BelDin
Jan 29, 2001


Powercrazy posted:

TACACS is great. However, messing with the enable password? Not so great. The reason is the enable password is legacy. It was invented by cisco (little 'c' at the time) because centralized user accounts with differing privilege levels didn't exist yet.

The enable account must be set local to the switch and is only relevant if the switch loses access to the TAC server, usually during a failure scenario. It must be set, otherwise you can't connect to the router except through console. Updating the enable password on some random schedule isn't useful, nor is it more secure. The correct way to do what you are talking about is similar to the way AD works. Every X months, people with TACACs accounts have to change their password, inconvenient for me, but not a bad idea.

If the enable password is known by "bad guys" they can't do anything with it anyway, not without physical access to the equipment. If the enable password isn't known because of overzealous security, then I can't recover a failed router.

As for Cisco 7, who cares? If the security of your organization cannot remain intact because someone can see the running-config of your networking equipment, your security policy is the problem, not the weakly encrypted legacy password. Furthermore, even though Cisco 7 is weak, MD5 is weak enough these days anyway. It's a salted hash that truncates to 6 characters plus 2 characters of salt, based upon the IOS version. A decent computer these days can just brute force it fast enough. But where are all the security experts clamoring about that? There are none, because the locally stored passwords are obsolete in any organization with good security policy. They are used only for backup access in case of network failure.

Your environment should be secure regardless of what details (well except password of course) people have of it.

And just as an aside, if you take your list of things security people do and strip out the application/desktop specific ones, that is a list that every good networking environment should have in the first place. I wish my security group would be yelling at my group that we DON'T have those things; my opinion of them would be a lot better.

Fair enough, I was talking about rotating it every three to six months, not the bullshit you were describing that your security guys want. That takes 5 minutes with something like Kiwi. You'd be surprised at how often set-it-and-forget-it passwords get reused at lax companies, especially for little things like HSRP authentication and VTP. You can cause a lot of havoc with a little information from anywhere on the network if they aren't protecting it.

And as for level 7? When I started at my last organization, most equipment was using a local priv 15 user account and password for enable with no ACLs for remote terminal access. Telnet only, to boot. The http server was turned on, so anyone with the know-how could get full access to most of their switching environment. The running config would also let you know which IPs to spoof. It's all about recon.

You'd be amazed at how many IT workers/departments don't realize that there are even tools that do the things listed above, or that there might be a need. Some security solutions are cost-effective by the dollars saved by not having to fix an incident in the first place.


BelDin
Jan 29, 2001


ming-the-mazdaless posted:

A pentester dropping a nessus report in a client's lap offers NO value. I've seen it done before.
Anyone can run nessus.
Also, re-read my statement. It starts off: gently caress tool running bitches.
This means: Bad pentesters who rely on tools and offer only tool output as reports are bad. Bad pentesters are unwelcome.

Fair enough. Met some of those in my time.

Yeah, I wouldn't pay a pen tester who came in and did just that. If that was the only deliverable on his RoE, shame on the management for agreeing to it.

Powercrazy
Feb 15, 2004

*~I'm Back Boyz~*



I agree with the concept of security; it actually became a hobby of mine when I took my first college level matrices class. Since I got involved in networking, I've heard the security buzzword enough to make me grimace every time I hear it now.

The main problem with the industry:
"Too many low end resources are attracted to security jobs, because it's a buzz industry."

That said, I look forward to dissecting any network policies you guys are thinking of implementing.

Oh, here is a quick networking quiz. How do you secure your "first hop" in a given environment? When I say first hop, I mean the default gateway of a given segment.

BelDin
Jan 29, 2001


Powercrazy posted:

I agree with the concept of security; it actually became a hobby of mine when I took my first college level matrices class. Since I got involved in networking, I've heard the security buzzword enough to make me grimace every time I hear it now.

The main problem with the industry:
"Too many low end resources are attracted to security jobs, because it's a buzz industry."

That said, I look forward to dissecting any network policies you guys are thinking of implementing.

Oh, here is a quick networking quiz. How do you secure your "first hop" in a given environment? When I say first hop, I mean the default gateway of a given segment.

We looked at IP source guard with DHCP snooping (and static entries), and use MD5 hashes on HSRP.

ragzilla
Sep 9, 2005
don't ask me, i only work here




Powercrazy posted:

Oh, here is a quick networking quiz. How do you secure your "first hop" in a given environment? When I say first hop, I mean the default gateway of a given segment.

Guessing workstation environment? You could go either-
PVLAN (so the workstations can't talk direct to each other)
DHCP Snooping / Source Guard

Now for a fun one, how do you secure first hop in IPv6?
(bad news, you can't really unless your switching hardware can drop ipv6 fragments)

Powercrazy
Feb 15, 2004

*~I'm Back Boyz~*



BelDin posted:

We looked at IP source guard with DHCP snooping (and static entries), and use MD5 hashes on HSRP.

Almost there. DHCP snooping is important where PVLANs can't be implemented because it allows you to minimize the impact of a rogue host. But the sad truth is, any segment that allows a host on it is vulnerable to a DoS by misconfiguration. All it takes is for a single host in a given broadcast network to set itself as the same address as the default gateway (usually because the sysadmin puts the default gateway as the IP address).

I like bringing this example up because it isn't a security problem per se; it is a fact of the way modern networking works, and no matter how many ill-written policies you have in place, nor how many Problem Incidence meetings you attend, nor how strict your change management is, at the end of the day if someone misconfigures something, they have a chance of severely impacting the environment.

The "correct" answer is PVLANs, but that isn't always an option, nor is it foolproof, and oftentimes the management burden isn't worth it.

Powercrazy
Feb 15, 2004

*~I'm Back Boyz~*



ragzilla posted:

Guessing workstation environment? You could go either-
PVLAN (so the workstations can't talk direct to each other)
DHCP Snooping / Source Guard

Now for a fun one, how do you secure first hop in IPv6?
(bad news, you can't really unless your switching hardware can drop ipv6 fragments)

You enforce a maximum IPv6 packet size of 1280. The reason for this is that the IPv6 standard hasn't had as long to "cook" as IPv4, thus many of the standards aren't really standards. This causes a lot of problems with fragmentation and path MTU discovery. Setting an 'arbitrary' minimum of 1280 fixes a lot of the path negotiation problems.

CloFan
Nov 5, 2004

In case you haven't noticed, I'm a pilot.

Powercrazy, how big is the bank you work for? Mine is ~$3B, and our info security team consists of two people. We outsource our IT and networking, though.

ragzilla
Sep 9, 2005
don't ask me, i only work here




Powercrazy posted:

You enforce a maximum IPv6 packet size of 1280. The reason for this is that the IPv6 standard hasn't had as long to "cook" as IPv4, thus many of the standards aren't really standards. This causes a lot of problems with fragmentation and path MTU discovery. Setting an 'arbitrary' minimum of 1280 fixes a lot of the path negotiation problems.

How's that stop me from sending unsolicited ND messages claiming to be the gateway? Or heck, even easier, unauthorized RAs?

Powercrazy
Feb 15, 2004

*~I'm Back Boyz~*



One of the Banks found here

It's a sad face because I look at how screwed up my department is, and I can only imagine how bad it is elsewhere.

Powercrazy
Feb 15, 2004

*~I'm Back Boyz~*



ragzilla posted:

How's that stop me from sending unsolicited ND messages claiming to be the gateway? Or heck, even easier, unauthorized RAs?

Well, you already can't stop the host by definition of "rogue host"; however, you can minimize the impact with certain vendor-specific, non-standard solutions.

But yea, in general IPv6 has a bunch of standards problems and no single solution will fix them, especially when a non-trusted host is involved.

BelDin
Jan 29, 2001


Powercrazy posted:

Almost there. DHCP snooping is important where PVLANs can't be implemented because it allows you to minimize the impact of a rogue host. But the sad truth is, any segment that allows a host on it is vulnerable to a DoS by misconfiguration. All it takes is for a single host in a given broadcast network to set itself as the same address as the default gateway (usually because the sysadmin puts the default gateway as the IP address).

I like bringing this example up because it isn't a security problem per se; it is a fact of the way modern networking works, and no matter how many ill-written policies you have in place, nor how many Problem Incidence meetings you attend, nor how strict your change management is, at the end of the day if someone misconfigures something, they have a chance of severely impacting the environment.

The "correct" answer is PVLANs, but that isn't always an option, nor is it foolproof, and oftentimes the management burden isn't worth it.

Sounds like you're trying to guard against accidental/purposeful misconfiguration. I'm trying to protect against someone bringing in a laptop to a public access building with visitor control and performing arp poisoning with the gateway IP or offering rogue dhcp services.

We have 2950s and 2960s at our edge. I'm not sure if they would provide the level of security you are describing since they only support PVLAN edge. That's no different than turning on 'switchport protected' and forcing all traffic between ports to a L3 gateway or another switch, which breaks local subnets for the same VLAN on the same switch.

It's all about the threat that you are intending to mitigate and what you are willing to spend in both time and money to guard against it.

Also, are you concerned with confidentiality, integrity, or availability? In our environment, availability takes a backseat to the other two and you have to find a way to make the system fail secure if possible and mitigate otherwise.

If you have the problem of an administrator giving the gateway IP address as a host address on a regular basis, you fire their rear end because they are bad at IT. We don't allow users to modify IP addresses and enforce sticky macs for the dummies that plug things in. I fail to see how I ever claimed that policies, procedures, or any other security related functions could protect you from a dumbass of an admin.

Luckily, you would have backups of configurations to restore the equipment because it is in your policy to create baselines and backup schedules for equipment deployment that are verified after deployment by security. Also your change control process should have a schedule of changes to be performed at the time maintained by the helpdesk so you can look at them first to see if they broke anything.

BelDin fucked around with this message at Dec 12, 2012 around 04:16

CloFan
Nov 5, 2004

In case you haven't noticed, I'm a pilot.

Powercrazy posted:

One of the Banks found here

It's a sad face because I look at how screwed up my department is, and I can only imagine how bad it is elsewhere.

Ah okay, gotcha. You been hit with a DDoS yet? (Actually I only see 3 on that list that have, so I don't blame you if you don't want to narrow it down that far)

Senior management sees these DDoS reports and asks us what our incident response will be if that were to happen to us. Short of having a separate host for overflow, what else can you do? Weather the storm and watch for fraud is our response; hopefully that's 'good enough' for examiners/audit.

e: for what it's worth, we run a pretty tight ship IS/IT wise. That may be because it's a hell of a lot easier to manage 400 users than however many thousand you employ.

ragzilla
Sep 9, 2005
don't ask me, i only work here




Powercrazy posted:

Well you already can't stop the host by definition of "rogue host," however you can minimize the impact by certain vendor specific non-standard solutions

But yea, in general IPv6 has a bunch of standards problems and no single solution will fix them, especially when a non-trusted host is involved.

You could use RAguard, until Gant demonstrated just about everyone's stack will happily reassemble fragments out of order. So we're stuck with PVLAN and layer 2 separation (hooray unnumbered) until the IETF publishes something which says you can't fragment icmpv6 and the stacks catch up.

Good times.

CloFan posted:

Senior management sees these DDoS reports and asks us what our incident response will be if that were to happen to us. Short of having a separate host for overflow, what else can you do? Weather the storm and watch for fraud is our response; hopefully that's 'good enough' for examiners/audit.

If you're primarily concerned with protecting the web properties you could plan to:
Run low TTL (or GSLB) on web property DNS names.
Black hole the current service addresses in your provider(s) networks, gets DDoS off your pipes.
Engage a DDoS scrubbing SP (various ones around)
Re-publish web properties using the DDoS scrub service until the attack subsides.

Overall downtime would be less than an hour for a well executed/tested plan.

Doesn't address the "they're attacking my primary network exit points which are impractical to renumber" but most attacks would be targeted against the web properties typically.

ragzilla fucked around with this message at Dec 12, 2012 around 04:23

Powercrazy
Feb 15, 2004

*~I'm Back Boyz~*



No it's not an endemic problem. In fact it only happened once that I can recall. I was also able to track it down within 2-3 minutes, and pinpoint the user + port (which I shut) a minute later. It also happened in the UAT environment so it wasn't production impacting. However, it did happen, and there doesn't exist anything to stop something like that from happening "for real."

If someone (a host) is trusted in your environment, fat fingering can and will cause problems for you.

As far as ARP poisoning goes, that is a perfect example of something that can be avoided by good design. ARP can only affect the local subnet (someone fat fingering a default gateway acts as a crude ARP poisoning). If you keep users segregated, hold your server guys to a higher standard, and implement change windows, the chances of a misconfiguration problem decrease significantly. Locking down user stations + PVLANing them is a great idea too. Malicious attacks of that sort are impossible to execute transparently.

If Malicious Bob brings in a laptop to try to cause some havoc, PVLANs + DHCP snooping will shut him down. Assuming your unused port isn't parking-lotted, and shut down, of course.
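The DHCP snooping and IP source guard behaviour this exchange keeps coming back to, as an added Python model that is not from the thread or from any vendor. Port names, MAC addresses, the 10.1.1.0/24 segment and the gateway address are all constructed; the model applies the binding check to both IP and ARP sender fields, where a real Cisco switch uses IP Source Guard for IP and Dynamic ARP Inspection for ARP.

```python
"""Toy model of DHCP snooping plus IP Source Guard on an access switch.

Added example, not from the thread or from any vendor. Bindings are learned
only from DHCP ACKs seen on the trusted uplink; untrusted access ports may
then source only their bound IP/MAC pair. On real switches IP Source Guard
filters IP packets and Dynamic ARP Inspection applies the same binding table
to ARP; this model applies one check to both for brevity.
"""
from dataclasses import dataclass, field

GATEWAY_IP = "10.1.1.1"  # constructed sample segment; the gateway sits behind the uplink


@dataclass
class Frame:
    in_port: str
    src_mac: str
    src_ip: str    # IP header source, or ARP sender protocol address
    proto: str     # "ip" or "arp"


@dataclass
class Switch:
    trusted_ports: set
    bindings: dict = field(default_factory=dict)  # access port -> (mac, ip)
    log: list = field(default_factory=list)

    def dhcp_ack(self, in_port, client_port, client_mac, offered_ip):
        """DHCP snooping: only ACKs arriving on a trusted port create a binding.
        (A real switch learns client_port from the DISCOVER; it is passed in here.)"""
        if in_port not in self.trusted_ports:
            self.log.append(f"drop rogue DHCP ACK on untrusted {in_port}")
            return False
        self.bindings[client_port] = (client_mac, offered_ip)
        return True

    def forward(self, f: Frame) -> bool:
        """IP Source Guard: an untrusted port may only source its bound IP/MAC."""
        if f.in_port in self.trusted_ports:
            return True
        if self.bindings.get(f.in_port) != (f.src_mac, f.src_ip):
            self.log.append(f"drop {f.proto} on {f.in_port} claiming {f.src_ip}/{f.src_mac}")
            return False
        return True


def demo():
    """Returns the switch and the forwarding decision for each scenario."""
    sw = Switch(trusted_ports={"Gi0/1"})  # uplink toward router and DHCP server
    # Legitimate lease for the host on Gi0/5; the ACK is seen on the trusted uplink
    sw.dhcp_ack("Gi0/1", "Gi0/5", "00:11:22:33:44:55", "10.1.1.50")
    # Rogue DHCP server on access port Gi0/7 tries to hand a lease to Gi0/8
    rogue_ack = sw.dhcp_ack("Gi0/7", "Gi0/8", "aa:bb:cc:dd:ee:ff", "10.1.1.99")
    results = {
        "normal": sw.forward(Frame("Gi0/5", "00:11:22:33:44:55", "10.1.1.50", "ip")),
        # admin typed the gateway address into the host's own IP settings
        "fat_finger": sw.forward(Frame("Gi0/5", "00:11:22:33:44:55", GATEWAY_IP, "arp")),
        # deliberate ARP claim of the gateway IP from a port with no binding
        "arp_spoof": sw.forward(Frame("Gi0/8", "aa:bb:cc:dd:ee:ff", GATEWAY_IP, "arp")),
        # the real gateway answering through the trusted uplink
        "gateway": sw.forward(Frame("Gi0/1", "00:de:ad:be:ef:01", GATEWAY_IP, "arp")),
        "rogue_dhcp_binding": rogue_ack,
    }
    return sw, results


if __name__ == "__main__":
    switch, outcome = demo()
    for name, forwarded in outcome.items():
        print(f"{name:20s} {'forwarded' if forwarded else 'dropped'}")
    print("\n".join(switch.log))
```

Note that the fat-fingered host and the deliberate spoofer are handled by the same rule: the port can only speak as the IP/MAC the trusted DHCP server gave it, which is why the thread calls snooping the fallback where PVLANs are not an option.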

Ninja Rope
Oct 22, 2005

Wee.


It shouldn't matter because all of your traffic is using SSL/IPSec/an authenticated and encrypted communication protocol.

Powercrazy
Feb 15, 2004

*~I'm Back Boyz~*



CloFan posted:

Ah okay, gotcha. You been hit with a DDoS yet? (Actually I only see 3 on that list that have, so I don't blame you if you don't want to narrow it down that far)

Actually, my old company (which is not on that list) was hit by a DDoS. I posted about it in the Cisco thread. But yeah, basically our web facing VIPs were hit by somewhere around 10Gig of UDP. I null routed the two impacted addresses at our edge, and that allowed our mail server, etc., to continue to function. Then as far as DDoS mitigation, our CIO employed proxima to "clean" our traffic via DNS redirect.

That was an interesting time for me, to say the least. The cool part was that at the time our edge was a pair of 3560Gs (default routes only), and they didn't flinch. The 5510 ASA cluster behind the edge, on the other hand, was destroyed.

Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?


Do you guys who do this for a living consider 802.1x part of a legit approach to securing the first hop?

Dazzo
Jun 22, 2006


I can talk about some useful forensic artifacts if there is an interest in it. I'll talk about one in this post and if people are still interested I can keep on posting more.

Forensics: AppCompat Cache

The Windows Application Compatibility Cache registry key records data related to compatibility checks Windows does for files executed on the system. From a forensics perspective, the information of interest from this registry key is the execution data. To put it simply, this key will record file executions that occurred on the system. For an analyst investigating a security breach this data can be invaluable for many reasons. A few of these reasons are:

  • If you happen to know file names an attacker used in a compromised environment you can easily determine if the malicious file was executed on a system.
  • You can see when files were executed in relation to other executables. This could yield previously unknown malware and/or attacker working directories.
  • If you happen to know directories an attacker is working out of ("C:\Temp\" as an example) you could potentially identify new malware and/or tools an attacker is using in the environment.
  • You can analyze for weird locations for file executions ("C:\$Recycle.bin\totallynotevil.exe")

Unfortunately the AppCompat Cache isn't the be-all end-all for execution info:

  • It more than likely won't include all files that were ever executed on a system. The AppCompat Cache key can only hold so much data.
  • You more than likely won't be able to pinpoint an exact date and time that a file was executed or even created. More than likely you will be left with a file modification time which if you are lucky will correlate somewhat closely to when it was executed.
  • You can't pinpoint a file execution to a specific user on the system.

Mandiant has a really good blog post talking about the AppCompat Cache. In the blog post there's a whitepaper that is linked (if you want more in depth info) and also a python tool that could be used to parse SYSTEM registry hives for this data.

I ran the python tool on my local desktop and mocked up some additional data for everyone to get a gist of what I'm talking about.

code:
Last Modified Last Update Path File Size Process Exec Flag
10/14/11 06:01:48 N/A C:\Program Files (x86)\Secunia\PSI\sua.exe N/A Yes
11/20/10 13:25:23 N/A C:\Windows\servicing\TrustedInstaller.exe N/A Yes
11/20/10 13:24:52 N/A C:\Windows\system32\LogonUI.exe N/A Yes
05/04/11 05:19:28 N/A C:\Windows\system32\SearchFilterHost.exe N/A Yes
05/04/11 05:19:28 N/A C:\Windows\system32\SearchProtocolHost.exe N/A Yes
11/15/12 14:53:12 N/A C:\Temp\evil.exe N/A Yes
11/12/12 12:23:12 N/A C:\Temp\totallynotevil.exe N/A Yes
11/18/12 17:57:13 N/A C:\Temp\freemoney.exe N/A Yes
07/14/09 01:39:20 N/A c:\program files\windows defender\MpCmdRun.exe N/A Yes
11/20/10 13:25:18 N/A C:\Windows\system32\SndVol.exe N/A Yes
11/20/10 12:18:04 N/A C:\Windows\SysWOW64\audiodev.dll N/A No
11/20/10 12:21:38 N/A C:\Windows\SysWOW64\wpdshext.dll N/A No
11/20/10 12:20:29 N/A C:\Windows\SysWOW64\networkexplorer.dll N/A No
01/04/12 08:58:41 N/A C:\Windows\SysWOW64\ntshrui.dll N/A No
So let's say hypothetically I already knew about "evil.exe". I ran the tool, did a quick control-f and found "evil.exe". Upon closer inspection I also see that "totallynotevil.exe" and "freemoney.exe" were also executed out of the C:\Temp\ directory. Since these three entries are listed one right after another, they were likely all executed around the same time. Unfortunately I have a low confidence that the file modified timestamp recovered reflects when the files were actually created or executed. But hey, I found two more probable pieces of malware!

Dazzo fucked around with this message at Dec 13, 2012 around 02:59
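A triage script for tool output like the listing above, as an added example that is neither Mandiant's tool nor Dazzo's: it parses the flattened rows, flags executions from user-writable or odd directories, and lists the entries adjacent to a known-bad file name, since neighbouring cache entries were likely executed around the same time. The rows embedded below are a subset copied from the post's own listing (mocked-up data to begin with), and the list of suspicious directories is an assumption.

```python
"""Triage helper for AppCompat Cache listings (added example, not the
Mandiant tool). Works on the flattened text rows:
  <mod date> <mod time> <last update> <path with spaces> <size> <Yes|No>
"""
import re
from datetime import datetime

# Constructed sample: a subset of the rows from the listing in the post above.
SAMPLE = """\
Last Modified Last Update Path File Size Process Exec Flag
10/14/11 06:01:48 N/A C:\\Program Files (x86)\\Secunia\\PSI\\sua.exe N/A Yes
11/20/10 13:25:23 N/A C:\\Windows\\servicing\\TrustedInstaller.exe N/A Yes
11/15/12 14:53:12 N/A C:\\Temp\\evil.exe N/A Yes
11/12/12 12:23:12 N/A C:\\Temp\\totallynotevil.exe N/A Yes
11/18/12 17:57:13 N/A C:\\Temp\\freemoney.exe N/A Yes
07/14/09 01:39:20 N/A c:\\program files\\windows defender\\MpCmdRun.exe N/A Yes
11/20/10 12:18:04 N/A C:\\Windows\\SysWOW64\\audiodev.dll N/A No
"""

# Path is matched lazily so that spaces inside "Program Files (x86)" survive;
# the row must still end in "<size> <Yes|No>" for the match to succeed.
ROW = re.compile(
    r"^(?P<mod>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<upd>\S+) "
    r"(?P<path>.+?) (?P<size>\S+) (?P<exec>Yes|No)$"
)

# Assumed list of locations where a legitimately installed binary rarely runs from.
SUSPICIOUS_DIRS = (
    "c:\\temp\\",
    "c:\\$recycle.bin\\",
    "\\appdata\\local\\temp\\",
    "c:\\users\\public\\",
)


def parse(text):
    """Parse the listing into dicts; the header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        rows.append({
            "modified": datetime.strptime(m["mod"], "%m/%d/%y %H:%M:%S"),
            "path": m["path"],
            "executed": m["exec"] == "Yes",
        })
    return rows


def suspicious(rows):
    """Paths with the execution flag set that live in an unusual directory."""
    return [
        r["path"] for r in rows
        if r["executed"] and any(d in r["path"].lower() for d in SUSPICIOUS_DIRS)
    ]


def neighbours(rows, known_bad, window=2):
    """Entries within `window` list positions of a known-bad file name.

    The cache preserves insertion order, so the rows around a known hit are
    the first candidates for previously unknown tooling."""
    suffix = "\\" + known_bad.lower()
    hits = set()
    for i, r in enumerate(rows):
        if not r["path"].lower().endswith(suffix):
            continue
        for j in range(max(0, i - window), min(len(rows), i + window + 1)):
            if j != i:
                hits.add(rows[j]["path"])
    return sorted(hits)


if __name__ == "__main__":
    entries = parse(SAMPLE)
    print("executed from suspicious locations:")
    for p in suspicious(entries):
        print("  ", p)
    print("listed next to evil.exe:")
    for p in neighbours(entries, "evil.exe", window=1):
        print("  ", p)
```

As the post warns, the modification timestamp in each row is not the execution time, so the script only orders and groups entries; it does not claim when anything ran.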

Biowarfare
Nov 8, 2010

ASK ME ABOUT BEING NEXON AMERICA'S ONLY SYSADMIN


http://spider.io/blog/2012/12/inter...r-data-leakage/
http://www.youtube.com/watch?v=qxUa2VWnE8A

quote:

Whilst the Microsoft Security Research Center has acknowledged the vulnerability in Internet Explorer, they have also stated that there are no immediate plans to patch this vulnerability in existing versions of the browser.

Mount Desert
Jan 14, 2010


These posts are going all over the place with no real starting point. If you want to know more about Cybersecurity and Information Assurance then you need to understand the history of cyber as far as National Security as well as current Cyber Law.

In short (I'm lying):

DHS and President
In '96, Clinton enacted Executive Order 13010, commissioning a report on the President's Commission on Critical Infrastructure Protection, which noted that cyber practices of the day offered poo poo as far as security and we, as a Nation, would totally be screwed if it wasn't addressed. It also added some high level concepts.

Commercial cybersecurity before that (and really not until the mid-2000's) didn't exist as we know it because there wasn't really a demand. Back then if you were capable of cybersec/sigint/opsec/infoass you were either working for the gov, a researcher, or a hacker.

In '98, Clinton issued Presidential Decision Directive 63 which would try to implement said concepts from the PCCIP. PDD-63 enabled the creation of the National Infrastructure Protection Plan (NIPP), National Infrastructure Protection Center (NIPC) now known as the National Cyber Incident Command (NCIC), and Information Sharing and Analysis Centers (ISACs).

Okay, now we fast forward to Bush and Sept. 11. poo poo has hit the fan and fingers are being pointed everywhere; agencies and departments aren't speaking to each other. Bush puts his big boy pants on and issues Executive Order 13231 on Critical Infrastructure Protection in the Information Age as well as signing the USA PATRIOT Act into law. Both serve to legally define critical infrastructure and coordinate Federal cyber efforts in its protection. Bush also issues Executive Order 13228 which shoves 22 separate agencies into one Department of Homeland Security which oversees all National Security efforts from border patrol to cyber protections of critical infrastructure.

In '03, Bush issues Homeland Security Presidential Directive 7 (it's an Executive Order, they're the same thing) and DHS releases the National Strategy for a Secure Cyberspace. HSPD7 updates the existing critical infrastructure policy including the roles and responsibilities of agencies as well as finally getting around to creating that NIPP that Clinton said we should have done back in '98. US-CERT (cyber security portion of DHS) is also created in 2003.

It's about at this time (mid-2000's) that we start seeing commercial cybersecurity in its infancy. There are little to no network or operating standards, nor security certification standards, much less a known need by commercial business as to why they should spend money on fixing a nightmare of a network or develop hardware/software with security in mind.

In '06, the NIPP was finalized but revised in '09 because the cyber part was awful. Again in '09, Obama issues Presidential Policy Directive 1, which institutes the National Security Council, and PPD5, which addresses incident management and cyber contingency plans. In '10, DHS releases the National Cyber Incident Response Plan (NCIRP) as well as instituting the National Incident Management System (NIMS). Falalala, there is a bunch of other stuff in this time frame like CSA2012, CISPA, PPD 19&20.

As you can see it's a fairly complicated history, but it's very important to understand.

Department of Defense
Basically the DoD serves as an operational model for DHS. They have the most secure networks and best policies and operating practices as well as the fanciest toys, however they act under a totally different umbrella.

Here we get to dive into the fun pool of USCode Titles. What you need to know is the difference between Title 6, 10, & 50 (Domestic Security, Armed Forces, and "Intelligence"). Although the EFF would have you think we live in 1984, we do, the Government does operate under very strict guidelines. That's more than can be said about commercial privacy practices.

There has always been a cyber component to the DoD and, within the past few years, there have been some pretty exciting developments such as CyberCommand in '09 and a bunch of strategies. Our operating domains are now the land, air, sea, space and cyberspace, which holds quite a bit of significance. Within the DoD there are plenty of other cyber related agencies such as DISA, DIA, SPAWAR, etc.

Cyber Law
Someone mentioned FISMA which is fine and dandy but you also need to know ECPA and FISA. Keeping up to date on current rulings would be a good step too, especially the Supreme Court rulings. Cyber law is in constant flux and formerly "common acceptable practices" keep getting challenged, and for good reason.

Mount Desert fucked around with this message at Dec 13, 2012 around 06:58

Mount Desert
Jan 14, 2010


So, Cybersecurity generally arose from our Government focusing on Critical Infrastructure. Through the DoD, policy as well as "secure" technical and operating procedures were developed. DHS works on implementing those policies as well as building public-private partnerships in an effort to promote cybersecurity practices to private commercial businesses.

The NIST 800 series sets the standards for Government cyber policy and network and DoDD 8570 implements required certifications for cyber positions. Both of which influence the general cyber practices at a commercial level.

Drunk Badger
Aug 27, 2012


Dazzo posted:

I can talk about some useful forensic artifacts if there is an interest in it. I'll talk about one in this post and if people are still interested I can keep on posting more.


Please do, this is interesting.

I'll probably organize some of the useful posts into the OP this weekend.

Powercrazy
Feb 15, 2004

*~I'm Back Boyz~*



Mount Desert posted:

These posts are going all over the place with no real starting point. If you want to know more about Cybersecurity and Information Assurance then you need to understand the history of cyber as far as National Security as well as current Cyber Law.

In short (I'm lying):

DHS and President
In '96, Clinton enacted Executive Order 13010, commissioning a report on the President's Commission on Critical Infrastructure Protection, which noted that cyber practices of the day offered poo poo as far as security and we, as a Nation, would totally be screwed if it wasn't addressed. It also added some high level concepts.

Commercial cybersecurity before that (and really not until the mid-2000's) didn't exist as we know it because there wasn't really a demand. Back then if you were capable of cybersec/sigint/opsec/infoass you were either working for the gov, a researcher, or a hacker.

In '98, Clinton issued Presidential Decision Directive 63 which would try to implement said concepts from the PCCIP. PDD-63 enabled the creation of the National Infrastructure Protection Plan (NIPP), National Infrastructure Protection Center (NIPC) now known as the National Cyber Incident Command (NCIC), and Information Sharing and Analysis Centers (ISACs).

Okay, now we fast forward to Bush and Sept. 11. poo poo has hit the fan and fingers are being pointed everywhere; agencies and departments aren't speaking to each other. Bush puts his big boy pants on and issues Executive Order 13231 on Critical Infrastructure Protection in the Information Age as well as signing the USA PATRIOT Act into law. Both serve to legally define critical infrastructure and coordinate Federal cyber efforts in its protection. Bush also issues Executive Order 13228 which shoves 22 separate agencies into one Department of Homeland Security which oversees all National Security efforts from border patrol to cyber protections of critical infrastructure.

In '03, Bush issues Homeland Security Presidential Directive 7 (it's an Executive Order, they're the same thing) and DHS releases the National Strategy for a Secure Cyberspace. HSPD7 updates the existing critical infrastructure policy including the roles and responsibilities of agencies as well as finally getting around to creating that NIPP that Clinton said we should have done back in '98. US-CERT (cyber security portion of DHS) is also created in 2003.

It's about at this time (mid-2000's) that we start seeing commercial cybersecurity in its infancy. There are little to no network or operating standards, nor security certification standards, much less a known need by commercial business as to why they should spend money on fixing a nightmare of a network or develop hardware/software with security in mind.

In '06, the NIPP was finalized but revised in '09 because the cyber part was awful. Again in '09, Obama issues Presidential Policy Directive 1, which institutes the National Security Council, and PPD5, which addresses incident management and cyber contingency plans. In '10, DHS releases the National Cyber Incident Response Plan (NCIRP) as well as instituting the National Incident Management System (NIMS). Falalala, there is a bunch of other stuff in this time frame like CSA2012, CISPA, PPD 19&20.

As you can see it's a fairly complicated history, but it's very important to understand.

Department of Defense
Basically the DoD serves as an operational model for DHS. They have the most secure networks and best policies and operating practices as well as the fanciest toys, however they act under a totally different umbrella.

Here we get to dive into the fun pool of USCode Titles. What you need to know is the difference between Title 6, 10, & 50 (Domestic Security, Armed Forces, and "Intelligence"). Although the EFF would have you think we live in 1984, we do, the Government does operate under very strict guidelines. That's more than can be said about commercial privacy practices.

There has always been a cyber component to the DoD and, within the past few years, there have been some pretty exciting developments such as CyberCommand in '09 and a bunch of strategies. Our operating domains are now the land, air, sea, space and cyberspace, which holds quite a bit of significance. Within the DoD there are plenty of other cyber related agencies such as DISA, DIA, SPAWAR, etc.

Cyber Law
Someone mentioned FISMA which is fine and dandy but you also need to know ECPA and FISA. Keeping up to date on current rulings would be a good step too, especially the Supreme Court rulings. Cyber law is in constant flux and formerly "common acceptable practices" keep getting challenged, and for good reason.

So this sounds like a lot of bureaucracy, but is it actually useful for anything besides having a job that exists because a president was told the internet was 'a thing?'

Court rulings should have no impact on your security policy. If you have a good security policy you are already way ahead of the bureaucracy. Let the auditors tell you what they want, then you tell them how you have already done it 10 years ago. DO NOT let them tell you how to do it.

QuiteEasilyDone
Jul 1, 2010

Won't you play with me?


By the time something makes it through the paper work mill, it's likely been years since the initial incident / publicized correction in the behavior / procedure that addresses it. It will literally be too little too late. The new standards coming out should be the bare minimum by which you test your policies and vulnerabilities against.

FreelanceSocialist
Nov 19, 2002


Sorry if this isn't the best thread for this, but it seems like a good place to ask.

I start at a new job next week that will require full-disk encryption if I intend to use my laptop for work-related stuff while traveling (and I do, since I am technically going to be on-call 24/7).

I currently have a standard 7200rpm drive w/ full-disk encryption via TrueCrypt, but I am itching to swap in an SSD. TrueCrypt doesn't play nice with SSDs, I heard. What are my options for FIPS 140-2 compliance with an SSD?

FreelanceSocialist fucked around with this message at Dec 14, 2012 around 00:29

Dazzo
Jun 22, 2006


Alright here's another one.

Forensics: Registry Shellbags

The very rough description of registry shellbags is that it is what windows uses to keep track of certain properties of folders when using Windows Explorer. If you want to get more info on shellbags I recommend Willi Ballenthin's page on shellbags or this really in depth white paper.

The forensic advantage to shellbags is that it could be used to figure out where and often when someone browsed to using Windows Explorer. As an added bonus, shellbags will still contain information even if the directory that was browsed to was deleted or if a volume accessed (whether it be a thumb drive or a network share) isn't mounted anymore.

So to put it into simple terms. If you suspect unauthorized access to a system, you can use shellbags to figure out what locations they browsed to with Windows Explorer. Perhaps that someone browsed to benign locations or perhaps they browsed to a network share containing source code to your company's closed source software product. Shellbags may have the answer.

Like last time I used a freely available tool on my local system to show what you would be looking at if you were to run the tool against a specific user's NTUSER.DAT (for XP or Server 2003) or USRCLASS.DAT (for Win7 or Server 2008) registry hive. Two really good tools to use are Willi Ballenthin's Shellbags.py or TZWorks sbag.exe. In this example I used sbag.exe. Also please note I removed several columns from the output so as to prevent table breaking. The columns I removed were directory modified, created, and accessed timestamps. From personal experience, the most reliable timestamp to use to determine when a directory was accessed would be the registry key modified time. Here is a random sampling of shellbags from my local machine:

code:
regdate    | regtime[UTC] | type  | bag  | file size  | full path                                                                                                                                  | source subkey/value name  
12/11/2012 | 01:00:57.624 | dir   |  305 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\                                                | Shell\BagMRU\0\0\0\3\0\0\28          
12/02/2012 | 21:14:30.172 | dir   |  320 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\localisation\                                   | Shell\BagMRU\0\0\0\3\0\0\28\3        
12/02/2012 | 21:14:30.172 | dir   |  319 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\map\                                            | Shell\BagMRU\0\0\0\3\0\0\28\2        
12/02/2012 | 21:14:30.172 | dir   |  307 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\                                            | Shell\BagMRU\0\0\0\3\0\0\28\0        
12/11/2012 | 01:04:34.896 | dir   |  807 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\A Game of Thrones\                          | Shell\BagMRU\0\0\0\3\0\0\28\0\6      
12/11/2012 | 01:04:34.896 | dir   |  368 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\CK2 Heraldry\                               | Shell\BagMRU\0\0\0\3\0\0\28\0\3      
12/11/2012 | 01:04:34.896 | dir   |  431 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\CK2Plus - No Empires\                       | Shell\BagMRU\0\0\0\3\0\0\28\0\5      
12/11/2012 | 01:04:34.896 | dir   |  920 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\CK2Plus No Assaults\                        | Shell\BagMRU\0\0\0\3\0\0\28\0\7      
12/11/2012 | 01:04:34.896 | dir   |  427 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\CK2Plus\                                    | Shell\BagMRU\0\0\0\3\0\0\28\0\4      
11/29/2012 | 02:43:00.205 | dir   |  903 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\CK2Plus\common\                             | Shell\BagMRU\0\0\0\3\0\0\28\0\4\0    
12/11/2012 | 01:04:34.896 | dir   |  344 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\mod\                                        | Shell\BagMRU\0\0\0\3\0\0\28\0\2      
12/11/2012 | 01:04:34.896 | dir   |  340 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\PMM\                                        | Shell\BagMRU\0\0\0\3\0\0\28\0\1      
12/11/2012 | 01:04:34.896 | dir   |  309 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\WizMOD\                                     | Shell\BagMRU\0\0\0\3\0\0\28\0\0      
02/21/2012 | 19:10:44.799 | dir   |  318 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\WizMOD\common\                              | Shell\BagMRU\0\0\0\3\0\0\28\0\0\7    
02/21/2012 | 19:10:44.799 | dir   |  316 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\WizMOD\decisions\                           | Shell\BagMRU\0\0\0\3\0\0\28\0\0\5    
02/21/2012 | 19:10:44.799 | dir   |  315 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\WizMOD\events\                              | Shell\BagMRU\0\0\0\3\0\0\28\0\0\4    
02/21/2012 | 19:10:44.799 | dir   |  314 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\WizMOD\gfx\                                 | Shell\BagMRU\0\0\0\3\0\0\28\0\0\3    
02/21/2012 | 19:10:44.799 | dir   |  313 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\WizMOD\history\                             | Shell\BagMRU\0\0\0\3\0\0\28\0\0\2    
02/21/2012 | 18:52:34.965 | dir   |  334 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\WizMOD\history\characters\                  | Shell\BagMRU\0\0\0\3\0\0\28\0\0\2\0  
02/21/2012 | 18:52:34.965 | dir   |  335 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\WizMOD\history\provinces\                   | Shell\BagMRU\0\0\0\3\0\0\28\0\0\2\1  
02/21/2012 | 18:52:34.965 | dir   |  336 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\WizMOD\history\titles\                      | Shell\BagMRU\0\0\0\3\0\0\28\0\0\2\2  
02/21/2012 | 19:10:44.799 | dir   |  317 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\WizMOD\interface\                           | Shell\BagMRU\0\0\0\3\0\0\28\0\0\6    
02/21/2012 | 19:10:44.799 | dir   |  311 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\WizMOD\localisation\                        | Shell\BagMRU\0\0\0\3\0\0\28\0\0\0    
02/21/2012 | 19:10:44.799 | dir   |  312 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\mod\WizMOD\map\                                 | Shell\BagMRU\0\0\0\3\0\0\28\0\0\1    
12/02/2012 | 21:14:30.172 | dir   |  310 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\music\                                          | Shell\BagMRU\0\0\0\3\0\0\28\1        
12/02/2012 | 21:14:30.172 | dir   |  881 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crusader kings ii\sound\                                          | Shell\BagMRU\0\0\0\3\0\0\28\4        
12/11/2012 | 01:00:57.624 | dir   |  301 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\cryostasis\                                                       | Shell\BagMRU\0\0\0\3\0\0\24          
12/11/2012 | 01:00:57.624 | dir   |  880 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\steamapps\common\crysis warhead\                                                   | Shell\BagMRU\0\0\0\3\0\0\86          
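As an added example (not from the post, and not the code of TZWorks sbag.exe or Willi Ballenthin's shellbags.py), here is how an analyst can turn sbag-style pipe-delimited output into a directory-access timeline keyed on the registry-key modified time, and flag folders that live outside the system drive (other volumes, network shares), which is exactly the "did they browse to the source-code share" question above. The sample rows are constructed to mirror the column layout shown in the post; the `{CLSID_MyNetworkPlaces}` prefix and the UNC form of the share path are assumptions about how a tool would render a network location, not observed output.

```python
"""Build a directory-access timeline from sbag.exe-style output (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample rows in the same column layout as the post's table.
# The network-share row uses an assumed namespace prefix and UNC rendering.
SAMPLE = r"""
regdate    | regtime[UTC] | type  | bag  | file size  | full path                                                 | source subkey/value name
12/11/2012 | 01:00:57.624 | dir   |  305 |            | Desktop\{CLSID_MyComputer}\C:\Program Files (x86)\Steam\     | Shell\BagMRU\0\0\0\3
12/13/2012 | 03:12:09.001 | dir   |  412 |            | Desktop\{CLSID_MyComputer}\E:\payroll\                       | Shell\BagMRU\0\0\1\4
12/13/2012 | 03:14:50.330 | dir   |  413 |            | Desktop\{CLSID_MyNetworkPlaces}\\\fileserver\src\release\    | Shell\BagMRU\0\1\0\2
"""

# "Desktop\{SOME_CLSID}\" prefix that the shell namespace puts in front of a path.
PREFIX = re.compile(r"^Desktop\\\{[^}]+\}\\")


def parse_sbag(text):
    """Parse pipe-delimited rows into dicts; the header row names the keys.
    Rows with fewer cells than the header (e.g. a truncated last line) are skipped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [c.strip() for c in lines[0].split("|")]
    rows = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < len(header):
            continue
        rec = dict(zip(header, cells))
        # regdate is MM/DD/YYYY, regtime is HH:MM:SS.mmm, both UTC per the header.
        rec["when"] = datetime.strptime(
            rec["regdate"] + " " + rec["regtime[UTC]"], "%m/%d/%Y %H:%M:%S.%f"
        ).replace(tzinfo=timezone.utc)
        rows.append(rec)
    return rows


def classify(full_path):
    """Rough origin of a browsed folder: system drive, another volume, or a network (UNC) path."""
    rest = PREFIX.sub("", full_path)
    if rest.startswith("\\\\"):
        return "network"
    m = re.match(r"^([A-Z]):\\", rest)
    if m:
        return "system" if m.group(1) == "C" else "volume:" + m.group(1)
    return "unknown"


def timeline(rows, since=None):
    """(ISO time, origin, path) tuples ordered by registry-key write time,
    which the post recommends as the most reliable access timestamp."""
    ordered = sorted(rows, key=lambda r: r["when"])
    if since is not None:
        ordered = [r for r in ordered if r["when"] >= since]
    return [(r["when"].isoformat(), classify(r["full path"]), r["full path"]) for r in ordered]


def flag_offsystem(rows):
    """Paths that are not on the system drive: removable media, other volumes, shares."""
    return [r["full path"] for r in rows if classify(r["full path"]) != "system"]


if __name__ == "__main__":
    parsed = parse_sbag(SAMPLE)
    for when, origin, path in timeline(parsed):
        print(f"{when}  {origin:10}  {path}")
    print("off-system folders:", flag_offsystem(parsed))
```

Feed the real tool's output in through `parse_sbag` (it only needs the header row and the pipe layout); the `since` argument of `timeline` lets you restrict the view to the window of the suspected access, and `flag_offsystem` is the quick answer to "did this account touch anything that wasn't on C:".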

devmd01
Mar 7, 2006

SEE MORE NOW at hinchtown.com

WARNING! Web Content Unrated!


Just sat through the informal review of our yearly pentest conducted by an outside company. It wasn't quite the that it was last year, and the major jumping-off point for their success was a machine with vnc that the network team was responsible for.

Everything they discovered that affects the areas I'm responsible for can be fixed in 5 minutes with group policy.

Ninja Rope
Oct 22, 2005

Wee.


Who doesn't love hash key collision attacks? Hopefully no one is running btrfs in production (for more reasons than just this, of course).

Powercrazy
Feb 15, 2004

*~I'm Back Boyz~*

If you can read this your style sheet is a PoS.


Ninja Rope posted:

Who doesn't love hash key collision attacks? Hopefully no one is running btrfs in production (for more reasons than just this, of course).

That's a cool attack.

Drunk Badger
Aug 27, 2012


OP's been updated with some things I've found interesting, if you see something that isn't there but should be, let me know.

Also, it seems AlienVault got an update that makes it run less terribly. I finally got it set up and it's giving me useful information.

taremva
Mar 5, 2009


This was posted in one of the ranting threads at one point, some of you might enjoy it: Infosec reactions

Ninja Rope
Oct 22, 2005

Wee.


Any idea why Google is using a Thawte SSL cert now? Google is their own CA and I haven't seen them use anyone else's SSL cert in... years.

ming-the-mazdaless
Nov 30, 2005

Whore funded horsepower

Anyone here used Nuix for e-discovery? Used it for anything else? What are your experiences? Is the real life ingestion rate as good as advertised?

fivre
Nov 7, 2011

This is my side of the lint; that's your side of the lint.

So I have my nice Linux VPS sitting around that has basically up-to-date Linux and nothing running other than sshd and bitlbee, and probably a web server of some sort later. iptables drops everything coming from outside directed at anything other than port 22 and sshguard is running. What should I be worrying about/trying beyond that and is there any interesting visualization of the iptables drop logs?
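On the drop-log visualization question, here is an added example (not from the thread) that summarises iptables LOG-target lines into per-source and per-destination-port counts, draws a text bar chart, and calls out sources that probed many distinct ports. The log lines are constructed; they assume the DROP rule is preceded by a LOG rule with `--log-prefix "IPT-DROP: "`, which is an assumption about the setup, not something the poster stated.

```python
"""Summarise iptables LOG-target drop lines (added example, constructed data)."""
import re
from collections import Counter, defaultdict

PREFIX = "IPT-DROP:"                      # assumed --log-prefix on the LOG rule
KV = re.compile(r"\b([A-Z]+)=(\S*)")      # KEY=value tokens netfilter writes

# Constructed sample: one noisy source sweeping several ports, one source
# hammering port 22, one UDP probe, and an unrelated sshd line to be ignored.
SAMPLE_LOG = [
    "Dec 14 00:12:31 vps kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Dec 14 00:12:32 vps kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=54322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Dec 14 00:12:32 vps kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=54323 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Dec 14 00:12:33 vps kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=54324 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Dec 14 00:12:33 vps kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=54325 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Dec 14 00:15:02 vps kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.7 LEN=60 TTL=48 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Dec 14 00:15:09 vps kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.7 LEN=60 TTL=48 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Dec 14 00:20:45 vps kernel: IPT-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 LEN=64 TTL=60 ID=7 PROTO=UDP SPT=1337 DPT=53 LEN=44",
    "Dec 14 00:21:00 vps sshd[2201]: Accepted publickey for alice from 198.51.100.50 port 50012 ssh2",
]


def parse_line(line):
    """Return {src, dst, proto, dpt} for a drop line, or None for anything else."""
    if PREFIX not in line:
        return None
    fields = dict(KV.findall(line.split(PREFIX, 1)[1]))
    return {
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def summarize(lines):
    """Parsed records plus counts per source address and per proto/port."""
    recs = [r for r in map(parse_line, lines) if r]
    by_src = Counter(r["src"] for r in recs)
    by_dpt = Counter(f'{r["proto"]}/{r["dpt"]}' for r in recs if r["dpt"] is not None)
    return recs, by_src, by_dpt


def sweep_sources(recs, min_ports=5):
    """Sources that hit at least `min_ports` distinct destination ports:
    the signature of a port sweep rather than a single-service brute force."""
    ports = defaultdict(set)
    for r in recs:
        if r["dpt"] is not None:
            ports[r["src"]].add(r["dpt"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def bars(counter, width=40):
    """Plain-text horizontal bar chart, largest count first."""
    top = counter.most_common()
    scale = width / max(c for _, c in top) if top else 1
    return "\n".join(f"{k:>20} {'#' * int(c * scale):<{width}} {c}" for k, c in top)


if __name__ == "__main__":
    recs, by_src, by_dpt = summarize(SAMPLE_LOG)
    print("drops by source\n" + bars(by_src))
    print("\ndrops by destination port\n" + bars(by_dpt))
    print("\nport sweep suspects:", sweep_sources(recs))
```

Pipe `journalctl -k` or `/var/log/kern.log` into `summarize` to run it on a real box; the sweep list is the part worth acting on, since a single source touching many ports is the pattern a port-scan rule would key on, whereas a pile of drops on one port is usually just background noise.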

Nystral
Feb 6, 2002

Every man likes a pretty girl with him at a skeleton dance.

Dazzo posted:

I can talk about some useful forensic artifacts if there is an interest in it. I'll talk about one in this post and if people are still interested I can keep on posting more.

As an IR geek at my current company this is the type of stuff I really like. 95% of my job is log analysis and staring at lines of text looking for anything interesting that pops up when I load the thing in vi and start to cut extra crap. Given I work for a software developer and we allow our beautiful and unique snowflakes local admin rights makes life... fun when poo poo hits the fan.

XakEp
Dec 20, 2002
Amor est vitae essentia

This is a handy thread, as I'm starting to transition my career focus from Network Engineering to security/pentesting. Been doing plenty of reading and practicing. Good stuff!

Varkk
Apr 17, 2004


fivre posted:

So I have my nice Linux VPS sitting around with that has basically up-to-date Linux and nothing running other than sshd and bitlbee, and probably a web server of some sort later. iptables drops everything coming from outside directed at anything other than port 22 and sshguard is running. What should I be worrying about/trying beyond that and is there any interesting visualiztion of the iptables drop logs?

There are a few hints here for securing SSH, in particular shifting the port SSH uses will help cut down on people who scan for open port 22 and then try to break in. Sure sshguard will protect against bruteforce attacks, but this will provide a little bit more protection. In addition disabling password logins and using key based authentication will also provide a bit more security as well as limiting remote logins to only a very limited number of accounts. Certainly disable root from logging in via SSH.
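The hardening steps in the reply above (key-only authentication, no root login, an explicit allow-list of accounts) are easy to check mechanically. Here is an added example (not from the thread) that parses the global section of an sshd_config and reports which of those settings are still permissive; both configs are constructed, and `alice` and `bob` are placeholder user names.

```python
"""Audit the global section of an sshd_config for the hardening steps above (added example)."""

WEAK_CONFIG = """\
# constructed: a permissive, near-default config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed: key-only, root locked out, explicit allow-list
Port 34561
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob
"""


def parse_sshd_config(text):
    """Return {option_lowercase: value} for the global section.
    Like sshd, the first occurrence of an option wins; parsing stops at the
    first Match block, whose conditional overrides are out of scope here."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts


def audit(opts):
    """List (option, finding) pairs. Absent options are judged conservatively:
    upstream defaults differ between OpenSSH versions, so anything not explicitly
    set to the safe value is reported."""
    findings = []
    if opts.get("passwordauthentication", "yes") != "no":
        findings.append(("PasswordAuthentication",
                         "not 'no': password guessing against sshd remains possible"))
    if opts.get("challengeresponseauthentication", "yes") != "no":
        findings.append(("ChallengeResponseAuthentication",
                         "not 'no': keyboard-interactive can still take a password via PAM"))
    if opts.get("permitrootlogin", "yes") != "no":
        findings.append(("PermitRootLogin", "not 'no': root is reachable over SSH"))
    if opts.get("pubkeyauthentication", "yes") != "yes":
        findings.append(("PubkeyAuthentication", "disabled, so key-only login is impossible"))
    if not ("allowusers" in opts or "allowgroups" in opts):
        findings.append(("AllowUsers/AllowGroups",
                         "absent: every local account may attempt an SSH login"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(parse_sshd_config(cfg))
        print(f"{name}: {len(result)} finding(s)")
        for option, msg in result:
            print(f"  {option}: {msg}")
```

Run it against `/etc/sshd_config` (or `sshd -T` output, which prints the effective values and also resolves Match blocks) after each change. The port is deliberately not scored: moving it reduces log noise, as the follow-up replies discuss, but it is not an authentication control.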

luminalflux
May 27, 2005



Varkk posted:

in particular shifting the port SSH uses will help cut down on people who scan for open port 22 and then try to break in.

Feels like that won't fool anyone with nmap or Nessus that's more dedicated than "scan net for open port 22", but actually pays attention to the services on various ports


Varkk
Apr 17, 2004


It will help with the script kiddies who set up a scan of an IP range looking for vulnerable SSH boxes. They won't spend much time scanning every single port on every IP and instead go for a few highly likely ones on each IP. Considering people who have SSH listening on the default port on the open internet are also more likely to have an outdated SSH or a weak password etc. Sure, if someone does a full port scan of your IP they will find SSH listening on port 34561 or whatever, but by the time they hit that port hopefully your firewall has already detected the port scan attempt and started dropping their packets.
