Recently in Security Category
From September to this week, I was privileged to teach an introductory class in computer science at Adelphi University (Garden City, New York). My objectives with this class were to take a group of computer science and management of information systems students who had not had any security classes and teach them the basics of computer security.
By the end of class, I wanted them to understand what the technological implications of computer security were, and I wanted them to be able to recognize certain attacks, as well as to know how to prevent these attacks and/or stop them from continuing.
This Tuesday, we had our final exam and the students did better than I had expected.
Late last week, I formulated the hypothesis that we might have some rogue DHCP servers popping up here and there.
Since the machines that were having the problems revert to a presumed-good image upon reboot, finding the actual problem was a little bit of a challenge. Our only real option was to wait for another outbreak, followed by a focused and temporary capture of network traffic.
A few days ago, we got a call that machines were experiencing browsing difficulties, and we were able to capture some network traffic that confirmed my hypothesis: a box that was not one of our DHCP servers was sending out DHCP offers.
The offers convinced the clients that received them to switch their DNS to an external machine. We block outbound DNS to anything but our own servers, so the result was that the infected machines were no longer able to resolve any host names. Not a good thing, since they are primarily used as web browsers (non-proxied).
As we were wrapping up the incident, segmenting our network even further, putting in additional monitoring, and doing some additional hardening in certain areas, the Internet Storm Center posted a diary message that was timely and on topic. The subject of the message was rogue DHCP servers.
Not even a half-day later, I was on the phone with my previous employer and, lo and behold, they were suffering outages and seeing strange DHCP traffic. It seems that whatever site is offering this Trojan.Flush.M malware is very effective at reaching institutes of higher education world-wide.
Symantec ranks the risk of this malware as "risk level 1: very low". I disagree with this; risk is a function of probability and impact, and looking at my own experiences, both are high. I have first-hand knowledge of at least three institutes that have been hit, and the impact of getting hit (loss of the ability to resolve hostnames) is also large.
How do we defend against this? The most important steps are ensuring proper network segmentation and providing up-to-date anti-malware software on workstations. On servers, you probably want to statically configure your DNS settings. Make sure you can monitor what's happening on your network; block outbound DNS traffic to everything except your own servers, and consider deploying hardened proxy servers for browsing.
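As an added illustration (not code from the original post), here is the kind of check the "additional monitoring" above could run over captured DHCP traffic: it parses a DHCP OFFER payload and flags offers whose server identifier is not on the site's allowlist, or that push clients to resolvers outside the site's own DNS servers. The addresses are constructed sample values, and `build_offer` only fabricates test packets.

```python
import ipaddress

# Constructed sample allowlists for this network (assumptions, not real values).
AUTHORIZED_DHCP_SERVERS = {"10.1.0.1"}
AUTHORIZED_DNS = {"10.1.0.53", "10.1.0.54"}
DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie after the 236-byte BOOTP header

def ip_list(raw: bytes):
    """Decode a run of 4-byte IPv4 addresses (as in DHCP options 6 and 54)."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]

def parse_dhcp(payload: bytes) -> dict:
    """Return op code, offered address and the TLV options of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad option
            i += 1
            continue
        if code == 255:          # end option
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))
    return {"op": payload[0], "yiaddr": yiaddr, "options": opts}

def check_offer(payload: bytes):
    """List findings for a DHCPOFFER; an empty list means the offer looks legitimate."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    if msg["op"] != 2 or opts.get(53) != b"\x02":   # BOOTREPLY carrying DHCPOFFER
        return []
    findings = []
    server = ip_list(opts.get(54, b""))              # option 54: server identifier
    if not server or server[0] not in AUTHORIZED_DHCP_SERVERS:
        findings.append(f"offer from unauthorized server {server[0] if server else 'unknown'}")
    for dns in ip_list(opts.get(6, b"")):            # option 6: DNS servers handed to the client
        if dns not in AUTHORIZED_DNS:
            findings.append(f"offer pushes external resolver {dns}")
    return findings

def build_offer(server: str, dns_servers, yiaddr: str = "10.1.0.77") -> bytes:
    """Construct a minimal DHCPOFFER for testing (sample data, not a real capture)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6                 # BOOTREPLY, Ethernet, 6-byte hwaddr
    hdr[16:20] = ipaddress.IPv4Address(yiaddr).packed
    opts = b"\x35\x01\x02" + b"\x36\x04" + ipaddress.IPv4Address(server).packed
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    return bytes(hdr) + DHCP_MAGIC + opts + b"\x06" + bytes([len(dns_raw)]) + dns_raw + b"\xff"
```

Feed real payloads from a capture (UDP port 67/68 data) into `check_offer` and alert on any non-empty result.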
Sometimes I need to play around with some digital certificates and I do not feel like shelling out a lot of money each time to buy real ones. Here's how to set up your own CA (certificate authority) in a quick-and-dirty way. Please do not use this guideline to set up a real CA!
The scenario in which I am interested is to set up a single root-CA, which signs the certificates of two sub-authorities. The sub-authorities are the entities that actually sign the end-user certificates. I will create one sub-authority to issue person certificates and one to issue site certificates.
A detailed description of my efforts has been posted.
I attended a two-hour presentation by Dr. Peter Tippett of Verizon Business's Cybertrust group at the Grand Hyatt Hotel in New York City (nice!) today.
Dr. Tippett is on tour to let the world know about the data breach investigations report that his team put together and published earlier this year. At the very least, the presentation was entertaining, but there were even some interesting bits here and there.
Dr. Tippett is a scientist.
Back in July, I blogged that I had passed my CISM exam. Today I was pleasantly surprised that all the paperwork had cleared and that I am now officially certified.
Dear Dr. Kees Leune, CISM, CISSP
Congratulations! We are pleased to inform you that on 31 October 2008 the CISM Certification Board approved your application and awarded you the Certified Information Security Manager (CISM) designation.
What's next? We'll see. It's probably time for something more technical. Maybe a SANS class, or maybe something more off-beat, such as the training programs offered by Offensive Security. For the time being, I think I'll just ride the flow a bit and see what comes my way.
Dear Security Professional,
SANS is bringing Security 504: SANS Hacker Techniques, Exploits and Incident Handling to your local community in our popular Mentor hands-on format! Beginning on January 7, SANS Mentor Kees Leune will be leading this class in Garden City, New York. For complete course details, please click on http://www.sans.org/info/34049.
Before registering, please contact me for some referral information!
- Don't underestimate the amount of intel that can be found on social networking sites, such as LinkedIn, Facebook, Myspace, Twitter. It will be almost impossible to control what gets posted, so make sure that you know what information is there. Search for your organization and for your key employees and see what information is posted. Be aware of what others can find out about you as a target and act accordingly.
- Be creative with search engines; check Johnny Long's Google Hacking Database. While you are there, order a copy of his book and support charity. Play around with the Goolag scanner to figure out what you can find.
- Maltego is awesome; use it, play with it, and learn from using it.
- Don't list anything in whois records that you do not have to. Do not list names, email addresses, titles, street addresses, etc. if you do not absolutely have to. Instead of a real name, list a job function. Instead of an individual's email address, list a functional email address. If you do list an individual's email address, make sure that the first part of the email address isn't also the user's login. List a P.O. Box rather than a physical address. Real names and email addresses can be used for social engineering; physical addresses can be used for site visits (for example, to search for WiFi bleeding).
- Use split DNS and do not allow zone transfers.
- Most of all, abide by the adage: don't post online what you don't want to be found.
Unfortunately, I have not had much time to read lately. The only time I really get to see a book is just before bed, and then I usually don't read more than a few pages. Because of this, I was a little hesitant to take on two new titles: The New School of Information Security and Into the Breach. The latter is at the top of my current reading stack for a number of reasons. First of all, Michael handed it to me personally at Defcon. Secondly, it has far fewer pages, so the chances that I actually finish the book are somewhat greater.
Having said that, I just finished part 2 of the book and my opinion of the book is already a very positive one. Santarcangelo captures the true essence of modern information security: information exists to serve users, and users just want to get the job done. Most people are truly willing to do the right thing, but they need to be enabled and empowered to do so.
When a person is confronted with having to choose between finishing the job in a timely enough fashion for senior management to proceed, versus full and unquestioning compliance with information security controls that might prevent him from getting the job done, it is clear what that choice will be.
Just realizing that is paramount.
Information security must never get in the way of doing business.
And yes, that implies that an information security officer must actually know what the business is all about and how it is conducted.
Packet Storm Security points out that New Criminologist features an interesting article which sports the attention-catching title The 10 Most Mysterious Cyber Crimes.
In the write-up, the authors list crimes ranging in time from 1989 (The WANK Worm) when most people had never even heard of this odd thing called the Internet, to more recent times (2008). Some of the mysterious crimes discussed I had never even heard about, which either says a lot about me, or is a serious compliment to the authors.
The list of mysteries is made up of: