! with Bitwise Operators Only

The screenshot below is from a homework assignment at school. It's basically getting us to think outside the box a bit with regard to bitwise operators in C/C++.

Bang!
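An added example of the kind of trick the assignment is after (my code, not the assignment's solution or the screenshot): logical NOT written with only bitwise and arithmetic operators on a 32-bit unsigned value. It relies on the fact that x | -x has its top bit set for every x except 0. The function names and sample values are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Logical NOT from bitwise operators only: returns 1 when x == 0, else 0.
   x | (-x) has bit 31 set for every non-zero x (either x or its two's
   complement has the sign bit set) and clear only for x == 0.  Unsigned
   arithmetic keeps both the negation and the right shift well-defined. */
static uint32_t bang(uint32_t x)
{
    uint32_t neg = ~x + 1u;          /* two's-complement -x without '-' */
    uint32_t top = (x | neg) >> 31;  /* 1 if x != 0, 0 if x == 0 */
    return top ^ 1u;                 /* invert that single bit */
}

/* Compare bang() against the compiler's ! over the awkward cases
   (zero, one, sign-bit-only, all-ones).  Returns the mismatch count. */
static int check_bang(void)
{
    static const uint32_t samples[] = {
        0u, 1u, 2u, 0x7fffffffu, 0x80000000u, 0xffffffffu, 0x12345678u
    };
    int mismatches = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (bang(samples[i]) != (uint32_t)!samples[i])
            mismatches++;
    return mismatches;
}

int main(void)
{
    printf("bang(0) = %u, bang(7) = %u, mismatches = %d\n",
           (unsigned)bang(0u), (unsigned)bang(7u), check_bang());
    return check_bang() != 0;
}
```

The signed version usually seen in homework answers (`((x | (~x + 1)) >> 31) + 1`) depends on an arithmetic right shift and on `~INT_MIN + 1` not overflowing, both of which C leaves to the implementation; the unsigned form avoids that.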

CISSP: Study Notes — Security Management and Access Control

Security Management

  • Define compulsory: mandatory, enforced. Ex. Following the security policy is compulsory.

Access Control

  • Evaluating Biometric Devices
    The key concepts here are memorizing Type I error, Type II error, and CER. A Type I error is a false rejection. For example, Joe should be allowed in the data center. If Joe scans his retina and is denied access to the data center, that is a false rejection, or Type I error. A Type II error is the opposite. If Jill does not have access to the data center, scans her retina, and access is granted, that is a false acceptance, or Type II error. Tightening the device's matching threshold trades one for the other; the CER (crossover error rate) is the point where the false rejection rate and the false acceptance rate are equal, and a lower CER means a more accurate device.
  • DAC, MAC, and Security Labels
    The type of access control system typical computer users are accustomed to is called a Discretionary Access Control system. This means that a user's right to read/write/execute an object is based solely on their need-to-know as judged by the data owner. Data owners are able to decide who can access the data via an Access Control List (ACL). Because the military and other government agencies want to control access based both on classification and need-to-know, they use the Mandatory Access Control system. A Security Label is an attribute of an object defining its classification level and need-to-know categories. A person must have both a clearance equal to or greater than the object's classification and have been granted need-to-know for the categories contained in the security label in order to access the object; in lattice terms, the subject's clearance must dominate the object's label.
  • Capability Table
    This was a new term for me. Essentially a capability table is a list of permissions that is bound to a subject, whereas an ACL is a list of permissions bound to an object. I'm sure the term is wrong, but I like to think of it as an inverse of an ACL.
  • Traffic Analysis Attack
    Now to me, this attack is quite a stretch. Basically, it says that by watching traffic patterns people can discover information. Now in that simple form, yes, traffic monitoring can lead to all types of great information. My problem is with the book's example: "For example, heavy traffic between HR and headquarters could indicate an upcoming layoff." Maybe it's just me, but that seems like a leap. I'm much more inclined to believe an upcoming layoff could be revealed by looking at the email flying by, not so much by the amount of traffic.

Configuring Port Forwarding

I recently acquired a Juniper NetScreen SSG5 and have been playing around with it. One task that took some time, because the multiple online resources I found had outdated syntax, was port forwarding.

The Goal

Take port 443 on my public IP via cable modem and forward the traffic to port 22 on a SUSE 10.2 virtual machine connected in bridged mode on my internal network (i.e. SSH on 443 -> Public IP -> SSH on 22 -> Private IP).

The Solu­tion

set interface ethernet0/0 vip untrust 443 "SSH" 172.22.102.53 manual
set policy id 10 from untrust to trust any vip(ethernet0/0) "HTTPS" permit log count

Thoughts

Syn­tax is everything!

Studying for the CISSP: Self Check (1–4)

I got away from studying for the CISSP a couple of months ago when I ran into some stressful life situations. Now that things are back in order, I'm hitting the books again. Last week I read Chapters 3 and 4, covering Security Models & Architecture and Physical Security respectively. Tonight I took the self-exam for each of the first four chapters. Needless to say, I'm not happy with my results. It does provide a nice benchmark for me though.

0.91 (10/11)    Security Management
0.50 (6/12)     Access Control
0.45 (5/11)     Security Models & Architecture
1.00 (13/13)    Physical Security
————————-
0.72 (34/47)    Total

Since I plan on using this blog mainly as a repository of my thoughts, below is my list of items that require further study and some quick thoughts about them.

  • Compulsory — I missed the question not because I didn't understand the topic and answers, but because I didn't understand what compulsory meant. I thought it meant "optional." Nope, it actually means "mandatory." Oops!
  • Biometric Evaluation — Here I need to know what Type I, Type II, and CER stand for.
  • Kerberos — Even though I know it's an authentication protocol, I need to better understand the specific weaknesses it has.
  • Security Label — This is part of MAC (Mandatory Access Control) and is a concept where information about an object, including classification level and need-to-know, is maintained. A subject's clearance and need-to-know are compared against the object's before granting access.
  • Capability Tables are the rows of an Access Control Matrix and are bound to the subjects.
  • Access Control Lists are the columns of an Access Control Matrix and are bound to the objects.
  • RADIUS, TEMPEST, TACACS, Diameter — I must understand the what/when/why/how of each and their differences.
  • Brush up on the differences between Multitasking, Multiprocessing, Multithreading, and Multiprogramming.
  • Reference Monitor
  • Security Kernel
  • Clark-Wilson Model
  • Trusted Computing Base
  • Biba Model
  • Bell-LaPadula Model
  • Common Criteria — Mainly TOE, EPL and Protection Profiles
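An added example (my code, not from the book) of the Access Control Matrix view of capability tables and ACLs, with a security-label dominance check alongside it: a column of the matrix is an object's ACL, a row is a subject's capability table, and a MAC label check asks whether the subject's clearance dominates the object's label. The subjects, objects, categories and rights are made up for the example.

```c
#include <stdio.h>

/* Rights stored in one cell of the access control matrix. */
enum { RIGHT_R = 1, RIGHT_W = 2, RIGHT_X = 4 };

/* Hypothetical subjects and objects, constructed for this example. */
enum { JOE, JILL, N_SUBJECTS };
enum { PAYROLL, WEBLOGS, N_OBJECTS };

/* DAC: the matrix itself, as set by the data owners.
   Row = a subject's capability table, column = an object's ACL. */
static const unsigned matrix[N_SUBJECTS][N_OBJECTS] = {
    /*            PAYROLL            WEBLOGS */
    [JOE]  = { RIGHT_R | RIGHT_W, RIGHT_R },
    [JILL] = { 0,                 RIGHT_R | RIGHT_W | RIGHT_X },
};

/* Does the matrix cell grant every bit in `right`? */
static int dac_allows(int subject, int object, unsigned right)
{
    return (matrix[subject][object] & right) == right;
}

/* An object's ACL: read down its column.  Returns a bitmask of
   subjects (bit i = subject i) holding `right` on the object. */
static unsigned acl_of(int object, unsigned right)
{
    unsigned holders = 0;
    for (int s = 0; s < N_SUBJECTS; s++)
        if (dac_allows(s, object, right)) holders |= 1u << s;
    return holders;
}

/* A subject's capability table: read across its row.  Returns a
   bitmask of objects (bit i = object i) on which it holds `right`. */
static unsigned capabilities_of(int subject, unsigned right)
{
    unsigned objects = 0;
    for (int o = 0; o < N_OBJECTS; o++)
        if (dac_allows(subject, o, right)) objects |= 1u << o;
    return objects;
}

/* MAC: a security label is a classification level plus a set of
   need-to-know categories (one bit per category). */
enum { UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP_SECRET };
enum { CAT_HR = 1, CAT_FINANCE = 2, CAT_OPS = 4 };
typedef struct { int level; unsigned categories; } label_t;

/* A subject's clearance dominates an object's label when its level is at
   least the object's AND its category set contains every category in the
   object's label.  Read access requires dominance (no "read up"). */
static int mac_dominates(label_t clearance, label_t object)
{
    return clearance.level >= object.level &&
           (clearance.categories & object.categories) == object.categories;
}

int main(void)
{
    label_t joe_clearance  = { SECRET, CAT_HR | CAT_FINANCE };
    label_t payroll_label  = { CONFIDENTIAL, CAT_HR | CAT_FINANCE };
    label_t ops_plan_label = { SECRET, CAT_OPS };

    printf("DAC: Joe reads PAYROLL?  %d\n", dac_allows(JOE, PAYROLL, RIGHT_R));
    printf("DAC: Jill reads PAYROLL? %d\n", dac_allows(JILL, PAYROLL, RIGHT_R));
    printf("ACL(WEBLOGS, read) = 0x%x, caps(JOE, read) = 0x%x\n",
           acl_of(WEBLOGS, RIGHT_R), capabilities_of(JOE, RIGHT_R));
    printf("MAC: Joe reads payroll label?  %d\n",
           mac_dominates(joe_clearance, payroll_label));
    printf("MAC: Joe reads ops plan label? %d (level is high enough, no need-to-know)\n",
           mac_dominates(joe_clearance, ops_plan_label));
    return 0;
}
```

The last call is the point of the label check: Joe's SECRET clearance is level enough for a SECRET object, but without the OPS category he is still denied, which is exactly what classification-only checking would get wrong.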

I plan on going back through this content during the week and writing at least a paragraph on each concept I missed in order to drive the points home.

As some may have noticed, I have begun to post longer, more informative posts. This is the trend I want to continue and build on. I believe writing longer posts not only provides practice at communication through the written word, but they are more informative and less likely to be quick emotional reactions to other blog posts or news stories. As always, I implore anyone reading this to leave comments. I may have been in the field for 5 years now, but seeing as I'm at least 35 years away from retirement, I have at a minimum 35 more years' worth of learning to do!

As Joseph Addison said, "The utmost extent of man's knowledge, is to know that he knows nothing."

Brain Dump: Ubuntu 7.04 Feisty Fawn, School, Giving Back, Blogging

I recently loaded up a new virtual machine with Ubuntu 7.04 Feisty Fawn (32-bit) running on Vista Ultimate (64-bit) and have had no problems thus far. Everything works: dual monitors, sound, networking, etc.

I'm seriously impressed with the quality of VMware Workstation 6. I've been a user of their product since version 4, and it's done nothing but improve. I'm also impressed with Ubuntu. It took almost zero effort to get a working system installed to disk. After the install, a simple sudo apt-get install build-essential was all I needed to get what I need for development.

My reasons for the Linux VM are twofold. First, I prefer it to Windows as a "safer" platform to do my banking and such on. Second, I've started another class in my Master's program at DePaul University, and it requires a Linux system. We'll be learning assembler from the programmer's point of view; that is, understanding what data structures, control statements, etc. look like in assembler, as well as being able to take compiled programs and debug them at the assembler level to find/troubleshoot bugs.

I've also been spending some time thinking of ways to give back to the security community. One of my ideas was recently mentioned in a Security Catalyst Community forums post. Basically, create a matrix of security controls and common implementations, cross-referencing them with all the different security standards out there. A person could, for instance, check all the controls they already have in place. The site would then list the standards they are already compliant with. If they wanted, they could pick a standard and it would list both what they already have and what they are lacking. Not easy and not quick, but useful.

I've also been playing around with some more useful way to glean data from CheckPoint firewall logs that have been exported to ASCII with the fwm logexport -i <date> -o <date>.out -n -p -m raw command. Specifically, I'm looking for ways to visually make unusual activity "jump" out at the analyst. I've been able to create graphs of port usage over time, but haven't gotten the code into a state where comparison against the standard deviation is viable yet. I also haven't come up with a solid interface. Thus far it's a hodgepodge of perl scripts that can print graphs if STDOUT is redirected to a PNG file :) I'm debating between open source, free software, web-based stuff and C# in a Windows app. The developer in me wants to use C# since I'm very comfortable with the language, but the student in me wants to use perl, mysql, and php. Oh, the choices!
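An added example of the standard-deviation comparison described above (my code, not the perl scripts from the post): bucket one service's connections by hour of day, then flag the hours that sit more than k standard deviations above the mean hourly count. The sample lines are constructed in a simplified "HH:MM:SS;service" layout that is not fwm logexport's real field order, and the function names are mine.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOURS 24

/* Constructed sample lines in a simplified "HH:MM:SS;service" layout.
   This is NOT fwm logexport's field order; it stands in for one accepted
   connection per line after the export has been trimmed down. */
static const char *const sample_log[] = {
    "00:12:01;ssh", "00:40:13;ssh", "00:41:09;http", "01:05:55;ssh",
    "02:17:42;ssh", "02:18:00;ssh", "02:18:03;ssh", "garbage line",
};
#define SAMPLE_LINES (sizeof sample_log / sizeof sample_log[0])

/* Count lines for `service` per hour of day.  Returns how many lines could
   not be parsed, so malformed export lines are reported, not silently lost. */
static int bucket_by_hour(const char *const *lines, size_t n,
                          const char *service, unsigned counts[HOURS])
{
    int bad = 0;
    memset(counts, 0, HOURS * sizeof counts[0]);
    for (size_t i = 0; i < n; i++) {
        const char *semi = strchr(lines[i], ';');
        char *end;
        long hour = strtol(lines[i], &end, 10);
        if (!semi || end != lines[i] + 2 || *end != ':' ||
            hour < 0 || hour >= HOURS) {
            bad++;
            continue;
        }
        if (strcmp(semi + 1, service) == 0)
            counts[hour]++;
    }
    return bad;
}

/* Flag buckets whose count is more than k standard deviations above the
   mean of all buckets (population variance, compared squared so no sqrt).
   Writes 1/0 per bucket into flags[] and returns how many were flagged. */
static int flag_outliers(const unsigned *counts, size_t n, double k, int *flags)
{
    double sum = 0.0, sumsq = 0.0;
    for (size_t i = 0; i < n; i++) sum += counts[i];
    double mean = sum / (double)n;
    for (size_t i = 0; i < n; i++) {
        double d = counts[i] - mean;
        sumsq += d * d;
    }
    double variance = sumsq / (double)n;
    int flagged = 0;
    for (size_t i = 0; i < n; i++) {
        double d = counts[i] - mean;
        flags[i] = d > 0.0 && d * d > k * k * variance;
        flagged += flags[i];
    }
    return flagged;
}

int main(void)
{
    unsigned counts[HOURS];
    int flags[HOURS];
    int bad = bucket_by_hour(sample_log, SAMPLE_LINES, "ssh", counts);
    int unusual = flag_outliers(counts, HOURS, 2.0, flags);
    printf("%d unparsable line(s), %d unusual hour(s)\n", bad, unusual);
    for (int h = 0; h < HOURS; h++)
        if (counts[h])
            printf("%02d:00  ssh=%-3u %s\n", h, counts[h],
                   flags[h] ? "<-- unusual" : "");
    return 0;
}
```

With only one day of buckets the spike itself pulls the mean and deviation up, so for real logs compute the baseline from previous days (or from the other buckets, excluding the one under test) and compare each new bucket against that.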

Another interesting thing I've been mulling over is file carving from libpcap files. Often I find myself wanting to grab a file that was sent over the network that I have a capture of. I've been thinking of two ways to solve this: (1) write my own parser for files as I need them, or (2) contribute to the tcpxtract project so that it works more accurately.

Well, that's my brain dump for now. One of my goals is to use blogging as Richard Bejtlich has: as a personal dumping ground for thoughts, articles, etc. in case I need to refer back to them in the future. Let's see how this works out!

Password Guessing

One thing I enjoy doing is setting up fake services such as FTP and just collecting the usernames and passwords that people (or, more likely, automated scripts) try to gain access with.

One recent observation showed that in addition to the common passwords abc123, password, and letmein, common keyboard patterns were also tried, such as qwertyuiop, zxcvbnm, qazwsxedc, and 1qa2ws3ed. Another attacker decided to try some more obscure passwords. By googling some of these, it looks like the script may have been looking for a machine infected with a backdoor that was released in 2004! Those passwords were: pulamea, muietie, n-am_prins_parola, and pulanpizda.

Interesting choices!

Deobfuscating JavaScript at the Browser

The Websense Security Labs Blog has an interesting post up about one method of deobfuscating JavaScript. As I've alluded to in previous posts, any code that's pushed to the client's browser must eventually be understandable by that browser. This is why malicious scripts have to contain code to deobfuscate themselves. The trouble, of course, is getting the script to run without actually running the malicious content.

My method has primarily been to replicate the script's functionality and evaluate the code with a perl script on a *nix command line. If everything is printed to STDOUT instead of into the source of an HTML file inside a browser, there is no chance the code could execute. This has worked well but can often be tedious.

The method discussed in the post above involves hooking the document.write function of JavaScript inside mshtml.dll. With this in place an analyst can extract the deobfuscated code before it is fully processed by the browser. That's clever!