Blog: Security and Compliance

A few weeks ago, I was asked to set up scheduled reports for PGP Endpoint. These weekly reports would include information such as devices blocked or allowed and would be emailed to a small subset of administrators. After setting up the report and using my email address as a test, I waited for it to send. It didn’t send. I changed the report to save to a file to troubleshoot and it wouldn’t do that either. Time to call PGP.

The engineer assigned to my case didn’t have much experience with PGP Endpoint and, as such, took a bit longer to research and get back to me than was normal. After sending him the debug logs, he got back to me saying that the license key was invalid and to double check that I had a license installed.

Yup! From the main screen of the management console, there it is…

Fast forward to a week and a half later, and I get another email from my engineer. “Make sure that there are no characters in the report template name that cannot be in a Windows File Path.” Wait, what?

Sure enough, my template names included a “/” in the template name. Take that out, and everything works fine. It turns out that this scheduler generates the report, using the template name as the file name, and saves it in a temporary location until it can attach the file to an email and send it off. What was happening is the scheduler would save the file in a location that doesn’t exist (because of the “/”), turn around and try and attach the file (that doesn’t exist) to an email and fail, and then try and send off an email (that doesn’t exist because the previous process failed). And then report that the license file was invalid.

To add another layer of humor to this problem, take a look at this list of templates. The ones with red arrows have NOT been modified since the initial installation of PGP Endpoint. Notice anything peculiar about the names?


 

When people have cables with combination locks for securing their laptops at their workstation they always remember to turn the tumblers when they secure the laptop. But what happens when they unsecure the laptop? Many people won't turn the tumblers on the opened lock because it is much easier to lock the laptop later if the combination is already set.

In one instance, laptops were stolen by someone who came by when the laptops were not there and noted the combination. They came back later when the laptops were there and used the combination they had noted earlier.


 

Steve Gibson, one of the hosts of the popular "SecurityNow!" podcast, has created a tool that allows the checking of DNS servers for spoofability. This tool works by asking the user's browser to retrieve an image located at a uniquely named subdomain of the type xxxxxxxxxxxxx.dns.grc.com, "where the “xxxxxxxxxxxxx” is replaced with a unique 13-character string of characters that has never been used before."*

Then, in order to know the IP address for this special domain, the browser sends a DNS query to its DNS server, which then forwards this query to a special nameserver located at grc.com. This nameserver tells the DNS server that the location of that image is actually an "'alias' of the real domain name, which is a good deal longer and more complex."* The nameserver instructs the DNS server to look up the name of the "real" location of the image, which looks like "...a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.xxxxxxxxxxxxx.dns.grc.com"* (with about 50 'a' labels in front of the 13-character string).

The DNS server sends queries to the GRC nameserver, attempting to resolve the IP address of the given domain name one sub-domain at a time, causing the DNS server to send hundreds of requests which are collected by the GRC nameserver. As the nameserver collects these requests, it creates a scatter plot of both the Source Port and the Query Transaction ID of each request. Then, the data is analyzed to see the randomness of the Source Port and the Query Transaction ID, which reveals the spoofability of the DNS servers being used.
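As an added example (not GRC's code), the Python below rates a resolver from the (source port, transaction ID) pairs an authoritative nameserver would log, the same two fields the GRC test plots. The two query samples are constructed, and the 90%-of-ceiling entropy threshold is an assumption.

```python
import math
import random
from collections import Counter
from typing import Sequence

Query = tuple[int, int]  # (UDP source port, DNS transaction ID) of one upstream query

def entropy_bits(values: Sequence[int]) -> float:
    """Shannon entropy of the observed values, in bits. With n samples the
    ceiling is log2(n), so a sample is judged against that, not against 16."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def is_sequential(values: Sequence[int]) -> bool:
    """True when every value is the previous one plus 1 (mod 2**16)."""
    return len(values) > 1 and all((b - a) % 65536 == 1 for a, b in zip(values, values[1:]))

def assess_resolver(queries: Sequence[Query]) -> dict:
    """Estimate how much of the (port, txid) space a spoofer would really
    have to guess, from queries observed on the authoritative side."""
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    ceiling = math.log2(len(queries))
    report = {
        "port_entropy": entropy_bits(ports),
        "txid_entropy": entropy_bits(txids),
        "port_fixed": len(set(ports)) == 1,
        "txid_sequential": is_sequential(txids),
    }
    # A fixed source port or predictable IDs collapse the guess space to 16 bits or less.
    weak = report["port_fixed"] or report["txid_sequential"]
    weak = weak or min(report["port_entropy"], report["txid_entropy"]) < 0.9 * ceiling
    report["verdict"] = "spoofable" if weak else "good"
    return report

# Constructed samples: an unpatched resolver (one port, counting IDs) and a
# port-randomising one.
fixed_port = [(53, 0x1000 + i) for i in range(200)]
rng = random.Random(1)
randomised = [(rng.randrange(1024, 65536), rng.randrange(65536)) for _ in range(200)]

if __name__ == "__main__":
    for name, sample in (("fixed_port", fixed_port), ("randomised", randomised)):
        print(name, assess_resolver(sample))
```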

This tool is quite interesting, and shows that even as vulnerabilities arise on these critical systems, many do not fix the vulnerabilities, leaving the users at risk to visit a malicious web site believing that it is the site they were looking for which potentially places their private data at risk.

*A more thorough and detailed analysis of how this tool works can be found by reading GRC's article on how the DNS Nameserver Spoofability Test works.


 

On January 3rd, 2011, Rick Regan reported on his blog Exploring Binary that the following statement causes PHP to hang in an infinite loop.

<?php $d = '2.2250738585072011e-308'; echo $d; ?>

The problem occurred when the string '2.2250738585072011e-308' is converted to a double precision floating point number in a subroutine named zend_strtod().  The code takes a string that represents a floating point number and tries to return the nearest double precision floating point number.  A standard double precision floating point number is 64 bits wide: 1 bit for the sign, 11 bits for the exponent, and 52 bits for the fractional part.  The problem number written as a hexadecimal floating point constant looks like 0x0FFFFFFFFFFFFFp-1022.  This means the number is almost the smallest number that can be represented in 64 bits that is close to zero without being zero, and the fractional part is all 1’s.  The routine zend_strtod() works by converting the string into an approximate floating point number and then tries to refine the approximation in successive loops.  The problem comes when the routine uses the 80 bit floating point registers in most Intel processors.  The 80 bit floating point registers are a legacy from the 8087 Floating Point Coprocessor that Intel introduced in 1980.  With the wider 80 bit hardware registers, the processor can represent more values between the problem number and zero.  The unwanted precision ended up causing the routine to loop endlessly trying to refine the approximate floating point number.  This “unwanted precision” has been at the root of many floating point bugs and it’s likely to show up again in other programs and operating system libraries.
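To see the bit layout described above, here is an added Python example (not from the post and not PHP's code): it parses the problem literal with Python's float(), which rounds correctly to the nearest binary64, and splits the result into the sign, exponent and fraction fields. It assumes a 64-bit IEEE 754 double and prints Python's own hexadecimal float form alongside the fields.

```python
import struct

FRACTION_BITS = 52
FRACTION_MASK = (1 << FRACTION_BITS) - 1
EXPONENT_MASK = 0x7FF  # 11 exponent bits

def decode_double(value: float) -> dict:
    """Split a binary64 value into its 1-bit sign, 11-bit exponent and
    52-bit fraction fields."""
    (bits,) = struct.unpack("<Q", struct.pack("<d", value))
    exponent = (bits >> FRACTION_BITS) & EXPONENT_MASK
    fraction = bits & FRACTION_MASK
    return {
        "bits": bits,
        "sign": bits >> 63,
        "exponent": exponent,
        "fraction": fraction,
        # exponent field 0 with a non-zero fraction marks a subnormal number,
        # i.e. one of the values packed between the smallest normal number and zero
        "subnormal": exponent == 0 and fraction != 0,
        "fraction_all_ones": fraction == FRACTION_MASK,
        "hex": value.hex(),  # Python's hexadecimal floating point notation
    }

def decode_literal(text: str) -> dict:
    """Convert a decimal string to the nearest binary64 (the job zend_strtod()
    does in PHP) and decode the result."""
    return decode_double(float(text))

if __name__ == "__main__":
    # The literal from the bug report.
    info = decode_literal("2.2250738585072011e-308")
    print(f"{info['hex']}: sign={info['sign']} exponent={info['exponent']} "
          f"fraction=0x{info['fraction']:013x} subnormal={info['subnormal']}")
```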

The solution chosen by the PHP committers was to mark the variables used in the refinement to be “volatile”. This causes the compiler to keep the values in memory and not use the hardware registers for comparison or arithmetic operations.

This bug was fixed in PHP versions 5.3.5 and 5.2.17, released on January 6th, 2011.  Here is a link to a test script to determine if your version of PHP is affected by this bug: http://www.php.net/archive/2011.php#id2011-01-06-1.


 

It’s a pain to make sure that every site you enter credentials or nonpublic information (such as credit card info) into is encrypted.  I’d be willing to bet that even security aware people get complacent sometimes and assume that since amazon.com was encrypted the last time they used it, it’s probably still encrypted.

Now there’s an add-on for Firefox that makes it much more obvious when the site you’re looking at is or isn’t encrypted.  It’s called “SSLPersonas”.  Despite its name, you’ll need to look for it under add-ons/extensions, not themes/personas.  It dynamically changes the entire web browser theme depending on what kind of page you’re on.  By default, it uses your current theme for unencrypted websites (i.e. HTTP).  It switches to a blue theme with a lock for HTTPS sites with a traditional certificate (i.e. not extended validation (EV)).  It switches to a green theme with locks and a certificate for HTTPS sites with an EV certificate.  And, finally, it switches to an orange theme with a triangle and exclamation mark for HTTPS sites that have a broken/expired certificate.  The themes it uses are customizable, so you could make the broken certificate use a McDonald’s Hamburglar theme if you wanted.


 

Quite frequently on information security audits we find machines where group policies have been applied incorrectly or not at all.  The IT administrator swears the policy is working, but the policies haven’t always taken effect on the machines.  What we can do in that situation for Windows XP machines is use GPupdate.exe, Rsop.msc, and GPresult.exe to find out more information.

GPupdate

After you make changes to group policies, you may want the changes to be applied immediately, without waiting for the default update interval (90 minutes on domain members and 5 minutes on domain controllers) or without restarting the computer. To make this update, at a command prompt, run the Gpupdate.exe utility.

RSoP

The Resultant Set of Policy MMC snap-in has a nice interface and is easily used. Just go to Start, Run and enter rsop.msc. This will flash up a quick screen with a summary of the environment it’s processing.

When the progress reaches 100%, it will pull up a report of the policies that have been applied to the computer and to the user. You can browse the list, which mirrors the Group Policy Management Console, and see which policies the machine is actually seeing, which might not quite match what you’ve set on the Active Directory server.

You can also use this to diagnose any errors. For example, if a software deployment isn’t coming through for some reason, you can verify that it has access to the policy and has received the command. You can also see any related errors to help your troubleshooting.

GPResult

Starting with Vista SP1, RSoP no longer shows all of the group policies that a computer might have being applied to it. Instead, Microsoft recommends that you use the command line tool GPResult. Just open the Command Prompt and type:  gpresult

Being a command line tool, it opens up the possibilities to include it in scripting. There are a large number of options you can use with GPResult to get exactly what you want. You can use it to create a nicely formatted HTML or XML report and you can also use it to run remotely on another system and as a different user (provided you know the password).


 

Just as IT departments are finally locking down the use of removable media, a new threat may make existing technical controls irrelevant.  The “Teensy” is a USB microcontroller that plugs into a PC in the same manner as a USB thumbdrive.  But, the technical controls that are able to neutralize the use of thumbdrives and other USB storage have no effect on the Teensy.  That is because the Teensy emulates a human interface device, such as a keyboard.  Since USB keyboards are restricted by very few, if any companies, the Teensy is able to connect undetected.  The tiny microcontroller can be programmed with virtually any code- including code useful in an exploit.

Teensy devices are available online for relatively low cost- under $10 US.  It looks like IT administrators have another thing to keep them awake at night.


 

When I logged onto a customer’s terminal server/dc, the c: was completely out of space.  I loaded Space Monger and saw that most of the files taking up room were in c:\program files\sav in .xdb files.  I ran disk cleanup and compressed old files which freed up about 5 GB.

I then started researching what was downloading the xdb files.  I saw that they were dating back to almost 60 days ago and every day since.  Each file was approximately 100 MB. 

I looked at all of the Symantec products on their system and talked with the person who had updated Symantec Antivirus (SAV) to Symantec Endpoint Protection (SEP).  He asked me to check the scheduled tasks, and I discovered that there was a scheduled task that ran to download definitions to the old SAV program before they were upgraded to SEP.  I disabled the scheduled task and deleted the xdb files to finish cleaning up an additional 4 GB space.


 

If you have ever stayed at a Hampton Inn, you are probably very familiar with the Internet intercept website they use to ask for the Internet access code.  That intercept page also includes a checkbox asking if you are an advanced VPN user.  I have alternated between checking and not checking this box without any noticeable effects on the performance of the CoNetrix VPNs.  Without doing much research into it, I made the assumption that it was probably opening VPN-related ports.  However, on my last audit, I was working with a virtual system on my laptop that we use often at banks, but I had never needed to turn on at a hotel.  I had some IP address problems with the virtual machine and, during the troubleshooting process, discovered my laptop had been given a public IP address by the hotel’s wireless Internet connection. 

After some tests, I verified that it was a real public IP address that was directly accessible by anyone on the Internet.  A coworker was on the audit with me, so we checked his IP config, but he had a private IP address.  Checking the “advanced VPN user” option on the hotel’s website had assigned me a public IP address, presumably to avoid any NAT issues that might foul up a VPN connection.

The experience was a good reminder to me to make sure my laptop security is up to date whenever I use a public network.  We don’t always know how public connections are configured or who else is connected.  At any hotel, our laptops and network traffic are exposed to any system connected to the hotel’s local LAN.  However, at least in this one case, my laptop was also directly exposed to the entire Internet.  In either case, a strong firewall policy (block all inbound connections, make sure the network connection is designated as “Public” and not “Private” or “Domain”) and a fully patched system are very important.


 

Windows 2008 and IIS 7.0 install with Secure Sockets Layer (SSL) version 2 and “weak” cryptography ciphers turned on by default.  Having those turned on will likely turn up some findings in a penetration test.  Here are some common vulnerability names that might appear in your penetration test results:

  • SSL Server Supports Weak Encryption
  • SSL Server Allows Cleartext Encryption
  • SSL Server May Be Forced to Use Weak Encryption
  • SSL Server Allows Anonymous Authentication

Disabling

Unfortunately, there is not currently an intuitive way to enable/disable the protocols and ciphers from the Windows GUI.  You must edit your system’s registry to get the job done.  Some of the registry keys and DWORDs will likely not be in the registry, so you will need to add them.  It’s always a good idea to back up your registry before making changes, just in case something goes wrong.  Click Start, click Run, type regedt32 or regedit, click OK, and then add/modify the keys listed below.

Here are the registry keys to turn off PCT 1.0 and SSL 2.0 and leave SSL 3.0 and TLS 1.0 turned on:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
    • DWORD = 0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
    • DWORD = 0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
    • DWORD = 1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
    • DWORD = 1

Here are the keys to turn off “weak” SSL ciphers:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
    • DWORD = 0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
    • DWORD = 0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128
    • DWORD = 0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128
    • DWORD = 0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
    • DWORD = 0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
    • DWORD = 0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128
    • DWORD = 0

Testing

The easiest way I’ve found to verify the protocols and ciphers are turned off is to use the free OpenSSL toolkit.  Here are some instructions for installing Cygwin with OpenSSL on Windows 7: https://www.conetrix.com/Blog/post/How-to-Install-OpenSSL-on-Windows-7.aspx.  Here are some instructions for installing OpenSSL on Ubuntu: https://help.ubuntu.com/community/OpenSSL#Practical OpenSSL Usage.  If you are using a Mac, OpenSSL should already be installed.

Once you get it installed, here is the command you can use to verify that SSLv2 is turned off:

# openssl s_client -ssl2 -connect YOURSERVERNAME:443

If the server does not support SSLv2, then you should see an error like one of the following two examples:

CONNECTED(00000003)
Write:errno=113

Or

CONNECTED(00000003)
1324:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

Here is the command to test for weak ciphers:

# openssl s_client -connect SERVERNAME:443 -cipher LOW:EXP

If the server does not support weak ciphers then an error will be displayed similar to the error examples given above.
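The two probes above can be scripted for a list of servers. The Python below is an added example, not from the post, that wraps openssl s_client with the same flags and classifies its output using the refusal messages shown above. It assumes an OpenSSL build that still accepts -ssl2 (as the 2011-era one in the post does; newer builds drop it) and assumes that a failed handshake prints "Cipher is (NONE)" in the session summary.

```python
import subprocess

# Probes from the post: an SSLv2-only handshake and the LOW:EXP cipher list.
PROBES = {
    "sslv2": ["-ssl2"],
    "weak_ciphers": ["-cipher", "LOW:EXP"],
}

def classify(output: str) -> str:
    """Decide from s_client's combined stdout/stderr whether the server
    accepted the probe. "errno=" and "handshake failure" are the refusals
    shown in the post; "Cipher is (NONE)" is the summary line s_client prints
    when no handshake completed (assumption)."""
    refused = ("errno=", "handshake failure", "Cipher is (NONE)")
    if any(marker in output for marker in refused):
        return "refused"        # the protocol/cipher is disabled: good
    if "CONNECTED" in output and "Cipher is" in output:
        return "accepted"       # the server negotiated it: finding confirmed
    return "unknown"

def run_probe(host: str, args: list[str], port: int = 443, timeout: int = 15) -> str:
    """Run one s_client probe with stdin closed so it exits after the handshake."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", *args]
    try:
        proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""               # no openssl binary or no answer: reported as unknown
    return (proc.stdout + proc.stderr).decode(errors="replace")

def audit(host: str, port: int = 443) -> dict:
    """Map each probe name to accepted/refused/unknown for one server."""
    return {name: classify(run_probe(host, args, port)) for name, args in PROBES.items()}

if __name__ == "__main__":
    import sys
    for server in sys.argv[1:]:
        print(server, audit(server))
```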