOS turned on on all of your workstations and servers in your corporate LAN?  This old network protocol puts you at risk and should be killed without prejudice!

There are quite a few reasons why NetBIOS is bad for your network.

  1. NetBIOS is an inneficient protocol.  It is very chatty with lots of broadcasts.
  2. When used with its defaults settings, it can be used by the bad guys to gather information about your network and users.  This is done through null sessions.  An excellent source of information on null session can be found in the (old, but still true) page titled NetBIOS Null Sessions: The Good, The Bad, and The Ugly.
  3. Although it can now be routed across LANs by using NetBIOS over TCP/IP (NetBT), it was never meant to be used in a WAN environment.
  4. The original design of NetBIOS was actually for a LAN of about 70 users.

One of the major misconception about NetBIOS is the fact that people think that it has to be there in order for you to have a file share to serve files to your network users.  That is actually not the case.

File sharing on your LAN

NetBIOS uses these ports:

  • UDP 137: NetBIOS name service
  • UDP 138: NetBIOS datagram service
  • TCP 139: NetBIOS session service

In actual fact, a workstation that tries to connect to a file share might start by trying using those ports.  Windows will automatically fall back to using SMB, which is on port TCP 445.  You might have heard of SMB (Server Message Blocks) and CIFS (Common Internet File System) in the same conversation.  That’s because CIFS is actually a dialect of SMB.

The downside of disabling NetBIOS

I found only two problems that you might run into if you disable NetBIOS.  Another side effect is that this will affect trusts between forests.  This is definitely true for domains at the Windows 2000 functional level or even a Windows NT to Windows 2003 trust.  In a simpler network with only one domain in your forest, this will not be an issue.

The other negative impact that I found is the fact that you no longer browse for computer in Network Neighborhood (Windows 98) or Microsoft Windows Network (Windows XP). When NetBIOS is enabled in your network, the master browser collects information about all the computers in the network.  That information is then propagated every 12 minutes to all workstations.  This can be displayed in the network neighborhood or using the NET VIEW command.  In effect, this is how name resolution was done, by using the list maintained by the master browser. WINS is the other name resolution method in the NetBIOS world.  This method is no longer used by Microsoft OS since Windows 2000.

How to deal with NetBIOS

The best thing to do, is simply to eliminate NetBIOS.  You probably won’t miss it.  Most likely, if your network has more than a few computers in it, you are using DHCP.  You can use DHCP to easily disable NetBIOS on your workstations.  In a smaller setting, you can change the configuration on each computer in your network by doing the following (instructions for Windows XP):

  1. Click Start, point to Settings, and then click Network and Dial-up Connection.
  2. Right-click Local Area Connection, and then click Properties.
  3. Click Internet Protocol (TCP/IP), and then click Properties.
  4. Click Advanced.
  5. Click the WINS tab, and then click Disable NetBIOS over TCP/IP.

This method disables NetBIOS Session Service (which listens on TCP port 139). It does not disable NetBIOS completely.  If you do not want to have SMB enabled, you can disable it all at once by using the following instructions:

  1. From the Start menu, right-click My Computer, and then click Manage.
  2. Expand System Tools, and then clear the Device Manager check box.
  3. Right-click Device Manager, point to View, and then select Show hidden devices.
  4. Expand Non-Plug and Play Drivers.
  5. Right-click NetBios over TCP/IP, and then click Disable.

This disables the SMB direct host listener on TCP/445 and UDP 445.

Final Thoughts

Before you make such an important change in your network, you need to do some serious testing.  This is especially true if you have a lot of different servers and applications.  I intend to post again with the result of my testing and the effect that disabling NetBIOS had on our network.

Related links

Starting a new Open Source project shouldn’t be this hard

Creating an open source project should be easy. This describes my experience with SourceForge and CodePlex when I tried to create my first project.

Wow!  I thought it would be easier than that.  I have this application I started writing that I feel would be useful to lots of people out there and decided to share.  I wrote an application that takes the output of a Nessus scan and loads it into an SQL Server database.  I intend on working on this over time and add features like reporting.  Ultimately, what I am after is better reporting as the Nessus application only provides ONE report.

Since I wrote the code in C Sharp, I decided to go the one of the best known repository for Microsoft technology open source projects, CodePlex.  Creating the project was quick enough, but I can’t seem to be able to access the source code tab.  I always get the message that The source control server is currently unavailable. Fine, I’m moving on.

So I went to the best known open source repository, SourceForge.net, and created my project.  It looks like it needs to be reviewed by humans before I can even start uploading code.  Great!  It was bed time anyway.

Today, I decided to see if by chance my project in SourceForge would allow to upload code, and it does.  Awesome.  CodePlex is still displaying the same error message.  I don’t know if it is me who is doing something wrong or what.  I cannot find anywhere to go if I have problems.  What looks like their support board actually contains more suggestions for enhancements than support requests.