Splunk Query: Processes Created & Terminated

This morning I installed and configured Snare on my AWS EC2 Windows 2012 Server to ship logs to my SplunkStorm project.

Below is a basic query for charting the top processes that have started on the system:
EventID 4688 — A new process has been created.

4688 | rex field=_raw "Process Name: (?<Process_Name>.*) Token Elevation Type:" | sort Process_Name | top limit=10000 Process_Name

Here is a modified version of the query for processes that have terminated:
EventID 4689 — A process has exited.

4689 | rex field=_raw "Process Name: (?<Process_Name>.*) Exit Status:" | sort Process_Name | top limit=10000 Process_Name
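The same extraction the two rex commands perform, as an added example in JavaScript (not code from the original post) over constructed Snare-style one-line events; it reuses the two regexes verbatim and then goes one step further than the queries by listing processes that were created but never logged as exited.

```javascript
// Builds a Snare-style tab-separated Windows event line. The host name, counter,
// timestamp and process details are constructed for this example, not real log data.
function snareLine(eventId, body) {
  return ["WIN2012", "MSWinEventLog", "1", "Security", "100", "Mon Jan 07 10:00:01 2013",
          eventId, "Microsoft-Windows-Security-Auditing", body].join("\t");
}

const SAMPLE_EVENTS = [
  snareLine("4688", "New Process ID: 0x1a4 New Process Name: C:\\Windows\\System32\\cmd.exe Token Elevation Type: %%1938 Creator Process ID: 0x5f8"),
  snareLine("4688", "New Process ID: 0x2b0 New Process Name: C:\\Windows\\System32\\cmd.exe Token Elevation Type: %%1938 Creator Process ID: 0x5f8"),
  snareLine("4688", "New Process ID: 0x3c8 New Process Name: C:\\Windows\\System32\\conhost.exe Token Elevation Type: %%1936 Creator Process ID: 0x1a4"),
  snareLine("4689", "Process ID: 0x1a4 Process Name: C:\\Windows\\System32\\cmd.exe Exit Status: 0x0"),
  snareLine("4689", "Process ID: 0x3c8 Process Name: C:\\Windows\\System32\\conhost.exe Exit Status: 0x0"),
  snareLine("4624", "Logon Type: 3 New Logon: Security ID: S-1-5-18"),
];

// The two rex patterns from the queries above, reused as-is: JavaScript accepts the same
// (?<name>...) syntax, and 4688 matches because "New Process Name:" ends in "Process Name:".
const REX = {
  "4688": /Process Name: (?<Process_Name>.*) Token Elevation Type:/,
  "4689": /Process Name: (?<Process_Name>.*) Exit Status:/,
};

// Equivalent of `<eventId> | rex ... | top limit=N Process_Name`: keep events whose
// tab-separated fields contain the ID token, extract the name, count, sort by count.
function topProcesses(lines, eventId, limit = 10000) {
  const rex = REX[eventId];
  if (!rex) return [];
  const counts = new Map();
  for (const line of lines) {
    if (!line.split("\t").includes(eventId)) continue;
    const m = rex.exec(line);
    if (m) counts.set(m.groups.Process_Name, (counts.get(m.groups.Process_Name) || 0) + 1);
  }
  return [...counts].sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0])).slice(0, limit);
}

// One step past the two queries: processes with more 4688 creations than 4689 exits in
// the window, i.e. still running or never logged as terminated.
function createdWithoutExit(lines) {
  const exited = new Map(topProcesses(lines, "4689"));
  return topProcesses(lines, "4688")
    .filter(([name, n]) => n > (exited.get(name) || 0))
    .map(([name]) => name);
}

console.log(topProcesses(SAMPLE_EVENTS, "4688"));
console.log(createdWithoutExit(SAMPLE_EVENTS));
```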

More to come…

PGP Whole Disk Encryption — Authentication Bypass

There has recently been some attention to a bypass feature in PGP Corporation's Whole Disk Encryption product line. The gist of it seems to be that it is possible for an encrypted volume to be set so that the passphrase requirement is waived (bypassing the authentication) for a single reboot.

While this comes across as concerning at first, after reading the PGP Knowledgebase Article #750, it appears that the risk is minimal. I feel that if I were a government organization, such as the CIA, NSA, FBI, DHS, etc., then I'd be worried about the types of advisories the anonymous author of Securology mentions. However, most laptop thefts are by common criminals looking to make some money in a pawn shop or otherwise. I doubt there will be many, if any, cases of a malicious trojan that not only replaces PGP's BootGuard with a malicious one to extend the number of unauthenticated bypasses ad infinitum, but also infects machines that the attacker can get physical access to. This would require being able to reverse engineer the PGP BootGuard code, which so far even the fine folks over at Guidance Software haven't been able to do.

As part of risk management, there is a certain level of risk that has to be accepted. We cannot live in a world without risks and should only worry about the ones that have a reasonable chance of occurring.

The posting lists 4 points that he/she would like addressed.

  1. The feature was documented clearly, including a security warning covering the risks of its use/presence in such a way that administrators must see it.
  2. The feature could be permanently disabled, not just ignored or left seemingly unused.
  3. The intended use of the feature did not require the creation of a passphrase with cryptographic access to the Volume Master Key.
  4. The intended use of the feature did not require the distribution of plain text scripts with an embedded passphrase to N clients each and every time that feature is needed.

The first point I absolutely agree with. However, it's worth mentioning that PGP documented this feature back on July 27th of 2007. I would like to see the security warning though, as I personally had no knowledge of this feature until I went looking for it. Could PGP have backdated the document? Of course, but I'm hoping the company making my encryption solution isn't that shady.

PGP Bypass Document

The second point seems academic in nature to me. There are plenty of programs used in every company of every nation that have features which would be insecure. For instance, Microsoft Active Directory can allow user accounts to have blank passwords. Shouldn't we be satisfied that in our environment the feature is disabled? Demanding that Microsoft remove the feature from the code base simply because it would be unfavorable if enabled is ridiculous. I feel like that's what's being demanded of PGP here. It might be a risk a 3 Letter Agency should worry about, but certainly not your typical business.

For the third point I'm interested to see what his proposed solution is that doesn't allow cryptographic access to the Volume Master Key. I may be misinformed, but I'd think that without access to the VMK the laptop wouldn't be able to decrypt anything and thus it would be impossible to boot.

I completely agree with this fourth point. I've always been against developers hard coding passwords into binaries, and especially into plain text script files. PGP should allow an alternate form of authentication that doesn't require displaying the password. I have some thoughts on this but will likely post them later.

Overall though, I'm very impressed with the writing style and depth of thought that the author behind Securology has shown. I plan to keep reading and keep learning.

CISSP: Study Notes — Security Management and Access Control

Security Management

  • Define compulsory: mandatory, enforced. Ex.: Following the security policy is compulsory.

Access Control

  • Evaluating Biometric Devices
    The key concepts for this are memorization of Type I error, Type II error, and CER. A Type I error is that of false rejection. For example, Joe should be allowed in the data center. If Joe scans his retina and is denied access to the data center, it is a false rejection or Type I error. A Type II error is just the opposite. If Jill does not have access to the data center, scans her retina, and access is granted, that is a false acceptance or Type II error.
  • DAC, MAC, and Security Labels
    The type of access control system typical computer users are accustomed to is called a Discretionary Access Control system. This means that a user's right to read/write/execute an object is based solely on their need-to-know. Data owners are able to decide who can access the data via an Access Control List (ACL). Because the military and other government agencies want to control access based both on classification and need-to-know, they use the Mandatory Access Control system. A Security Label is an attribute of an object defining its classification level and need-to-know categories. A person must have both a clearance equal to or greater than the object's and have been granted a need-to-know for one or more of the categories contained in the security label in order to access the object.
  • Capability Table
    This was a new term for me. Essentially a capability table is a list of permissions that is bound to a subject, whereas an ACL is a list of permissions bound to an object. I'm sure the term is wrong, but I like to think of it as an inverse of an ACL.
  • Traffic Analysis Attack
    Now to me, this attack is quite a stretch. Basically, it says that by watching traffic patterns people can discover information. Now in that simple form, yes, traffic monitoring can lead to all types of great information. My problem is with the book's example: "For example, heavy traffic between HR and headquarters could indicate an upcoming layoff." Maybe it's just me, but that seems like a leap. I'm much more inclined to believe an upcoming layoff could be revealed by looking at the email flying by, not so much by the amount of traffic.

Configuring Port Forwarding

I recently acquired a Juniper NetScreen SSG5 and have been playing around with it. One task that took some time, due to the fact that the multiple online resources I found had outdated syntax, was that of port forwarding.

The Goal

Take port 443 on my public IP via cable modem and forward traffic to a SUSE 10.2 virtual machine connected in bridged mode on my internal network on port 22. (i.e. SSH on 443 -> Public IP -> SSH on 22 -> Private IP)

The Solution

set interface ethernet0/0 vip untrust 21 "SSH" manual
set policy id 10 from untrust to trust any vip(ethernet0/0) "HTTPS" permit log count

Syntax is everything!

Studying for the CISSP: Self Check (1–4)

I got away from studying for the CISSP a couple months ago when I ran into some stressful life situations. Now that things are back in order, I'm hitting the books again. Last week I read Chapters 3 and 4, covering Security Models & Architecture and Physical Security respectively. Tonight I took the self exam for each of the first four chapters. Needless to say, I'm not happy with my results. This does provide a nice benchmark for me though.

0.91 (10/11)    Security Management
0.50 (6/12)     Access Control
0.45 (5/11)     Security Models & Architecture
1.00 (13/13)    Physical Security
0.72 (34/47)    Total

Since I plan on using this blog mainly as a repository of my thoughts, below is my list of items that require further study and some quick thoughts about them.

  • Compulsory — I missed the question not because I didn't understand the topic and answers, but because I didn't understand what compulsory meant. I thought it meant "optional." Nope, it actually means "mandatory." Oops!
  • Biometric Evaluation — Here I need to know what Type I, Type II, and CER stand for.
  • Kerberos — Even though I know it's an authentication protocol, I need to better understand the specific weaknesses it has.
  • Security Label — This is part of MAC (Mandatory Access Control) and is a concept where information about an object, including classification level and need-to-know, is maintained. A subject's classification and need-to-know are compared against the object's before granting access.
  • Capability Tables are the rows of an Access Control Matrix that are bound to the subjects.
  • Access Control Lists are the columns of an Access Control Matrix that are bound to the objects.
  • RADIUS, TEMPEST, TACACS, Diameter — I must understand the what/when/why/how of each and their differences.
  • Brush up on the differences between Multitasking, Multiprocessing, Multithreading, and Multiprogramming.
  • Reference Monitor
  • Security Kernel
  • Clark-Wilson Model
  • Trusted Computing Base
  • Biba Model
  • Bell-LaPadula Model
  • Common Criteria — Mainly TOE, EPL and Protection Profiles
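The access-control notes above (capability table as a matrix row, ACL as a matrix column, DAC versus MAC with security labels, and Type I/Type II biometric errors) worked through in JavaScript, as an added example that is not from the original posts; the matrix, subjects, objects and labels are constructed sample data.

```javascript
// Access control matrix, constructed for this example: rows are subjects, columns are
// objects, each cell is the set of rights the subject holds on the object.
const MATRIX = {
  joe:  { "payroll.xlsx": new Set(["read", "write"]), "backup.cmd": new Set(["read", "execute"]) },
  jill: { "payroll.xlsx": new Set(["read"]) },
};

// Capability table: one row of the matrix, bound to the subject.
function capabilityTable(matrix, subject) {
  return Object.fromEntries(Object.entries(matrix[subject] || {}).map(([obj, r]) => [obj, [...r].sort()]));
}

// Access control list: one column of the matrix, bound to the object.
function accessControlList(matrix, object) {
  const acl = {};
  for (const [subject, row] of Object.entries(matrix)) {
    if (row[object]) acl[subject] = [...row[object]].sort();
  }
  return acl;
}

// DAC decision: only the owner-maintained ACL entry is consulted.
function dacAllowed(matrix, subject, object, right) {
  const row = matrix[subject];
  return Boolean(row && row[object] && row[object].has(right));
}

// MAC decision as the notes state it: the clearance level must be equal to or above the
// object's classification, and the subject needs need-to-know for at least one category
// in the security label. (Strict Bell-LaPadula dominance would require every category.)
const LEVELS = { unclassified: 0, confidential: 1, secret: 2, "top secret": 3 };
function macAllowed(clearance, label) {
  const levelOk = LEVELS[clearance.level] >= LEVELS[label.level];
  const needToKnow = label.categories.some((c) => clearance.categories.includes(c));
  return levelOk && needToKnow;
}

// Biometric outcome: Type I = false rejection (Joe, authorized, denied),
// Type II = false acceptance (Jill, unauthorized, admitted).
function biometricError(shouldBeAdmitted, wasAdmitted) {
  if (shouldBeAdmitted && !wasAdmitted) return "Type I";
  if (!shouldBeAdmitted && wasAdmitted) return "Type II";
  return null;
}

console.log(capabilityTable(MATRIX, "joe"), accessControlList(MATRIX, "payroll.xlsx"));
console.log(macAllowed({ level: "secret", categories: ["crypto"] }, { level: "secret", categories: ["crypto", "nuclear"] }));
```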

I plan on going back through this content during this week and writing at least a paragraph on each concept I missed in order to drive the points home.

As some may have noticed, I have begun to post longer, more informative posts. This is the trend I want to continue and build on. I believe writing longer posts not only provides practice at communication through the written word, but they are more informative and less likely to be quick emotional reactions to other blog posts or news stories. As always, I implore anyone reading this to leave comments. I may have been in the field for 5 years now, but seeing as how I'm at least 35 years away from retirement, I have, at a minimum, 35 more years' worth of learning to do!

As Joseph Addison said, "The utmost extent of man's knowledge is to know that he knows nothing."

Brain Dump: Ubuntu 7.04 Feisty Fawn, School, Giving Back, Blogging

I recently loaded up a new virtual machine with Ubuntu 7.04 Feisty Fawn (32-bit) running on Vista Ultimate (64-bit) and have had no problems thus far. Everything works: dual monitors, sound, networking, etc.

I'm seriously impressed with the quality of VMware Workstation 6. I've been a user of their product since version 4, and it's done nothing but improve. I'm also impressed with Ubuntu. It took almost zero effort to get a working system installed to disk. After the install, a simple sudo apt-get install build-essential was all I needed to get what I need for development.

My reasons for the Linux VM are twofold. First of all, I prefer it to Windows as a "safer" platform to do my banking and such on. Secondly, I've started another class in my Master's program at DePaul University, and it requires a Linux system. We'll be learning assembler from the programmer's point of view; that is, understanding what data structures, control statements, etc. look like in assembler, as well as being able to take compiled programs and debug them at the assembler level to find/troubleshoot bugs.

I've also been spending some time thinking of ways to give to the security community. One of my ways was recently mentioned in a Security Catalyst Community forums post. Basically, create a matrix of security controls and common implementations, cross referencing them with all the different security standards out there. A person could, for instance, check all the controls they already have in place. The site would then list off the standards they are already compliant with. If they wanted, they could pick a standard and it would list off both what they already have and what they are lacking. Not easy and not quick, but useful.

I've also been playing around with some type of more useful way to glean data from CheckPoint firewall logs that have been exported to ASCII with the fwm logexport -i <date> -o <date>.out -n -p -m raw command. Specifically, I'm looking for ways to visually make unusual activity "jump" out at the analyst. I've been able to create graphs of port usage over time, but haven't gotten the code into a state where comparison against the standard deviation is viable yet. I also haven't come up with a solid interface either. Thus far it's a hodgepodge of perl scripts that can print graphs if STDOUT is redirected to a png file :) I'm debating between open source, free software, web-based stuff and C# in a Windows app. The developer in me wants to use C# since I'm very comfortable with the language, but the student in me wants to use perl, mysql, and php. Oh the choices!

Another interesting thing I've been mulling over is file carving from libpcap files. Often I find myself wanting to grab a file that was sent over the network that I have a capture of. I've been thinking of 2 ways to solve this: (1) write my own parser for files as I need them or (2) contribute to the tcpxtract project so that it works more accurately.

Well that's my brain dump for now. One of my goals is to use blogging as Richard Bejtlich has, and that's as a personal dumping ground to find thoughts, articles, etc. in case I need to refer back to them in the future. Let's see how this works out!

Deobfuscating JavaScript at the Browser

The Websense Security Labs Blog has an interesting post up about one method of deobfuscating JavaScript. As I've alluded to in previous posts, any code that's pushed to the client's browser must eventually be understandable by that browser. This is why the malicious scripts have to contain code to deobfuscate themselves. The trouble of course is getting the script to run without actually running the malicious content.

My method has primarily been to replicate the script's functionality and evaluation of code with a perl script on a *nix command line. If everything is getting printed to STDOUT instead of the source of an html file inside a browser, there is no chance that the code could execute. This has worked well but can often be tedious.

The method discussed in the post above involves hooking the document.write function of JavaScript inside mshtml.dll. With this in place an analyst can extract the deobfuscated code before it is fully processed by the browser. That's clever!
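The same idea at the JavaScript level rather than inside mshtml.dll, as an added example (not the Websense method and not code from the original post): document.write is replaced by a function that records its argument, so the stage the script decodes is captured instead of rendered. The self-decoding script is a constructed, harmless sample built inline, and example.invalid is a reserved placeholder host name.

```javascript
// Stand-in for the browser document whose write()/writeln() record their argument
// instead of inserting it into the page, so the decoded stage is captured, not rendered.
function makeHookedDocument() {
  const captured = [];
  const document = {
    write(markup) { captured.push(String(markup)); },
    writeln(markup) { captured.push(String(markup) + "\n"); },
  };
  return { document, captured };
}

// Runs a self-decoding script with only the hooked document in scope and returns every
// string it tried to write. new Function() is not an isolation boundary: run this inside
// a disposable analysis VM, exactly as you would when loading the script in a real browser.
function captureWrites(scriptSource) {
  const { document, captured } = makeHookedDocument();
  new Function("document", "window", scriptSource)(document, undefined);
  return captured;
}

// Constructed sample of the pattern the post describes (not a real malicious script):
// the markup is stored as character codes shifted by `shift` and decoded at runtime
// before being handed to document.write.
function buildSelfDecodingSample(markup, shift = 7) {
  const codes = Array.from(markup, (ch) => ch.charCodeAt(0) + shift).join(",");
  return `var d=[${codes}],s="";for(var i=0;i<d.length;i++){s+=String.fromCharCode(d[i]-${shift});}document.write(s);`;
}

const DECODED_MARKUP = '<script src="http://example.invalid/stage2.js"></script>';
const OBFUSCATED_SAMPLE = buildSelfDecodingSample(DECODED_MARKUP);

console.log(OBFUSCATED_SAMPLE.slice(0, 60) + "...");  // what the analyst sees on the wire
console.log(captureWrites(OBFUSCATED_SAMPLE));         // what the browser would have rendered
```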