Hackers (Not) Halted

Hackers (Not) Halted: Techniques for doing things wrong. Paula Januszkiewicz, CQURE: CEO, Penetration Tester; iDesign: Security Architect

More info on http://techdays.be.

Transcript of Hackers (Not) Halted

Page 1: Hackers (Not) Halted

Hackers (Not) Halted: Techniques for doing things wrong

Paula Januszkiewicz, CQURE: CEO, Penetration Tester; iDesign: Security Architect

Page 2: Hackers (Not) Halted

Contact

Paula Januszkiewicz, CQURE: CEO, Penetration Tester; iDesign: Security Architect
[email protected] | [email protected]
http://idesign.net

Page 3: Hackers (Not) Halted

Session Goals

Be familiar with the administrator’s mistakes that are indirectly or directly influencing security in the infrastructure

… or just lack of knowledge issues

We are NOT talking about the hardening!

… but we are discussing some options

My goal: Define one of the problems in your network

Page 4: Hackers (Not) Halted

Agenda

1. Introduction

2. Cases of Technology (NOT) Working

3. Summary

Page 5: Hackers (Not) Halted
Page 6: Hackers (Not) Halted
Page 7: Hackers (Not) Halted

Agenda

1. Introduction

2. Cases of Technology (NOT) Working

3. Summary

Page 8: Hackers (Not) Halted
Page 9: Hackers (Not) Halted

Misunderstanding Passwords

Will you share your passwords with others? We do this every day!

How do services store passwords?

Passwords are often similar to your other passwords

At least one of them can be easily accessed by the administrator of the service

Be prepared for password loss and service recovery

Page 10: Hackers (Not) Halted

Passwords Never Sleep

Page 11: Hackers (Not) Halted

Ignoring Offline Access

I will steal your laptop anyway…

Page 12: Hackers (Not) Halted

Ignoring Offline Access

Offline access allows someone to bypass a system’s security mechanisms

Useful in critical situations

Almost every object that contains information can be read offline

It is a minimal privilege for the person with good intentions

It is a maximum privilege for… everybody else

Simplified offline access is acceptable if you do not value your information

Page 13: Hackers (Not) Halted

Ignoring Access to Your Hardware

Page 14: Hackers (Not) Halted

(Not) Known Data in the Network

Page 15: Hackers (Not) Halted

(Not) Known Data in the Network

Violation of the one well-known rule: Do not allow traffic that you do not know

Most of the protocols have space for data

Why not put the sensitive information there and send it out?

Malicious traffic can be easily connected to the process

It can happen once a month

You need context-based tools: Network Monitor, NetworkMiner, etc.
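The slide’s point that traffic has to be tied to the process that produced it, as an added example that is not part of the deck: every established connection leaving the private ranges is joined to its owning process and binary path, and binaries outside %SystemRoot% / %ProgramFiles% are sorted to the top. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated session.

```powershell
# Added example (not from the slides): attach each outbound established connection to its
# owning process and binary so unknown traffic can be answered with "who sent it".
# Assumes Get-NetTCPConnection is available and the session is elevated; read-only.

$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-PrivateAddress([string]$Ip) {
    # RFC 1918 ranges, loopback and link-local; anything else is treated as leaving the network
    return [bool]($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|fe80:)')
}

$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }   # PID -> process (Path is $null for some system processes)

$context = Get-NetTCPConnection -State Established |
    Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
    ForEach-Object {
        $p    = $procs[[int]$_.OwningProcess]
        $path = if ($p) { $p.Path } else { $null }
        $trusted = $path -and ($trustedRoots |
            Where-Object { $path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
        [pscustomobject]@{
            Remote       = "$($_.RemoteAddress):$($_.RemotePort)"
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = if ($p) { $p.ProcessName } else { '?' }
            Binary       = $path
            OutsideRoots = -not $trusted
        }
    }

# Unknown binaries and binaries outside the trusted roots are the ones to look at first
$context | Sort-Object OutsideRoots -Descending | Format-Table -AutoSize
```

A capture tool such as Network Monitor shows the same process-to-conversation mapping; this script is the quick console version for the case that "happens once a month".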

Page 16: Hackers (Not) Halted

Monitoring Network Traffic

Page 17: Hackers (Not) Halted

(Not) Too Much Control

Page 18: Hackers (Not) Halted

(Not) Too Much Control

Services: when used as a part of software that was not installed in %systemroot% or %programfiles%; installed in a folder with inappropriate ACLs

Permissions: should be audited; should be set up as a part of NTFS, not as a part of shares

BackupRead / BackupWrite: a copy operation that is more important than ACLs; used by backup software
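An audit for the first two points above (services installed outside the system folders, in directories with inappropriate ACLs), as an added example that is not part of the deck: it lists every service whose binary lies outside %SystemRoot% / %ProgramFiles% and flags binaries or folders that Everyone, Users, Authenticated Users or INTERACTIVE may write. It assumes a Windows host and an elevated PowerShell session.

```powershell
# Added example (not from the slides): list services whose binary lives outside
# %SystemRoot% / %ProgramFiles% and flag any that low-privileged principals can modify.
# Assumes a Windows host and an elevated PowerShell session; read-only, changes nothing.

$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

# Principals that should never be able to write a service binary or its folder
$lowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Only write-type bits: Write = WriteData|AppendData|WriteAttributes|WriteExtendedAttributes
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath([string]$PathName) {
    # Strip arguments: a quoted path, or the first token of an unquoted command line
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    $bin = Get-ServiceBinaryPath $svc.PathName
    if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { continue }
    $full = [System.IO.Path]::GetFullPath($bin)
    $inTrustedRoot = $trustedRoots |
        Where-Object { $full.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
    if ($inTrustedRoot) { continue }

    # Which low-privileged principals may write the binary or its containing folder?
    $weakAces = foreach ($target in @($full, (Split-Path -Path $full -Parent))) {
        (Get-Acl -LiteralPath $target).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $lowPrivPrincipals -contains $_.IdentityReference.Value -and
                           (($_.FileSystemRights -band $writeMask) -ne 0) } |
            ForEach-Object { "$target : $($_.IdentityReference) has $($_.FileSystemRights)" }
    }
    [pscustomobject]@{
        Service  = $svc.Name
        RunsAs   = $svc.StartName
        Binary   = $full
        WeakAcls = ($weakAces -join '; ')
    }
}

# Services outside the trusted roots; those with writable-by-low-priv ACEs come first
$findings | Sort-Object { $_.WeakAcls -eq '' } | Format-Table -AutoSize -Wrap
```

A service that runs as LocalSystem from a folder that Users can write is the combination to fix first; the remedy is the NTFS ACL on the folder, not a share permission.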

Page 19: Hackers (Not) Halted

Why (Not) to Use Granularity?

Page 20: Hackers (Not) Halted

Cool and still working (Not)…

Page 21: Hackers (Not) Halted

Using Old Technology

The hacker’s role here is very valuable

It is hard to be up to date with technology

But some of the antiques like NT 4.0 should be thrown on the scrap heap!

Perform periodic revisions

Even old technology requires updates

Sometimes it is not possible (e.g. the LNK vulnerability in Windows 2000)

Page 22: Hackers (Not) Halted

Old Technology a Little Bit Too… Old

Page 23: Hackers (Not) Halted

Trust (Not) One Network Layer

Page 24: Hackers (Not) Halted

1-Layer Encryption

Data Encryption: protects from offline access – stolen laptops, tapes

Transmission Encryption: protects from outsiders testing the network sockets

HTTPS – Man-In-The-Middle

Encryption is problematic for users

Let’s use the lower layer encryption (BitLocker, IPSec)

Encrypt when you can!

Page 25: Hackers (Not) Halted

Easy and Useful Encryption

Page 26: Hackers (Not) Halted

(Not) Signed Software

Page 27: Hackers (Not) Halted

Installing Pirated Software & My Small Research

Installation of software is performed on the administrative account

Malformed installation files are not necessarily recognized by antivirus software

UAC is not the protection method here, as everybody is used to giving the installer high privileges

Keep your toolbox up to date and keep the checksums in a different place

Page 28: Hackers (Not) Halted

Do you check for the file’s signatures before installation?

20 of 20 IT admins said: No…

Page 29: Hackers (Not) Halted

Do you perform periodic security checks of your folder with installation files?

17 of 20 IT admins said: No?
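The two checks the admins in the survey skip, and the "checksums in a different place" advice from the previous slide, as one added example that is not part of the deck: each installer in the folder gets its Authenticode signature checked and its SHA-256 compared against a checksum list kept on separate media. The two paths and the checksum-file format are assumptions.

```powershell
# Added example (not from the slides): before anything from the installer folder is run,
# check its Authenticode signature and compare its SHA-256 with a checksum list kept on
# separate media. Both paths below are placeholders; read-only, installs nothing.

$installerDir = 'D:\Installers'                      # placeholder: folder with installation files
$checksumFile = 'E:\offline-media\installers.sha256' # placeholder: list kept in a different place
# Assumed checksum file format, one installer per line:  <sha256 hex>  <file name>

# Known-good hashes keyed by lower-cased file name
$known = @{}
Get-Content -LiteralPath $checksumFile | ForEach-Object {
    if ($_ -match '^\s*([0-9a-fA-F]{64})\s+(.+?)\s*$') {
        $known[$Matches[2].ToLowerInvariant()] = $Matches[1].ToUpperInvariant()
    }
}

function Test-Installer([System.IO.FileInfo]$File) {
    $sig      = Get-AuthenticodeSignature -FilePath $File.FullName
    $hash     = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
    $expected = $known[$File.Name.ToLowerInvariant()]
    [pscustomobject]@{
        File      = $File.Name
        Signature = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Checksum  = if (-not $expected) { 'NOT IN LIST' } elseif ($hash -eq $expected) { 'OK' } else { 'MISMATCH' }
    }
}

$report = Get-ChildItem -LiteralPath $installerDir -Recurse -File -Include *.exe, *.msi |
    ForEach-Object { Test-Installer $_ }
$report | Format-Table -AutoSize

# Anything that is not both validly signed and on the list does not get installed
$bad = @($report | Where-Object { $_.Signature -ne 'Valid' -or $_.Checksum -ne 'OK' })
if ($bad.Count) { Write-Warning "$($bad.Count) installer(s) failed verification; do not run them." }
```

A valid signature proves who published the file; the checksum list proves it is the copy you vetted, which is why the list has to live somewhere the installer folder’s ACLs do not cover.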

Page 30: Hackers (Not) Halted

Malware Around the Corner

Page 31: Hackers (Not) Halted

What You See Is (Not) What You Get

Page 32: Hackers (Not) Halted

What You See Is NOT What You Get

Explorer.exe is owned by the user

Lack of the NTFS permissions does not mean that somebody cannot access the file

Troubleshooting after the injection is difficult

Rootkits influence the operating system behavior

Conclusion: Always have at least two methods of troubleshooting the same issue

Page 33: Hackers (Not) Halted

Blinded Operating System

Page 34: Hackers (Not) Halted

Too Much Trust In People

Page 35: Hackers (Not) Halted

Too Much Trust in People

The cheapest and most effective attacks are often nontechnical

People tend to take shortcuts

It is hard to control their intentions

They should not be a part of a security chain

Monitor them… and show that you’re doing it

Perform periodic audits of your infrastructure

Page 36: Hackers (Not) Halted

Too Much Trust… (Not)

Page 37: Hackers (Not) Halted

Lack of Documentation

Page 38: Hackers (Not) Halted

Lack of Documentation & Training

Is this really the admin’s sin?

The negative side of this sin is that you need to trust people

Most companies are not prepared for the IT staff going on a… vacation

Set up the rules before creating the solutions

Page 39: Hackers (Not) Halted

Agenda

1. Introduction

2. Cases of Technology (NOT) Working

3. Summary

Page 40: Hackers (Not) Halted

Be Proactive!

Split and rotate tasks between admins

Eliminate at least one of the sins in your organization

Periodically attend trainings and organize them

Audit your environment

Use the legal code

Source: Heard.TypePad.com

Page 41: Hackers (Not) Halted

Areas of Focus

Problem: Too much information to control

Solution: Select areas with high probability of infection

DLLs, Services, Executables, Drivers

This approach works as a first step

Page 42: Hackers (Not) Halted

Dirty Games: Protection Mechanisms

Introduced in Windows Vista

Part of Digital Rights Management

Protection is provided in two ways: an extension to the EPROCESS structure (the ProtectedProcess bit) and a signing policy

Page 43: Hackers (Not) Halted

Protected Processes

Page 44: Hackers (Not) Halted

Hooks

http://www.lukechueh.com/

Allow running our code instead of the system’s

Work on running code

Allow intercepting API calls

Do not require special privileges

Useful for developers… and for the ‘bad guys & girls’

Page 45: Hackers (Not) Halted

Hooking