Sunday, February 28, 2010

SANS Bangalore Community Night

SANS, along with DSCI, hosted a community reception last week in Bangalore. This was a great opportunity for the information security practitioners in the city to interact with each other and to hear from the SANS instructors who were in town to teach two SANS courses.

The event featured the following topics:

Defending Against “Man-in-the-Middle” Attacks by Bryce Galbraith. Bryce discussed “man-in-the-middle” (MitM) attacks and how attackers use advanced MitM techniques to subvert commonly used encrypted protocols (SSL, RDP, VPN, etc.). He also covered many of the tools that attackers use.


Memory Analysis for Incident Responders and Forensic Analysts by Chad Tilbury. Chad discussed the newest trend in forensic analysis, memory forensics, and how it helps organizations identify many of the new attack techniques that leave little or no trace on disk.


The event also featured Varun Sharma, Security Engineer at Microsoft. His talk was on Windows BitLocker: how BitLocker encrypts a volume, where the keys are stored, and what options organizations have to recover data encrypted with BitLocker. He also discussed how organizations can use Group Policy (GPO) to centrally back up the BitLocker keys of individual machines.


Overall it was very informative, and I asked Suresh (SANS Managing Director) to conduct more community events like this.



Saturday, February 27, 2010

201 CMR 17

If your company, financial or otherwise, operates in the US and deals with personally identifiable information, you must be familiar with "201 CMR 17". If not, you had better be before March 1st.


Over the years there have been many new regulations in corporate governance and financial accounting, but more recently many US states have started developing privacy laws, mainly because of concerns about individual privacy and the security of corporate and individual data. GLBA is one such law at the US federal level, and the EU data protection requirements are the equivalent for Europe.


One such law is the Massachusetts Privacy Law, or "201 CMR 17"; the deadline for compliance is March 1, 2010. The date has already been pushed back three times; hopefully this is the final one. The regulation lists comprehensive requirements to protect Massachusetts residents from the fraud and identity theft that follow a data loss. It establishes a minimum standard for the protection of Massachusetts residents' personally identifiable information (PII) contained in both paper and electronic records. The compliance document states its purpose as:


"The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer."  


One important requirement concerns third-party contracts: organizations must make sure that the third parties they deal with are also compliant with this law. I think this is a bold step towards making sure that organizations take third-party interactions seriously. Many recent data breach reports have identified third-party or partner connections as the source of many intrusion attempts and data breaches.


Vendors looking for phrases like "application security", "web application", "penetration testing", "data leak", etc. will be disappointed, as the document does not state any specific requirements in these areas. However, organizations should treat this and other regulatory requirements as "minimum standards" and set a higher bar for themselves. Remember that Compliance != Security.


To ensure compliance with this regulation, the following activities should be performed:
  • Identify the requirements
  • Map the compliance requirements to organizational risks
  • Collect application inventory data, including details of the data held within each application
  • Work with data owners to identify whether each application/database contains PII
  • Identify the servers and databases where this data resides
  • Identify the encryption requirements
  • Map the technical controls for these applications, servers and databases
  • Identify the missing controls (both technical and non-technical)
  • Implement the missing controls
The requirements and other details are in this document:
http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

Saturday, February 20, 2010

Identifying vulnerabilities in open source software

There are many web sites that help you research vulnerabilities disclosed by product vendors, but most of them are geared towards vulnerabilities in commercial products or in the major open source applications.

For assessing the risk of the long tail of open source applications we now have a new dedicated web site; it is essentially a search engine that crawls and indexes vulnerability information for open source projects. The link is below:

http://bugspy.net

Saturday, February 13, 2010

DEP and security benefits

Last month I wrote about the IE 0-day; the vulnerability affected IE6, and IE7 and IE8 when DEP was not enabled. So what is DEP? In this post I will try to explain that and why it is a good security feature.

Typical malware behavior is to get its code onto the victim's machine (often by enticing the user to download it), place that code in memory, and then execute it. The majority of buffer overflow exploits work the same way: the attacker's payload is written into memory that is meant to hold data (a stack or heap buffer) and control is then redirected into it.

With the XP SP2 and Windows Server 2003 SP1 releases, Microsoft introduced what is known as Data Execution Prevention, or DEP. It is a defense-in-depth feature that prevents code from being executed out of memory that is supposed to hold only data. So if your anti-virus program or host IDS fails to protect you, this additional wall is still there.

Beginning with XP SP2, two separate DEP mechanisms are enforced. Hardware-enforced DEP relies on the processor's no-execute page bit (NX on AMD, XD on Intel): regions of memory that hold only data are marked non-executable, and if a program tries to execute from one of these regions the processor intercepts the attempt and raises an exception, which normally terminates the process with an access violation. Software-enforced DEP is a separate, more limited set of checks on the Windows exception-handling mechanisms that attackers abuse to redirect execution; it works on any CPU but does not stop code running from data pages.

When a program is launched, the system allocates its memory pages and marks the data regions (stack, heap, data sections) as non-executable. However, even when the hardware supports it and the operating system has it turned on, the default client policy (OptIn) protects only Windows system binaries and services. Other applications have to opt in separately, either by being built with the /NXCOMPAT linker flag or by calling SetProcessDEPPolicy at startup. Internet Explorer added the option in IE7 (off by default) and enabled it by default in IE8; Microsoft Office enabled it in Office 2010.

In a corporate environment, the first step in taking advantage of this feature is to upgrade the operating systems, and then the applications, to versions that support it. For third-party applications, Microsoft warns that “Applications that perform dynamic code generation (such as Just-In-Time code generation) and do not explicitly mark generated code with execute permission may have compatibility issues on computers that are using DEP. Applications written to the Active Template Library (ATL) version 7.1 and earlier can attempt to execute code on pages marked as non-executable, which triggers an NX fault and terminates the application”.
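The two behaviours in Microsoft's warning, a program that writes code into data memory and jumps straight to it versus a JIT that explicitly marks its generated code executable, can be reproduced in a few lines of C. The example below is added here and is not from the original post or from Microsoft. It assumes Linux (or another POSIX system) on an x86-64 or AArch64 processor with hardware NX, and uses mmap/mprotect, the equivalents of VirtualAlloc/VirtualProtect on Windows. The stub bytes are a constructed "return 42" routine, and the access violation is caught with a SIGSEGV handler so the program can report it instead of dying.

```c
/*
 * Added example (not from the original post): what an NX/DEP fault looks like
 * at the instruction level, and why JIT-style code must be marked executable.
 *
 * Assumptions: POSIX mmap/mprotect/sigsetjmp, x86-64 or AArch64 with hardware
 * NX. STUB is a constructed "return 42" routine, not code from any product.
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if defined(__x86_64__)
/* mov eax, 42 ; ret */
static const unsigned char STUB[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
#elif defined(__aarch64__)
/* mov w0, #42 ; ret  (little-endian instruction words) */
static const unsigned char STUB[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 };
#else
#error "stub only provided for x86-64 and AArch64"
#endif

static sigjmp_buf fault_env;

/* Fault handler: unwind back to the sigsetjmp() in run_from_page(). */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);
}

/*
 * Copy STUB into a fresh read/write page and call it.
 *   mark_executable == 0  models code written into data memory and jumped to
 *                         (shellcode in a buffer, or old ATL thunks);
 *   mark_executable != 0  models a well-behaved JIT that flips the page to RX.
 * Returns 42 on success, -1 if the CPU raised an NX fault, -2 on setup error.
 */
int run_from_page(int mark_executable) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *mem = mmap(NULL, page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -2;
    memcpy(mem, STUB, sizeof STUB);

    if (mark_executable) {
        /* W^X: drop write, add execute. A JIT that skips this step appears to
           work on a machine without DEP and dies with an NX fault under DEP. */
        if (mprotect(mem, page, PROT_READ | PROT_EXEC) != 0) {
            munmap(mem, page);
            return -2;
        }
        __builtin___clear_cache((char *)mem, (char *)mem + sizeof STUB);
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void) = (int (*)(void))(uintptr_t)mem;
        result = fn();      /* instruction fetch faults here if the page is RW */
    } else {
        result = -1;        /* NX fault intercepted by on_fault() */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(mem, page);
    return result;
}

int main(void) {
    printf("execute from RW page: %d (NX fault expected as -1)\n", run_from_page(0));
    printf("execute from RX page: %d (42 expected)\n", run_from_page(1));
    return 0;
}
```

The first call is exactly the situation DEP is designed to stop: bytes that arrived as data get executed. The second call is what a DEP-compatible JIT does, and the only difference is one protection change on the page, which is why the fix for most "does not work with DEP" applications is a rebuild against a newer ATL or an explicit execute permission on generated code rather than turning DEP off.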

Because of this dependency and the additional configuration required, many applications do not work well with DEP in their default configuration, and this is the main reason many organizations did not upgrade to XP SP2. In doing so they miss out on this important security feature.

As I already mentioned, with DEP enabled, organizations were protected from the IE zero day without any further action. Last month's critical Adobe Acrobat vulnerability, in the JavaScript function util.printd, led to memory corruption that allowed code injection; it too could have been blocked if organizations had DEP enabled on their machines. DEP raises the bar rather than closing the door, though: an exploit can still reuse code that is already executable (return-oriented programming) or target a process that has not opted in, so it belongs alongside patching, not in place of it.

To learn more about DEP and which applications enable it, see the Microsoft pages below:

http://support.microsoft.com/kb/875352/EN-US/
http://blogs.technet.com/robert_hensing/archive/2007/04/04/dep-on-vista-explained.aspx
http://blogs.technet.com/office2010/archive/2010/02/04/data-excecution-prevention-in-office-2010.aspx

Friday, February 5, 2010

Don't miss ShmooCon 2010

ShmooCon is an annual information security conference. It is highly affordable, usually attracts some of the best speakers, and this year you can watch it live via streaming video.

Here is the link to the streaming content:

https://www.shmoocon.org/video.html

Here is a snippet about the conference:

"ShmooCon is an annual East coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software & hardware solutions, and open discussions of critical infosec issues."