Information Security all in one place!


Kaspersky Labs: New Generation of Ultimate PC Protection; for Home


Kaspersky Lab, a leading developer of secure content and threat management solutions today announced a new version of its flagship product for at-home PC protection — Kaspersky PURE 2.0 Total Security. Using Kaspersky Lab’s award-winning anti-malware protection and an array of additional security tools, Kaspersky PURE 2.0 Total Security is the easiest way to keep multiple PCs secure, irreplaceable digital assets protected, and children safe and responsible online.

Central Home PC Management

Ideal for households with multiple computers, including families with children, Kaspersky PURE uses Home Network Management to easily protect, manage and monitor every PC in the household from a single machine.

From one PC, you can:

— Run all scans, updates, and backup tasks on every PC in the house automatically or on-demand

— Fix security issues without getting up from your desk

— Manage parental controls from anywhere in the house, so your kids are protected even when they’re out of view

— Conveniently update the Kaspersky PURE licenses throughout your home

Total Package of Security Tools

Kaspersky PURE also includes everything you need to secure your online identity and protect your irreplaceable digital property. When you install Kaspersky PURE, our extra layers of security mean you can say good-bye to overpriced and inefficient niche products.

This is great work. I am demoing the product now and will post my review shortly. Very excited about how this will shape the home and small business central management landscape. Will vendors pile on?

 

More on this breaking news can be found here: http://www.marketwatch.com/story/kaspersky-lab-announces-new-generation-of-ultimate-pc-protection-for-your-home-2012-03-26


Network Scanning: Concerns and Countermeasures


 


Daniel Saucier (Student of the InfoSec Industry, March 2012) – Network vulnerability scanning could not be more important than it is right now, in this age of internet computing. As technology grows, network architectures are not keeping up as fast as most would like. The article below assumes you have basic networking knowledge, and assumes no responsibility for actions taken based on it. Its sole purpose is to educate the savvy portion of the internet community about the different protection types and preventive measures available for today’s networking environments.

Different IP network scanning methods allow you to test for and effectively identify vulnerable network components. Here is a list of effective scanning techniques and their applications. These options can be found in the advanced configuration settings of most downloadable network scanners.

ICMP scanning and Probing:

>| By launching an ICMP ping sweep, you can effectively identify poorly protected hosts (security-conscious administrators such as myself filter inbound ICMP messages) and perform a degree of OS fingerprinting and reconnaissance by analyzing the responses to the ICMP probes.

Half-open SYN flag TCP port scanning:

>| A SYN port scan is often the most effective type of port scan to launch directly against a target IP network space. SYN scanning is very fast, which allows large networks to be scanned rather quickly.

Inverse TCP port scanning:

>| Inverse scanning types (particularly FIN, XMAS, and NULL) take advantage of idiosyncrasies in certain TCP/IP stack implementations. This scanning type is not useful for large networks. Use it for testing the security of individual hosts or small network segments. Make sure your code is as up to date as possible and apply any manual workarounds to protect gear from this type of scan. Some, if not all, of these scan types identify components that were left weak for cost-of-business reasons.

Third-party TCP port scanning:

>| Using a combination of vulnerable network components and TCP spoofing, third-party TCP port scans can be launched effectively. Scanning in this fashion has two benefits: hiding the true source of the TCP scan and assessing the filters and levels of trust between hosts. Although time-consuming to undertake, this can prove to be very effective when applied correctly.

UDP port scanning:

>| Identifying accessible UDP services can be undertaken easily, only if ICMP type 3 Code 3 (“Destination port unreachable”) messages are allowed back through filtering mechanisms that protect target systems. UDP services can sometimes be used to gather useful data or directly compromise hosts (the DNS, SNMP, TFTP, and BOOTP services in particular). Make sure you are locking these down!!

IDS evasion and filter circumvention:

>| Intrusion detection systems and other security mechanisms can be rendered ineffective by using multiple spoofed decoy hosts when scanning, or by fragmenting probe packets using Nmap or fragroute. Filters such as firewalls, routers, and even software (IPsec) can sometimes be bypassed using specific source TCP or UDP ports, source routing, or stateful attacks.

Using the scanning methods mentioned above you can harden your network pretty well. However, change is always a factor: what if you need to undertake a major network overhaul and start exposing different types of protocols to the network? The following list will help you when considering modifications to your components and will minimize the risk of re-exposing vulnerable services.

>| This list can be used as a baseline, and in some cases as a guideline, for any network configuration.

  1. Filter inbound ICMP message types at the border or perimeter (including the DMZ, if you host any servers there) on all routers and firewalls. This forces an attacker to use full-blown TCP scans against all of your IP addresses in order to map them effectively.
  2. Filter all outbound ICMP type 3 “unreachable” messages at the edge routers and firewalls to prevent UDP port scanning and firewalking from being effective. Firewalking is the process of identifying firewalls during scanning enumeration.
  3. Consider configuring Internet firewalls so they can identify port scans and throttle the connections accordingly. Appliances such as Check Point, NetScreen, and WatchGuard, to name a few, can be configured to prevent fast port scans and SYN floods from being launched against your network. However, this can backfire if the attacker is using a spoofed source address, resulting in a DoS. PortSentry is also a pretty effective open source option for identifying scans against your network.
  4. Assess the way that your network firewall or IDS devices handle fragmented IP packets by using tools such as fragtest and fragroute. Such devices can be taken down by being flooded with high volumes of fragments to process. Bring your findings to the vendor’s attention.
  5. Ensure that your routing and filtering appliances (both routers and firewalls) can’t be bypassed using specific source ports or source routing techniques.
  6. If you run FTP services, ensure that your firewalls aren’t vulnerable to stateful circumvention attacks relating to malformed PORT and PASV commands.
  7. If a commercial firewall is being used, ensure the following:
  • The latest code is installed; consider replacement if you cannot comply.
  • Antispoofing rules have been correctly defined so that the device doesn’t accept packets with private (spoofed) source addresses on its external interfaces.
  8. Investigate the use of reverse proxy services if high security is a must. Fragments and malformed packets do not get past these, thus mitigating low-level reconnaissance.
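The scanning techniques described earlier in this article and countermeasures 2, 3 and 7 of this list each leave a recognisable trace in firewall logs. The following Python script is an added example and is not part of the original article: it runs over a handful of constructed, simplified netfilter-style log lines (the addresses, the interface name eth0 and the threshold of five distinct ports are assumptions) and flags SYN sweeps, NULL/FIN/XMAS inverse-scan probes, UDP port sweeps, outbound ICMP type 3 code 3 “port unreachable” messages that the edge filter let through, and packets carrying RFC 1918 source addresses on the external interface, which an antispoofing rule should have dropped.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

EXTERNAL_IF = "eth0"        # assumption: eth0 is the Internet-facing interface
SCAN_PORT_THRESHOLD = 5     # assumption: distinct ports from one source before we call it a sweep
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# RFC 1918 ranges: the "private spoofed source addresses" an antispoofing rule should drop
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log (not a real capture), loosely modelled on netfilter LOG output:
# key=value fields followed by bare TCP flag tokens.
SAMPLE_LOG = """\
IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=21 SYN
IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=22 SYN
IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=25 SYN
IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=80 SYN
IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=443 SYN
IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40006 DPT=8080 SYN
IN=eth0 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=80 SYN
IN=eth0 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=80 ACK
IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=33001 DPT=22
IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=33002 DPT=22 FIN
IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=TCP SPT=33003 DPT=22 FIN PSH URG
IN=eth0 SRC=203.0.113.12 DST=198.51.100.10 PROTO=UDP SPT=50001 DPT=53
IN=eth0 SRC=203.0.113.12 DST=198.51.100.10 PROTO=UDP SPT=50002 DPT=69
IN=eth0 SRC=203.0.113.12 DST=198.51.100.10 PROTO=UDP SPT=50003 DPT=161
IN=eth0 SRC=203.0.113.12 DST=198.51.100.10 PROTO=UDP SPT=50004 DPT=67
IN=eth0 SRC=203.0.113.12 DST=198.51.100.10 PROTO=UDP SPT=50005 DPT=123
OUT=eth0 SRC=198.51.100.10 DST=203.0.113.12 PROTO=ICMP TYPE=3 CODE=3
OUT=eth0 SRC=198.51.100.10 DST=203.0.113.12 PROTO=ICMP TYPE=3 CODE=3
IN=eth0 SRC=10.0.0.23 DST=198.51.100.10 PROTO=TCP SPT=1234 DPT=22 SYN
IN=eth1 SRC=10.0.0.23 DST=198.51.100.10 PROTO=TCP SPT=1234 DPT=22 SYN
"""


def parse_line(line):
    """Split one record into key=value fields plus the set of bare TCP flag tokens."""
    rec = {"flags": set()}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec


def is_rfc1918(addr):
    """True for a source address inside one of the three RFC 1918 private ranges."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def classify_tcp_flags(flags):
    """Name the inverse-scan probe shapes the article lists; None for ordinary traffic."""
    if not flags:
        return "NULL"
    if flags == {"FIN"}:
        return "FIN"
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS"
    return None


def analyze(log_text):
    """Return a list of (finding, who, detail) tuples for the records in log_text."""
    findings = []
    syn_ports = defaultdict(set)    # inbound SYN-only probes: source -> distinct destination ports
    udp_ports = defaultdict(set)    # inbound UDP datagrams: source -> distinct destination ports
    unreachables = defaultdict(int)  # outbound ICMP 3/3 that escaped the edge filter, per destination
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        src, proto = r.get("SRC"), r.get("PROTO")
        # Countermeasure 7: a private source address must never arrive on the external interface
        if r.get("IN") == EXTERNAL_IF and src and is_rfc1918(src):
            findings.append(("spoofed-private-source", src, r.get("DPT")))
        if proto == "TCP" and "IN" in r:
            shape = classify_tcp_flags(r["flags"])
            if shape:
                findings.append(("inverse-scan-" + shape, src, r.get("DPT")))
            elif r["flags"] == {"SYN"}:
                syn_ports[src].add(r.get("DPT"))
        elif proto == "UDP" and "IN" in r:
            udp_ports[src].add(r.get("DPT"))
        elif (proto == "ICMP" and r.get("OUT") == EXTERNAL_IF
              and r.get("TYPE") == "3" and r.get("CODE") == "3"):
            unreachables[r.get("DST")] += 1
    # Countermeasure 3: many distinct ports from one source is the signature of a sweep
    for src, ports in syn_ports.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append(("syn-sweep", src, len(ports)))
    for src, ports in udp_ports.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append(("udp-sweep", src, len(ports)))
    # Countermeasure 2: outbound port-unreachables tell a UDP scanner which ports are closed
    for dst, count in unreachables.items():
        findings.append(("icmp-port-unreachable-leak", dst, count))
    return findings


if __name__ == "__main__":
    for kind, who, detail in analyze(SAMPLE_LOG):
        print(f"{kind:<28} {who:<16} {detail}")
```

The threshold and the interface name are the two knobs to tune for a real network; the legitimate 203.0.113.77 connection (one port, SYN then ACK) is deliberately included to show that a single handshake does not trip the sweep rule. Real netfilter LOG lines carry extra fields (MAC, LEN, TTL, WINDOW) that the key=value parser simply ignores.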

Wrapping up this article, I would like to mention: be aware of your own network configuration and its publicly accessible ports by launching TCP and UDP port scans along with ICMP probes against your own IP address space. It really is surprising how many companies, large and small, still do not undertake proper scanning exercises.

Happy Hardening!

-DS


RSA Conference 2012: On the Agenda


This is the first RSA Conference since 2011’s high-profile security breaches. How did those incidents influence this year’s agenda? Hugh Thompson explains in an exclusive event preview.

By any account, 2011 was a banner year for prominent information security attacks.

“We’ve seen the rise of hacktivism; we’ve seen just a huge amount of these highly-targeted, sophisticated attacks,” says Thompson, RSA Conference’s program committee chair. And these incidents have fundamentally influenced the conference agenda.

“If you look at many of the breaches over the past 12 months, most of them ended with some type of sensitive data leaving the enterprise,” Thompson says. “But it’s interesting to look at how many of [the incidents] began. A lot of them began with a person – a smart, well-intentioned person inside the company, making a choice. And the choice was either to install an executable, open a file, and I think you’ll see that play out in a fascinating way in this year’s agenda. We’ve got quite a few talks on the human element of security.”

Read More Here: http://www.bankinfosecurity.com/interviews.php?interviewID=1404


Cisco Security Advisory: Cisco Small Business SRP 500 Series


Cisco Releases Security Advisory for Cisco Small Business SRP 500 Series

Cisco Small Business (SRP 500) Series Services Ready Platforms contain the following three vulnerabilities:

* Cisco SRP 500 Series Web Interface Command Injection Vulnerability
* Cisco SRP 500 Series Unauthenticated Configuration Upload Vulnerability
* Cisco SRP 500 Series Directory Traversal Vulnerability

These vulnerabilities can be exploited using sessions to the Services Ready Platform Configuration Utility web interface. In the default configuration they could be exploited from the local LAN side of the SRP device, and from the WAN side if remote management is enabled. Remote management is disabled by default.

Cisco has released free software updates that address these vulnerabilities.

Workarounds that mitigate these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500

The following Cisco SRP 520 Series models are affected if running firmware prior to version 1.1.26:

 * Cisco SRP 521W
 * Cisco SRP 526W
 * Cisco SRP 527W

The following Cisco SRP 520W-U Series models are affected if running firmware prior to version 1.2.4:

 * Cisco SRP 521W-U
 * Cisco SRP 526W-U
 * Cisco SRP 527W-U

The following Cisco SRP 540 Series models are affected if running firmware prior to version 1.2.4:

 * Cisco SRP 541W
 * Cisco SRP 546W
 * Cisco SRP 547W

To view the firmware version on a device, log in to the Services Ready Platform Configuration Utility and navigate to the Status > Router page to view information about the Cisco SRP Series device and its firmware status.  The Firmware Version field indicates the current running version of firmware on the Cisco SRP 500 Series device.
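Once the Firmware Version field has been read off the Status > Router page, the remaining step is comparing it with the fixed release for that model. The following Python snippet is an added example, not Cisco’s code: it encodes the model-to-fixed-version table exactly as given in the advisory text above and compares versions numerically, because a plain string comparison would rank a hypothetical “1.1.3” above “1.1.26” and wrongly report such a device as patched.

```python
# Fixed firmware per model, taken from the advisory text above (SRP 520: 1.1.26; SRP 520W-U and 540: 1.2.4).
FIXED_FIRMWARE = {
    "SRP 521W": "1.1.26", "SRP 526W": "1.1.26", "SRP 527W": "1.1.26",
    "SRP 521W-U": "1.2.4", "SRP 526W-U": "1.2.4", "SRP 527W-U": "1.2.4",
    "SRP 541W": "1.2.4", "SRP 546W": "1.2.4", "SRP 547W": "1.2.4",
}


def version_tuple(version):
    """'1.1.26' -> (1, 1, 26) so that components compare as integers, not as text."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(model, running_version):
    """True when the model is listed and runs firmware older than its fixed release.

    Returns None for a model the advisory does not list, so the caller can tell
    "not affected" apart from "not covered by this advisory".
    """
    fixed = FIXED_FIRMWARE.get(model.strip().upper())
    if fixed is None:
        return None
    return version_tuple(running_version) < version_tuple(fixed)


if __name__ == "__main__":
    # Constructed inventory rows (model, Firmware Version field); not real devices.
    inventory = [("SRP 521W", "1.1.3"), ("SRP 521W", "1.1.26"), ("SRP 541W", "1.2.4"), ("SRP 541W", "1.1.26")]
    for model, version in inventory:
        print(f"{model:<12} {version:<8} affected={is_affected(model, version)}")
```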

More information regarding these vulnerabilities:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

The latest Cisco SRP 500 Series Services Ready Platforms firmware can be downloaded at:
http://www.cisco.com/cisco/software/navigator.html?mdfid=282736194&i=rm


Love and Security: Microsoft Sends us Both


Happy Patch Day

Instead of giving you the same breakdown of the recent critical fixes, I have decided to go a different route. NSIT has compiled a list of websites that discuss the vulnerabilities in depth. Microsoft has released fixes for some critical exploits; knowing what they are is just half of what you need to know. How applying these updates affects your current environment is critical. Read on and keep patching!!

Microsoft’s Security Website: http://technet.microsoft.com/en-us/security/bulletin/ms12-feb

CIO Today:

Andrew Storms, director of security operations at nCircle, quipped that IT security teams are not getting any candy hearts from Microsoft for Patch Tuesday. Instead, every version of Internet Explorer gets a security update. Another analyst pointed to the HTML Layout and GDI Access Violation vulnerabilities as particularly important patches.

Read More: http://www.cio-today.com/news/No-IT-Valentines-on-Patch-Tuesday/story.xhtml?story_id=0320013QGOXS&full_skip=1

CSO Blogs:


Microsoft has just released its February 2012 security updates. Here’s some analysis from the folks at Symantec, McAfee and Qualys.

Read More: http://blogs.csoonline.com/network-security/2031/patch-tuesday-notes-february-2012

InfoPackets:

Microsoft will be offering fixes for a wide range of flaws affecting the company’s Internet Explorer (IE) web browser, every version of its Windows operating system (OS), as well as Microsoft Office.

Read More: http://www.infopackets.com/news/business/microsoft/2012/20120213_microsoft_patch_tuesday_fixes_21_security_flaws.htm

Your feedback is encouraged http://feedback.netsecurityit.com



Defense of Enterprise Architecture Cloud Computing



It’s more than an academic question now that the age of the cloud is upon us. For one thing, it would seem to be a moot point for most data users, and data managers for that matter, considering resources, infrastructure and architectures will soon be available in multiple forms at the touch of a button (and the payment of fees). And secondly, the data center industry is quickly gravitating toward open platforms, open fabrics and dynamic data infrastructures that aim to suit all manner of requirements at any given time.

So the question remains: With unlimited scalability, flexibility and operability at our disposal, do we really need to worry about how data environments are designed and built anymore?

To some data experts, like Ofcom’s Adrian Grigoriu, the more appropriate question is, did any of this ever matter in the first place? Enterprise architecture (EA) has always been more of an art form than a science anyway. With no real EA framework in place, most data architectures remain a loose collection of components, so the architect is free to define his own goals at the start and then determine for himself if they have been achieved. Tools like TOGAF provided a process template, but there is and never has been a formalized EA framework in which discrete parts are integrated into a cohesive whole.

Too often, says MIT’s Jeanne Ross, what usually passes for architecture is simply a few key systems or managers who maintain responsibility for the most essential business processes. As data centers become tasked with meeting an increasingly diverse set of requirements, however, this approach starts to break down. The end result is that without a proper grasp of architecture, organizations will find their data environments to be less responsive and more expansive than their properly designed peers.

A key concept in future architectures will be agility, according to Todd Drake, VP of technology at digital marketing firm Organic. As enterprises are hit with everything from virtualization to mobile applications, the ability to adapt and respond to changing environments will be crucial. The problem is that there is no set way to measure architectural agility, with different organizations factoring in various mixtures of speed, flexibility, adaptability and other hard-to-quantify parameters. His own approach is built largely on costs, where agility becomes a ratio of the complexity of a given change over the effort required to implement it.

The term “holistic” is also getting more buzz around the architectural water cooler. As the University of North Texas’ Dr. Leon Kappelman describes it, the tendency to compartmentalize data center resources results in ever diminishing results — like trying to understand a living being by analyzing its component chemicals. Much better to embrace a “counter-reductionist approach” by viewing the interactions and interconnections of various components, rather than the raw capabilities of the components themselves. In that way, you get a fully optimized data center, as opposed to optimized networks, storage systems or operating platforms.

So in the end, what are we left with? Should we concern ourselves with architecture or not? It would seem that in the old days of static data silos and one-to-one user-desktop-server relationships, the answer would have been no, at least not to any significant degree.

Going forward, however, as the dynamic infrastructure of the cloud starts to take hold and former rules governing data, systems, resources and infrastructure break down, enterprise architecture will start to matter a great deal.


Boardrooms prey for Hackers


One afternoon recently, a hacker took a tour of a dozen conference rooms around the globe via equipment that most every company has in those rooms: videoconferencing equipment.

With the move of a mouse, he steered a camera around each room, occasionally zooming in with such precision that he could discern grooves in the wood and paint flecks on the wall. In one room, he zoomed out through a window, across a parking lot and into shrubbery some 50 yards away where a small animal could be seen burrowing underneath a bush. With such equipment, the hacker could have easily eavesdropped on privileged attorney-client conversations or read trade secrets on a report lying on the conference room table.

In this case, the hacker was HD Moore, a chief security officer at Rapid 7, a Boston-based company that looks for security holes in computer systems that are used in devices like toaster ovens and Mars landing equipment. His latest find: Videoconferencing equipment is often left vulnerable to hackers.

Businesses collectively spend billions of dollars each year beefing up security on their computer systems and employee laptops. They agonize over the confidential information that employees send to their Gmail and Dropbox accounts and store on their iPads and smartphones. But rarely do they give much thought to the ease with which anyone can penetrate a videoconference room where their most guarded trade secrets are openly discussed.

Moore has found it easy to get into several top venture capital and law firms, pharmaceutical and oil companies and courtrooms across the country. He even found a path into the Goldman Sachs boardroom.

“The entry bar has fallen to the floor,” said Mike Tuchen, chief executive of Rapid 7. “These are literally some of the world’s most important boardrooms — this is where their most critical meetings take place — and there could be silent attendees in all of them.”

Ten years ago, videoconferencing systems were complicated and erratic, and ran on expensive, closed high-speed phone lines. Over the past decade, videoconferencing — like everything else — migrated to the Internet. Now, most businesses use Internet protocol videoconferencing — a souped-up version of Skype — to connect with colleagues and customers. Most of these new systems were designed with visual and audio clarity — not security — in mind.

Rapid 7 discovered that hundreds of thousands of businesses were investing in top-quality videoconferencing units, but were setting them up on the cheap. At last count, companies spent an estimated $693 million on group videoconferencing from July to September of last year, according to Wainhouse Research.

The most popular units, sold by Polycom and Cisco, can cost as much as $25,000 and feature encryption, high-definition video capture, and audio that can pick up the sound of a door opening 300 feet away. But administrators are setting them up outside the firewall and are configuring them with a false sense of security that hackers can use against them.


Whether real hackers are exploiting this vulnerability is unknown; no company has announced that it has been hacked. (Nor would one, and most would never know in any case.) But with videoconference systems so ubiquitous, they make for an easy target.

With videoconferencing, companies have seemingly gone out of their way to make themselves vulnerable. In many cases, they are not only putting their systems on the Internet, but setting them up in a way that allows anyone to listen in unnoticed.

New systems are outfitted with a feature that automatically accepts inbound calls so users do not have to press an “accept” button every time someone dials into their videoconference. The effect is that anyone can dial in and look around a room, and the only sign of their presence is a tiny light on a console unit, or the silent swing of a video camera.

Two months ago, Moore wrote a computer program that scanned the Internet for videoconference systems that were outside the firewall and configured to automatically answer calls. In less than two hours, he had scanned 3 percent of the Internet.

In that sliver, he discovered 5,000 wide-open conference rooms at law firms, pharmaceutical companies, oil refineries, universities and medical centers. He stumbled into an attorney-inmate meeting room at a prison, an operating room at a university medical center and a venture capital pitch meeting where a company’s financials were being projected on a screen.

Among the vendors that popped up in Moore’s scan were Polycom, Cisco, LifeSize, Sony and others. Of those, Polycom — which leads the videoconferencing market in units sold — was the only manufacturer that ships its equipment — from its low-end ViewStation models to its high-end HDX products — with the auto-answer feature enabled by default.

In an email, Shawn Dainas, a Polycom spokesman, said the auto-answer feature had several safety elements built in that could be activated by a customer, including password protections, auto-mute and camera control lockup, adding that Polycom also offered a camera lens cover. He said the “security levels have been designed to make it easy for our customers to enable security that is appropriate to their business.”

Of the Polycom videoconference systems that popped up in Moore’s scan, none blocked control of the camera, asked for a password or muted sound.

“Many Polycom systems are sold, installed and maintained without any level of access security, with auto-answer enabled by default,” Moore said. “It boils down to whether organizations are aware of the risk, and our research indicates that many, even well-heeled venture capital firms, were not aware and do not implement even the most basic of security measures.”

Tuchen of Rapid7 said that as a shortcut, businesses put their videoconference systems outside the firewall, allowing them to receive calls from other companies without having to do any complex network configuration. The safer way to receive calls from other companies, Tuchen said, is to install a “gatekeeper” that securely connects calls from outside the firewall. But this process “is complex to configure properly,” he said, and “is often skipped.”

In some cases, Moore discovered he could leap from one open system into its address book and dial into the conference rooms of other companies, even those companies that put their system behind the firewall.

That was the case with Goldman Sachs. The bank’s boardroom did not show up in Moore’s initial scan, but an entry labeled “Goldman Sachs Board Room” popped up in the directory of a law firm that Goldman Sachs videoconferences with. Moore did not disclose the name of the law firm and said that because he was afraid of “crossing a line,” he did not dial into Goldman Sachs.

Said Tuchen, “Any reasonably computer literate 6-year-old can try this at home.”

Here is a short video on videoconferencing. By watching it you can see how vulnerable these systems really are when left on and unattended.

Video Conferencing Systems
