Thursday, July 9, 2009

Information Security Summit

Reprint from announcement:

7th Annual Information Security Summit
October 29-30, 2009
Pre-Summit Training October 26-28, 2009
Registration is now open for the 2009 Information Security Summit. This year’s event features pre-Summit training opportunities and 2 days of talks, presentations, hands-on workshops, a vendor trade-show fair and much more! Information Security Technology, Business/Management, Law Enforcement, Career Development, Compliance and Legal issues will be featured. Joel Snyder of Opus One will be our Thursday Keynote Speaker. Our theme this year is Information Security on a Shoestring Budget.
Pre-Summit training opportunities include:
Forensics from Len Drinkard
Open Source Technologies from Bill Mathews
NACS – Joel Snyder
Malware Analysis from Tyler Hudak
Incident Response from Mandiant
Keynote speakers scheduled:
Joel Snyder from Opus One
John O'Leary from O'Leary Management Education
Grady Summers & Richard Bejtlich from General Electric
Check our website at http://www.informationsecuritysummit.org for a complete list of training options and other conference details.
Our event this year will be held at:
Corporate College East.
4400 Richmond Road
Warrensville Heights, Ohio.
This facility is a quarter of a mile from Tri-C's Eastern Campus and is easily accessible from Interstate 271. Our recommended hotel for overnight guests is the Embassy Suites at 3775 Park East Drive in Beachwood as they offer complimentary shuttle service to and from Corporate College.
Register at https://www.informationsecuritysummit.org/register.php. We look forward to seeing you at the Summit!
The 2009 Summit Planning Committee

Wednesday, July 1, 2009

Network Access Control (NAC) and You

This month I've been doing a lot of work with various network access control (NAC) solutions for various customers. The bottom line is that most, if not all, of them are horribly flawed. Some assume that the computer is the user and authorize the MAC (media access control) address, requiring no authentication on the part of the user. In this scenario, if an attacker gets control of a machine (or, more likely, a user leaves their machine unlocked and walks away), then the unauthorized person has full access as if they were the legitimate user. This is probably the most popular sort of NAC solution, as it doesn't really require an agent to be installed and is fairly transparent to the user base.

The second type I've run across requires an agent to be installed and run on the client side, which then checks in with some sort of server piece for authorization. This can be a better solution, but it becomes a support headache as you install thousands of clients, and what happens when you have a workstation that isn't supported by the agent? You then have to make an exception for that workstation and defeat the whole purpose of your NAC project. There are probably several other issues with this one, but in my limited testing I didn't run across many others.

The final type I've run across is popularly referred to as a "captive portal". Essentially a server piece picks up (usually from a switch) when you connect and moves you to an isolation VLAN where you can only get to a portal page. Typically this portal page can be integrated with Active Directory or any other authentication mechanism of choice, and it allows a user to log in, which authorizes them to be on the network and do whatever they wish and are allowed to do. The drawback here is that you hand over control of your switch to some automated device, which can be scary, and you have to trust it to do its job 100% effectively. Out of all these NAC "solutions" I've been testing, this is by far my favorite one, even though it makes users aware of the system. To be fair, though, a lot of vendors (and Open Source NAC projects) allow for some hybrid of these, so as always your mileage may vary.
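To make the three styles concrete, here is a small Python model of each authorization decision, written as an added example for this post rather than taken from any NAC product. The VLAN numbers, MAC addresses, the in-memory user directory (standing in for Active Directory) and the idle timeout are all constructed for illustration; the point is which events each style re-checks and which it never does.

```python
"""Toy model of the three NAC styles described above. Added example, not
code from any NAC vendor; VLAN numbers, MACs, the user directory and the
class/method names are all constructed assumptions for illustration."""
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

ISOLATION_VLAN = 999    # constructed: quarantine VLAN, portal page only
PRODUCTION_VLAN = 10    # constructed: normal user VLAN


class MacOnlyNac:
    """Style 1: authorize the switch port purely by MAC address. Nothing ties
    the port to a person, so whoever sits at an unlocked machine inherits its
    access, and nothing ever re-checks after link-up."""

    def __init__(self, known_macs: Iterable[str]):
        self.known = {m.lower() for m in known_macs}

    def link_up(self, mac: str) -> int:
        return PRODUCTION_VLAN if mac.lower() in self.known else ISOLATION_VLAN


class AgentNac:
    """Style 2: an endpoint agent reports posture. Platforms the agent does
    not support end up on an exception list, and exceptions bypass the check."""

    def __init__(self, supported_os: Iterable[str], exceptions: Iterable[str] = ()):
        self.supported_os = set(supported_os)
        self.exceptions = {m.lower() for m in exceptions}

    def link_up(self, mac: str, os_name: str, posture_ok: bool) -> int:
        if mac.lower() in self.exceptions:
            return PRODUCTION_VLAN          # the exception hole the post describes
        if os_name not in self.supported_os:
            return ISOLATION_VLAN           # no agent, no network
        return PRODUCTION_VLAN if posture_ok else ISOLATION_VLAN


@dataclass
class PortalSession:
    mac: str
    user: Optional[str] = None
    vlan: int = ISOLATION_VLAN
    idle_seconds: int = 0


class PortalNac:
    """Style 3: captive portal. A port starts in the isolation VLAN; a login
    verified against the directory moves it to production, and an idle timeout
    sends it back, so access is bound to a user and to a time window."""

    def __init__(self, directory: Dict[str, str], idle_timeout: int = 900):
        self.directory = directory          # constructed stand-in for AD/LDAP
        self.idle_timeout = idle_timeout
        self.sessions: Dict[str, PortalSession] = {}

    def link_up(self, mac: str) -> int:
        self.sessions[mac.lower()] = PortalSession(mac=mac.lower())
        return ISOLATION_VLAN

    def portal_login(self, mac: str, user: str, password: str) -> int:
        session = self.sessions.get(mac.lower())
        if session is None:
            return ISOLATION_VLAN
        expected = self.directory.get(user, "")
        # constant-time compare; a real portal would delegate this to AD/RADIUS
        if not expected or not hmac.compare_digest(expected, password):
            return ISOLATION_VLAN
        session.user, session.vlan, session.idle_seconds = user, PRODUCTION_VLAN, 0
        return session.vlan

    def tick(self, mac: str, seconds: int) -> int:
        """Advance the idle clock and re-isolate a session that has gone quiet."""
        session = self.sessions[mac.lower()]
        session.idle_seconds += seconds
        if session.vlan == PRODUCTION_VLAN and session.idle_seconds >= self.idle_timeout:
            session.vlan, session.user = ISOLATION_VLAN, None
        return session.vlan
```

The contrast worth noticing is in `tick`: only the portal style has any event that takes access away again. The MAC-only controller makes one decision at link-up and is done, which is exactly the unlocked-workstation problem, and the agent controller's exception list is a permanent allow with no posture data behind it.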


Have any different experiences with NAC? Let me know about them with a comment here!

Wednesday, June 3, 2009

Virtualization Clustering: The IT Pipe Dream

Written by: Steve McMaster

We’ve recently started looking into various types of clustering. We would like to build ourselves a “cloud” that we can run VMware (or some other type of virtualization) on top of. After a couple weeks of investigation, though, there doesn’t really seem to be anything out there that does what we want, and actually works.

We started by looking at some of the actual “cloud” implementations out there. We’re big fans of Ubuntu, so we started by looking at Eucalyptus, which is the cloud implementation included with Ubuntu starting with 9.04. Eucalyptus, however, doesn’t do any sort of load balancing of the virtual machines. It is promising, but right now it’s not quite what we’re looking for.

We also looked at Enomalism. Due to hardware constraints, we don’t have support for “hardware virtualization”. Recent Intel and AMD processors have support for accelerating full virtualization of unmodified guest operating systems. The servers we are using for this do not have support for this extension. Therefore, our virtualization options are somewhat limited. Enomalism has support for KVM/Qemu and Xen. However, the Ubuntu 8.04 support for Xen seems to be broken, KVM requires the hardware virtualization extensions, and Qemu is known to be weak on the performance side. So Enomalism is not really an option for us, either.

We found an interesting project, that also looked fairly promising, called Kerrighed. Kerrighed is a set of patches for the Linux kernel that allow a network of computers to appear as one large multi-processor computer. It also supports migration of processes from one “node” to another. We were initially very excited by this project. However, it seems to have several shortcomings. Namely, if one member fails, you have to reboot the entire cluster. Also, you can’t add a new member while the cluster is running. Kerrighed shows a lot of promise, and I’d like to try it out as an option again once it’s gotten a little more mature.

As much as we love open source, we understand that there is a place for commercial software too. So, we took a look at VMware’s Infrastructure 3 stuff. Now I must say, VI3 looked really cool. It has a lot of features, like the load balancing we were looking for (called “VMware DRS”), live migration (“Vmotion”), built-in HA stuff. It was really quite a comprehensive product. However, “enterprise” products like that always come with “enterprise” price tags. For just a couple servers, the price was climbing into the tens of thousands of dollars. This included 24x7 support, though.

What it comes down to is that there is no reasonably priced, effective, stable answer to the clustered virtualization question. We’re probably going to be looking into all of this again in the future. If you’re reading this and you’re a developer of clustering software, I challenge you to make this dream a reality.

Friday, May 29, 2009

NOC Infragard Presentation

I attended a meeting of the Northern Ohio chapter of Infragard today (along with Matt - see the prior post). Here are a few ideas I found interesting from the main presentation (State of the Hack by Kris Harms) that Matt didn't already mention.

Often when his company investigates intrusions, they find that the perimeter, public-facing web servers are not compromised themselves. Rather, SQL injection attacks are performed on vulnerable websites hosted on them, and these are used to exploit database servers (via the xp_cmdshell MSSQL stored procedure, for instance). In addition to containing actual valuable data, the database servers are often less isolated from the rest of the network and easily facilitate deeper intrusions.
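The web-tier bug that opens this path is ordinary string-built SQL. As an added example (not from the presentation), the vulnerable lookup and its parameterized replacement are shown side by side; the table, rows and function names are constructed, and an in-memory SQLite database stands in for the MSSQL server the talk referred to.

```python
"""Vulnerable string-built query beside its parameterized form. Added
example, not from the talk; the table and rows are constructed and SQLite
stands in for the MSSQL server mentioned in the post."""
import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a customers table with card fragments."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "alice", "1234"), (2, "bob", "5678")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    # User input is pasted into the SQL text, so the input can change the
    # structure of the query rather than just the value being compared.
    sql = "SELECT name FROM customers WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[str]:
    # The driver sends the value separately from the statement, so it is
    # only ever compared, never parsed as SQL.
    sql = "SELECT name FROM customers WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]
```

Parameterizing the query closes the injection itself; the second half of the post's point, that the database tier was reachable and over-privileged enough for a stored procedure like xp_cmdshell to matter, is a segmentation and least-privilege problem that no query fix addresses.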

Another point that I found interesting from the presentation is that these days very few intrusions use a vulnerable service as the initial attack vector. This situation is certainly a drastic change from several years ago when IIS exploits were once very common. These days the most common initial attack vectors (when they're known at all) are SQL Injection and client application exploits.

In addition, very few of the intrusions that Kris's company responded to were discovered via anti-virus software or IDS systems. More often than not, a company's IT staff discover the intrusions via complaints from customers, other victims, or law enforcement. IDS systems often produce vast quantities of unimportant information within which actual attacks get lost, if they see the attack at all. It is vital to configure an IDS system to only raise an alarm when true attacks occur and not to "cry wolf", which only encourages staff to ignore IDS output.

Infragard Update

Today I attended the quarterly meeting of the Northern Ohio chapter of Infragard and have to say that I enjoyed it very much. The speaker was Kris Harms from MANDIANT, an information security firm based out of Alexandria, VA. At MANDIANT, Kris is a Senior Consultant whose primary experience is in incident response.

Kris was an excellent speaker, very engaging, and really showed that he was interested and knowledgeable in what he was talking about. He mostly discussed incident response, including a couple of real world case studies (the data had been sanitized, obviously). In both cases the companies in question had been the victims of malware that had stolen credit card information. One of the companies was actually PCI compliant. Just goes to show that compliance does not equal security.

Another thing he touched on that I think goes unnoticed is the need for more stringent egress filtering. We take for granted that we drop unwanted connections at the front door, but what happens when an attacker is able to sneak in? Instead of trapping him inside with our data, we often let the data walk out the front door because “what does outbound access hurt?”. It is common for us to review a firewall configuration and find locked down inbound access but wide open access in the other direction. A little word of advice: if the servers in your DMZ are allowed uninhibited outbound access to the Internet, please feel free to stop reading this right now and go fix it.
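The "locked down inbound, wide open outbound" pattern is easy to spot mechanically. As an added example (not from the presentation or from any firewall product), here is a small Python model of a first-match ruleset with the leaky DMZ policy beside a tightened one, plus an audit function that flags accept rules letting a DMZ source reach the whole Internet. The addresses are from the documentation ranges and the rule shape is a constructed simplification of an iptables-style chain.

```python
"""Leaky vs. tightened DMZ egress policy, with an audit that flags
unrestricted outbound rules. Added example; addresses, the rule format and
the function names are constructed for illustration."""
from ipaddress import ip_address, ip_network
from typing import List, Optional

DMZ_CIDR = "192.0.2.0/24"          # constructed: DMZ subnet
WEB = "192.0.2.10/32"              # constructed: public web server
RESOLVER = "198.51.100.53/32"      # constructed: internal DNS resolver
ANY = "0.0.0.0/0"
DMZ = ip_network(DMZ_CIDR)


def rule(src: str, dst: str, dport: Optional[int], action: str) -> dict:
    """One firewall rule; dport=None means any port."""
    return {"src": ip_network(src), "dst": ip_network(dst),
            "dport": dport, "action": action}


# Inbound is restricted to HTTPS on the web server, but the DMZ may talk to
# anything on the Internet: the configuration the post tells you to go fix.
LEAKY_RULES = [
    rule(ANY, WEB, 443, "ACCEPT"),
    rule(DMZ_CIDR, ANY, None, "ACCEPT"),
    rule(ANY, ANY, None, "DROP"),
]

# Same inbound policy; outbound limited to what the web tier actually needs.
TIGHT_RULES = [
    rule(ANY, WEB, 443, "ACCEPT"),
    rule(WEB, RESOLVER, 53, "ACCEPT"),
    rule(ANY, ANY, None, "DROP"),
]


def first_match(rules: List[dict], src: str, dst: str, dport: int) -> str:
    """Return the action of the first rule matching the flow (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r["src"] and d in r["dst"] and r["dport"] in (None, dport):
            return r["action"]
    return "DROP"


def audit_egress(rules: List[dict], zone) -> List[str]:
    """Flag ACCEPT rules whose source overlaps the zone and whose
    destination is the entire address space."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "ACCEPT" or not r["src"].overlaps(zone):
            continue
        if r["dst"].prefixlen == 0:
            what = "any port" if r["dport"] is None else f"port {r['dport']}"
            findings.append(f"rule {i}: {r['src']} may reach the whole Internet on {what}")
    return findings
```

With the leaky policy a compromised web server can open an outbound session to an arbitrary Internet host on any port, which is precisely the data-walking-out-the-front-door case; with the tightened policy the same flow falls through to the default drop while the server's legitimate DNS lookups still work.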

In wrapping up, Kris had a slide on how to defend against these new types of attacks and I was pleased to see someone else echoing the same things that we preach here at Hurricane Labs. Know your network, have it well segmented, and be monitoring and watching everything possible. Granted these ideas are not new but are often ignored because it takes too much effort / time / money. How are you going to win the battle for your network? Constant vigilance!!!

Friday, May 15, 2009

Vote for WiKID

Okay since I really like this particular project, I'm enlisting you all to help me help it. Vote for WiKID in Sourceforge's Community Choice Awards.



Thanks!!

Thursday, May 14, 2009

DRM and License Schemes

In the interest of full disclosure I'll open with two points. First I am an Open Source Software Advocate but occasionally I will use proprietary software if I enjoy the experience better or if an equivalent piece of open software is not available. Second this is a rant so it doesn't have to make sense, right? On with the show.

A couple weeks ago (20 days actually) I downloaded a piece of software I wanted to try out. It was a password manager that passed all of my "sniff" tests for proprietary software. I had every intention of buying it and had one day left on my trial. Today I decided "hey, I'll click on that "purchase" button and get it over with". Well, that was a mistake. Anytime I launched Firefox it just hung there. So I killed it and launched again, this time clicking on "not now" so I could get on with my work. No luck, same deal, Firefox just hung. Since the software integrates with any browser you have, I decided to launch Safari (yes I'm a Mac user, told you I use proprietary stuff when I just like it better), which then proceeded to hang when I clicked "not now". I then just uninstalled the software, which I figured should at least let me use my browsers again. No such luck, the "License Me NOW!" window just made it all hang. Finally I emailed their tech support and they told me (within minutes) the magic files I had to remove to make my browsers function again. The reason this doesn't uninstall when you remove the program? "Well we need to make sure you aren't trying to work around the license so we install our license engine separately." The core software wasn't having a problem, it was the license engine! This made me FURIOUS!

I won't embarrass the company by naming them because they were quite helpful in resolving the issue, but the problem is systemic in how commercial software houses treat their customers. Customers are presumed guilty because a few knuckleheads won't pay for software. I won't get into how unquantifiable the numbers regarding piracy are or how angry it makes me that we have these rogue, unannounced pieces of software installed on our systems basically just to make sure we're doing what that particular company wants us to do. The problem is these companies are treating their customers as if they're criminals BEFORE any crime was committed. I would argue that most customers wouldn't think twice about paying for some software they're using, but these companies have become so frightened about piracy they respond as if all customers are criminals-in-waiting. It's nonsense, it's an overreaction and it's yet another reason to use Free and Open Source Software every chance you get.