Sunday, 31 December 2006

Computer Crime, UK Laws

Here in the UK computer crime is covered by The Computer Misuse Act of 1990. You can read the details here.

As of November 2006 an update to this law has been passed that makes it illegal to launch a DoS (Denial of Service) attack within the UK. Details of the update can be found here.

Further interesting details on UK Computer Law can be found by following this link.

The Data Protection Act of 1998 and the Regulation of Investigatory Powers Act 2000 may also be of interest.

"It is not giving children more that spoils them; it is giving them more to avoid confrontation." - John Gray

Pen Testing Methodologies

There are three methodologies that are used by Penetration Testers. The methodology is usually selected by the client depending on their requirements. The three methodologies are:

White Box Model
Black Box Model
Grey Box Model

With the White Box Model the Pen Tester is given details of the technology in use by the company, the network topology etc. and given permission to interview and liaise with the employees and IT staff.

The Black Box Model is the exact opposite: the tester is usually given no information other than the name of the company, and the staff of the company are not even told that the Pen Tests are being conducted.

The Grey Box Model is a hybrid of the two previous models: some information will be given to the Pen Tester, but not a lot. What information is given will depend on the client.

"So, let us not be blind to our differences - but let us also direct attention to our common interests and to the means by which those differences can be resolved." - John F Kennedy

Friday, 22 December 2006

OOP Classes and Inheritance

A Class is a user defined reference type that encapsulates data and is controlled through programming constructs called Properties, Constructors, Methods and Events. The Class encapsulates data such as Constants and Fields.

To work with a Class you create an *Instance* of a Class called an *Object*. An Object can be thought of as a ‘live’, ‘active’ version of a Class. A Class can effectively be thought of as the blueprint of an Object.

Generally you work with members of the Object (Methods, Events etc.); you can however work with some members of the Class itself, and these are called Static Members.

From the one Class many Objects can be created; each is totally self contained and has its own values. The members of an object are:
        Properties
        Methods
        Fields
        Events

The members are stored on the *Heap*, and a pointer within the Object contains a *Reference*: the memory location of that particular piece of data.

Inheritance allows you to create a new Class using an existing Class as a template. The inherited Class is called the Derived Class and the original Class is called the Base Class. The Derived Class can then be extended to include additional functionality that was not available within the Base Class.

Inheritance is one of the cornerstones of Object Oriented Programming.
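The ideas above (a Class as a blueprint, Objects with their own values, Static Members on the Class itself, and a Derived Class extending a Base Class), as an added example in Python rather than code from the original post. Python uses `property`, `classmethod` and plain attributes where C#-style languages use Properties, Static Members and Fields; the Account and AuditedAccount classes and their figures are constructed for illustration.

```python
# Added example (not from the original post): Class, Object, Static Member and
# Inheritance in Python. Account and AuditedAccount are constructed for illustration.

class Account:
    """Base Class: the blueprint from which every Account Object is created."""

    # Static Members: they belong to the Class and are shared by every Object.
    instances_created = 0
    MAX_DEPOSIT = 10_000.0          # a Constant encapsulated in the Class

    def __init__(self, username, balance=0.0):
        # Fields: every Object gets its own copies holding its own values.
        self._username = username
        self._balance = balance
        # Events: callbacks invoked whenever the balance changes.
        self._on_change = []
        Account.instances_created += 1

    # Properties: controlled read access to the underlying Fields.
    @property
    def username(self):
        return self._username

    @property
    def balance(self):
        return self._balance

    def subscribe(self, callback):
        """Register an Event handler called as callback(account, amount)."""
        self._on_change.append(callback)

    # Method: behaviour that operates on this Object's own data.
    def deposit(self, amount):
        if amount <= 0 or amount > Account.MAX_DEPOSIT:
            raise ValueError("deposit must be positive and within MAX_DEPOSIT")
        self._balance += amount
        for callback in self._on_change:
            callback(self, amount)
        return self._balance

    # A Static Member accessed through the Class rather than an Object.
    @classmethod
    def count(cls):
        return cls.instances_created


class AuditedAccount(Account):
    """Derived Class: everything Account has, plus an audit trail."""

    def __init__(self, username, balance=0.0):
        super().__init__(username, balance)   # reuse the Base Class constructor
        self.audit_log = []                   # an additional Field the Base Class lacks

    def deposit(self, amount):
        # Extend the inherited Method while still running the base behaviour.
        new_balance = super().deposit(amount)
        self.audit_log.append(("deposit", amount, new_balance))
        return new_balance


def demo():
    """Create several Objects from one Class; each keeps its own values."""
    a = Account("alice", 10.0)
    b = AuditedAccount("bob")
    seen = []
    b.subscribe(lambda acct, amt: seen.append((acct.username, amt)))
    a.deposit(5.0)
    b.deposit(20.0)
    return {
        "a_balance": a.balance,
        "b_balance": b.balance,
        "b_audit": list(b.audit_log),
        "events": seen,
        "is_account": isinstance(b, Account),   # a Derived Object is still an Account
        "created": Account.count(),
    }


if __name__ == "__main__":
    print(demo())
```

Note that `b.deposit()` runs the overridden Method in the Derived Class, which calls back into the Base Class version, so the Event handlers registered on the Base Class still fire.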

"The shoe that fits one person pinches another; there is no recipe for living that suits all cases." - Carl Jung

Friday, 15 December 2006

SSCP: Quantitative Risk Analysis

Here are some terms and calculations for Quantitative Risk Analysis as used with the Risk, Response and Recovery Domain of the SSCP CBK.

EXPOSURE FACTOR
(EF)
(% Percentage)
Harm or Loss by Presumed Successful Attack/Threat

SINGLE LOSS EXPECTANCY
(SLE)
(£ Monetary Value)
ASSET VALUE * EF

ANNUAL RATE OF OCCURRENCE
(ARO)
(Probability)
Probability of Risk, 1.0 = Guaranteed to Happen

ANNUAL LOSS EXPECTANCY
(ALE)
(£ Monetary Value)
ALE = ARO*SLE

RETURN ON INVESTMENT
(ROI)
(*100 = ROI %)
Annualised Cost of Countermeasures (Risk Mitigation) / ALE
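The five terms above as small functions with a worked scenario, added here as an example rather than taken from the original post. EF is handled as a fraction (0.25 for 25%), ALE is ARO times SLE, and the ROI figure is implemented exactly as the post defines it (annualised countermeasure cost divided by ALE, times 100). The asset value, EF, ARO and countermeasure cost in the scenario are constructed.

```python
# Added example (not from the original post): the SSCP quantitative risk formulas
# listed above, with validation and a constructed worked scenario.

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = Asset Value * EF. EF is a fraction in [0, 1], e.g. 0.25 for 25%."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be expressed as a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(aro, sle):
    """ALE = ARO * SLE. ARO of 1.0 means the event is expected once a year;
    0.1 means once in ten years; values above 1.0 mean several times a year."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return aro * sle


def roi_percent_as_defined(annual_countermeasure_cost, ale):
    """The post's ROI figure: (annualised countermeasure cost / ALE) * 100,
    implemented as stated. A figure well under 100 means the countermeasure
    costs less per year than the loss it is meant to prevent."""
    if ale == 0:
        raise ZeroDivisionError("ALE is zero: there is no expected loss to compare against")
    return 100.0 * annual_countermeasure_cost / ale


def risk_profile(asset_value, exposure_factor, aro, annual_countermeasure_cost):
    """Chain the formulas together for one asset/threat pair."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale = annual_loss_expectancy(aro, sle)
    return {
        "SLE": sle,
        "ALE": ale,
        "ROI_percent": roi_percent_as_defined(annual_countermeasure_cost, ale),
    }


# Constructed scenario: a 200,000 file server, an incident that would destroy 25%
# of its value, expected once every two years (ARO 0.5), and a backup solution
# costing 8,000 a year.
EXAMPLE = risk_profile(asset_value=200_000, exposure_factor=0.25, aro=0.5,
                       annual_countermeasure_cost=8_000)

if __name__ == "__main__":
    for term, value in EXAMPLE.items():
        print(f"{term}: {value:,.2f}")
```

With those figures SLE is 50,000, ALE is 25,000 and the ROI figure is 32%; the validation on EF catches the common mistake of passing a percentage such as 25 instead of 0.25.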

"The best way to keep one's word is not to give it." - Napoleon Bonaparte

Tuesday, 12 December 2006

Some Notes on IP Addressing ...

I have cobbled together these notes that explain some of the finer points regarding IP Addressing.

IP Addresses

An IP Address is split into a Network Portion and a Host Portion

Host Numbers cannot be Zero or 255. All Zeros in the Host Area refers to the network itself: 54.0.0.0. All Host bits to 255 is the Broadcast Address. For Network 203.176 the Broadcast Address is 203.176.255.255.

A Class A Network allows 16,777,216 Hosts
A Class B Network allows 16,384 Hosts
A Class C Network allows 254 Hosts

Looking at the first octet of the 32 bit address you can determine what class of address it is: A value of 126 or less means that you are looking at a Class A address, 127 is the loopback address, 128 through 191 is a Class B address and 192 through 223 is a Class C address. Numbers above 223 are reserved.

The chart below shows this in an easily digestible format:

  1 to 126   Class A
128 to 191   Class B
192 to 223   Class C

RFC 1918 gives the address range 192.168.XXX.XXX as available to anybody to use for private LAN networking. In addition the 10.XXX.XXX.XXX network and 172.16.XXX.XXX networks are also available for private use. These addresses will not work on the internet as they are non routable.

Subnet Masks:

255.0.0.0 Class A
255.255.0.0 Class B
255.255.255.0 Class C


Classless Inter-Domain Routing (CIDR)

CIDR Networks are described as Slash X Networks. X is the number of bits in the IP Address range that ICANN controls; you get what's left. For example a Class C is known as a Slash 24 Network, since ICANN has the left-most 24 Bits and you have the right-most 8 Bits. See the examples below:

          ICANN Subnet Mask
Slash 8   255.0.0.0
Slash 16  255.255.0.0
Slash 24  255.255.255.0
Slash 28  255.255.255.248
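The classful rules, the RFC 1918 ranges and the Slash X masks above, worked through in code. This is an added example using Python's standard `ipaddress` module, not code from the original post. Everything is derived from the address bits rather than typed in, which makes it a handy check on hand-written tables: counting bits gives 255.255.255.240 (16 addresses) for a /28 and 255.255.255.248 for a /29, and the middle RFC 1918 block is 172.16.0.0/12, covering 172.16.x.x through 172.31.x.x.

```python
# Added example (not from the original post): classful address rules, RFC 1918
# private ranges and CIDR masks, all computed from the 32-bit address.
import ipaddress

# RFC 1918 private ranges; the middle block is 172.16.0.0/12 (172.16.x.x - 172.31.x.x).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}   # default network size per class


def address_class(addr):
    """Classify by the first octet, as in the chart above."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first == 0:
        return "reserved"
    if first == 127:
        return "loopback"
    if first <= 126:
        return "A"
    if first <= 191:
        return "B"
    if first <= 223:
        return "C"
    return "reserved"          # 224 and above


def classful_network(addr):
    """Network address (host bits all zero) and broadcast address (host bits all one)
    implied by the address class."""
    cls = address_class(addr)
    if cls not in CLASS_PREFIX:
        raise ValueError(f"{addr} has no classful network ({cls})")
    net = ipaddress.ip_network(f"{addr}/{CLASS_PREFIX[cls]}", strict=False)
    return str(net.network_address), str(net.broadcast_address)


def slash_to_mask(prefix_len):
    """Subnet mask for a /X network: the left-most X bits set to one."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    mask_int = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def usable_hosts(prefix_len):
    """Host addresses left once the all-zeros and all-ones addresses are excluded."""
    host_bits = 32 - prefix_len
    return max(2 ** host_bits - 2, 0)


def is_private(addr):
    """True if the address falls in any RFC 1918 range (not routable on the Internet)."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


if __name__ == "__main__":
    for a in ["54.10.20.30", "150.1.1.1", "203.176.4.5", "127.0.0.1"]:
        print(a, address_class(a), is_private(a))
    for bits in [8, 16, 24, 28, 29]:
        print(f"/{bits}", slash_to_mask(bits), usable_hosts(bits), "hosts")
```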

"Do not trust all men, but trust men of worth; the former course is silly, the latter a mark of prudence." - Democritus

Monday, 11 December 2006

Securing the Network: 14

Securing The Network
The Final Post on Corporate Security Issues for the Non Technical

This post covers:
                Employee Education
                Security Testing
                Summary

Employee Education
Good security is impossible to implement without the cooperation of the users and employees.

To this end investment in security training and briefings is likely to pay dividends. Posters should be placed around the working area highlighting key information relating to security threats and reminding users of their responsibilities.

Security cannot be delegated to one department and each and every user should understand that they have a part to play. Training and education for the users in basic security threats should be mandatory.

A lot of excellent material including leaflets and posters are available from the Department of Trade and Industry (DTI) website.

Security Testing
To ensure that your security policies are enforced it will be necessary to implement Security Testing. Security Testing can be carried out in any and all of the following ways:

Drills
Penetration Testing
Query Employees
Review the Procedures

In many cases the only way to adequately test your security is through the use of a third-party company.

Summary
In this series of posts I have attempted to explain many of the Network Security concepts in layman’s terms, and to cover the majority of relevant topics.

I hope the information presented in this series of posts is of benefit to someone.

"If you can find a path with no obstacles, it probably doesn't lead anywhere." - Frank A Clark

Sunday, 10 December 2006

Securing the Network: 13

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                Disposal and Destruction
                Employee Exit Procedures

Disposal and Destruction
It is a little known fact that even following a format, data can be recovered from your computer's hard disk by a determined hacker. This makes it essential that when disposing of old computers, unless you physically destroy them, you must go to some lengths to make sure that the data that was contained on the computer cannot be recovered.

There are various methods that can be used to securely wipe the data from a hard disk. It is important that you select a method that offers the level of protection you require and then use it. Always.

Employee Exit Procedures
When an employee leaves the company, or announces their intention to leave, this should trigger a sequence of documented events that are related to the job they do or did. For example the series of steps to be taken when the IT Manager leaves are different to the series of steps to be taken when a Production Operative leaves.

This series of steps should incorporate the removal of their access card, token, key or any other device they have that can be used to gain physical access to your premises.

Their access to the computer network via remote means should also be removed and any access to confidential data prior to their departure should be logged.

Each and every employee should have an exit interview where their responsibilities to the company are discussed as are any restrictions that are placed upon them contractually.

"You're only given a little spark of madness. You mustn't lose it." - Robin Williams

Securing the Network: 12

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                Social Engineering
                Disaster Recovery and Business Continuity

Social Engineering

‘The art and science of getting people to comply to your wishes’ (Source: Bernz 2), ‘an outside hacker’s use of psychological tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to the system’ (Source: Palumbo), or ‘getting needed information (for example, a password) from a person rather than breaking into a system’ (Source: Berg).

In reality, social engineering can be any and all of these things, depending upon where you sit. The one thing that everyone seems to agree upon is that social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system. (Source: Sarah Granger)

Social Engineering is probably one of the biggest threats we face in security and the one we can protect against the least. We have to rely on our employees to question and be vigilant. To do that we need to make them aware of security and the issues surrounding it. See the section on Employee Education.

Reverse Social Engineering.
This is where the attacker assumes a position of authority and gets the victim to freely offer information and ask advice. This requires a high level of skill, preparation and research.

Disaster Recovery and Business Continuity

A Disaster Recovery and Business Continuity plan is essential. If the worst happens you want to be able to refer to a document that covers the steps to take to enable you to be back up and running without delay.

The scope of DR and BC could encompass everything from a server crashing and data being lost, to the building going up in flames.

Many companies have a ‘cold’, ‘warm’ or ‘hot’ site standing by to be used in the eventuality of the main place of work being destroyed through fire, flood, terrorist activity or something similar.

A Cold Site generally refers to an empty building, a Warm Site refers to a building with maybe desks and networking and a Hot Site refers to a building that is fully fitted with everything including computer systems, ready to have the backups loaded and be up and running in a very short space of time.


Definitions

Disaster Recovery Plan: Provides procedures for recovering from a disaster after it occurs and also documents how to return the normal IT functions back to the business.

Business Recovery Plan: Addresses how business functions will resume after a disaster, preferably at an alternate site.

Business Resumption Plan: This addresses how critical systems and the functions of the business will be maintained.

Contingency Plan: This addresses what actions can be performed with regard to the normal business activities after a disaster.

"Live neither in the past nor in the future, but let each day's work absorb your entire energies, and satisfy your widest ambition." - Sir William Osler

Wednesday, 6 December 2006

Securing the Network: 11

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                IDS (Intrusion Detection Systems)
                Encryption

IDS (Intrusion Detection Systems)

ID stands for Intrusion Detection, which is the art of detecting inappropriate, incorrect, or anomalous activity. ID systems that operate on a host to detect malicious activity on that host are called host-based ID systems, and ID systems that operate on network data flows are called network-based ID systems.

Sometimes, a distinction is made between misuse and intrusion detection. The term intrusion is used to describe attacks from the outside, whereas, misuse is used to describe an attack that originates from the internal network. However, most people don't draw such distinctions.

The most common approaches to ID are statistical anomaly detection and pattern-matching detection.

Intrusion Prevention Systems
Quite often discussed in the same context are IPS (Intrusion Prevention Systems). Intrusion prevention systems were invented in the late 1990s to resolve ambiguities in passive network monitoring by placing detection systems in-line. A considerable improvement upon firewall technologies, IPS make access control decisions based on application content, rather than IP address or ports as traditional firewalls had done. As IPS systems were originally a literal extension of Intrusion Detection Systems, they continue to be related.

An IPS is very similar to an Application Layer Firewall.
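The two detection approaches named above, pattern-matching (signature) detection and statistical anomaly detection, run side by side over a handful of constructed web-server log lines. This is an added example and not code from the original post; the log lines, the two signatures and the error-rate threshold are all made up for illustration, and a real deployment would tune the threshold against its own normal traffic.

```python
# Added example (not from the original post): signature-based and anomaly-based
# detection over constructed log lines in the common web-server log format.
import re
from collections import Counter, defaultdict

# Constructed sample traffic (not real). One client browses normally, one sends two
# requests that match known bad shapes, one produces a burst of errors.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2006:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [11/Dec/2006:09:00:03 +0000] "GET /about.html HTTP/1.1" 200 734
10.0.0.9 - - [11/Dec/2006:09:00:04 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [11/Dec/2006:09:00:05 +0000] "GET /login?user=admin'%20OR%201=1-- HTTP/1.1" 200 88
10.0.0.7 - - [11/Dec/2006:09:00:06 +0000] "GET /a HTTP/1.1" 404 0
10.0.0.7 - - [11/Dec/2006:09:00:06 +0000] "GET /b HTTP/1.1" 404 0
10.0.0.7 - - [11/Dec/2006:09:00:06 +0000] "GET /c HTTP/1.1" 404 0
10.0.0.7 - - [11/Dec/2006:09:00:06 +0000] "GET /d HTTP/1.1" 404 0
10.0.0.7 - - [11/Dec/2006:09:00:07 +0000] "GET /e HTTP/1.1" 404 0
10.0.0.7 - - [11/Dec/2006:09:00:07 +0000] "GET /f HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Pattern-matching detection: a name and a regular expression applied to the request
# path. It only finds shapes it has a rule for, but produces precise, explainable alerts.
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection probe": re.compile(r"(%27|')\s*(%20|\s)*or(%20|\s)+1=1", re.IGNORECASE),
}


def parse(log_text):
    """Turn log lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def signature_alerts(events):
    """One alert per (source, signature) hit."""
    alerts = []
    for e in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(e["path"]):
                alerts.append((e["ip"], name, e["path"]))
    return alerts


def anomaly_alerts(events, max_errors_per_second=3):
    """Statistical anomaly detection: flag any source whose 4xx/5xx responses in a
    single second exceed the baseline. Needs no knowledge of particular attacks, but
    the threshold must reflect what normal traffic looks like or it will cry wolf."""
    errors = defaultdict(Counter)          # ip -> Counter(timestamp -> error count)
    for e in events:
        if e["status"].startswith(("4", "5")):
            errors[e["ip"]][e["ts"]] += 1
    alerts = []
    for ip, per_second in errors.items():
        worst_ts, count = per_second.most_common(1)[0]
        if count > max_errors_per_second:
            alerts.append((ip, "error burst", f"{count} errors at {worst_ts}"))
    return alerts


def run(log_text=SAMPLE_LOG):
    events = parse(log_text)
    return {"signature": signature_alerts(events), "anomaly": anomaly_alerts(events)}


if __name__ == "__main__":
    for kind, found in run().items():
        print(kind, found)
```

The two approaches catch different things here: the signatures flag 10.0.0.9's two requests by their content, while the error-burst rule flags 10.0.0.7 purely from its behaviour, even though none of its individual requests looks suspicious.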

Encryption
IPSec
IPSec (IP Security) is based on the concept of a shared secret. The encoding and decoding of the information can only be done if the two devices share a piece of key information. This means that the data can be captured but not understood unless the third party shares the secret.

IPSec was designed to support the secure exchange of packets at the IP Layer. IPSec supports two modes of operation, Transport and Tunnel. Tunnel is the most secure and is the one we are most likely to be familiar with as it is widely used in the VPN (Virtual Private Network) domain.

The primary protocol used by IPSec for exchanging the secret is called Internet Key Exchange (IKE). Most of the IKE exchange process is based on a mechanism called OAKLEY, which works with assorted key exchange modes. Another similar mechanism also used by IKE is SKEME, which supplies IKE with its method of Public Key Encryption and its fast re-keying facility.

RSA
RSA was developed by three mathematicians, Ron Rivest, Adi Shamir and Leonard Adleman. This system uses a Public and a Private Key. It is probably the most popular method for Public Key Encryption, and digital signatures, in use today.
RC4
RC4 was also invented by Ron Rivest and is used in certain commercial systems such as Netscape and Lotus Notes. It has a bit size of 2048 which makes it a fast and strong cypher.
AES
AES (Advanced Encryption Standard) is a block cipher that has been adopted by the US Government. Two Belgian cryptographers, Joan Daemen and Vincent Rijmen, developed AES as Rijndael. AES is fast in both software and hardware, is relatively easy to implement, and requires little memory. As a new encryption standard, it is currently being deployed on a large scale.

In June 2003, the US Government announced that AES may be used for classified information:
"The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use."

"You can't turn back the clock. But you can wind it up again." - Bonnie Prudden

Saturday, 2 December 2006

Securing the Network: 10

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                Malware
                Pod Slurping
                Instant Messaging

Malware
Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a blend of the words ‘malicious’ and ‘software’. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Many normal computer users are however still unfamiliar with the term, and most never use it. Instead, ‘Virus’ is used in common parlance and often in the general media to describe all kinds of Malware.

Software is considered Malware based on the perceived intent of the creator rather than any particular features. It includes computer Viruses, Worms, Trojan horses, Spyware, Adware, and other malicious and unwanted software.

(Source: WikiPedia)

Pod Slurping
The most popular MP3 player, the Apple iPod, has sold 60 Million units since 2001. In addition to the iPod there are many different and competing products in the portable music player space.

From a security standpoint the one thing they have in common is the ability to be plugged into a computer and copy huge amounts of data, (possibly confidential data) onto the device in a matter of a few minutes. This can be done very discreetly and easily.

A common misconception is that if the outside perimeter of your network is secured, with Firewalls and Routers, then your network is safe. Very little thought is given to the security of computers and data inside the perimeter and yet around 50% of all security breaches occur from inside the corporate firewall.

This is a very real problem, with no easy solution. If you are in charge of security for your organisation then it’s a problem you will want to address as it will not go away. These portable devices are getting smaller and their capacity is increasing.

Instant Messaging
Instant Messaging, using tools such as MSN Messenger, Windows Live Messenger, Skype, AOL IM and ICQ, has become a standard application for many of us. It does however have its risks.

It is important that a policy is in place that covers the use of Instant Messaging within your organisation, a policy that should be rigorously enforced by the IT Department.

Content sent to your employees via IM tools completely bypasses your perimeter network defences and, given how little most people know about these matters, poses a very real threat.

"He who promises more than he is able to perform, is false to himself; and he who does not perform what he has promised, is a traitor to his friend." - George Shelley

Friday, 1 December 2006

Securing the Network: 9

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                Penetration Testing

Penetration Testing is an attempt to break the security of a computer system or network, under instruction from the owners or maintainers of that facility. It is an attempt to simulate an attempted break in by a computer savvy criminal. A Penetration Test gives a snapshot of the security at a moment in time, and is not a full security audit.

If a criminal attempts to breach your computer network they will generally follow a sequence of five steps:
        Reconnaissance
        Scanning
        Gain Access
        Maintain Access
        Cover Tracks

It therefore makes sense that a Penetration Test follows a similar, although obviously not identical, sequence of events.

Planning and Preparation
This stage involves a meeting between the Penetration Tester and the Client. Key areas to be covered are: Scope, Objective, Timing and Duration. In addition documents must be signed to cover the Penetration Tester and the Client, generally in the form of a Non Disclosure Agreement (NDA).

Information Gathering and Analysis
This next stage involves the Penetration Tester finding as much information as possible about the company he will be asked to target. His first stop will probably be the company's own website; from there he may consult services such as www.netcraft.com. The information he is looking for is Domain Names, Server Names, ISP Information, Host Addresses and anything else that will help him build a picture of the target. The second part of this process involves Port Scanning and OS (Operating System) Fingerprinting.

Vulnerability Detection
If Stage 2 has been successful then the Penetration Tester now has all the information he needs to make the decision as to what hosts to target, and with what vulnerabilities. Some techniques he may use at this stage include Password Cracking, SQL Injection, Rootkit, Social Engineering and Physical Security.

Analysis and Reporting
This is where the Penetration Tester reports back to his Client. The information he is going to present to the client, includes the following:
        An Overview of the work done
        Detailed Analysis of all Vulnerabilities
        Summary of Successful Penetration Attempts
        Suggestions for the next step

Finish Up
This is where the Penetration Tester makes sure that anything he has done in the course of his work will have no effect when he has finished. For example he will remove any backdoors and additional user accounts that he has created, leaving the system how he found it.

The above is a quick overview only of the procedures that may be followed by a Penetration Tester while undertaking their assignment.

"There are no secrets to success. It is the result of preparation, hard work, and learning from failure." - Colin Powell

Thursday, 30 November 2006

Securing the Network: 8

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                Auditing
                Separation of Duties

Auditing
It is important that part of your security initiative involves auditing your systems. A lot of important information is contained in logs that are scattered around your servers and devices.

It is necessary to look at what devices produce logs that are important and need regular monitoring, and then ensure that you do monitor them. It will be beneficial to introduce some mechanism so that the logs are sent to you on a regular basis, rather than you having to go and get them each time.

You should set up a document that details all your important logs along with the schedule for checking and auditing them.

Separation of Duties
An important part of corporate security is Separation of Duties. This basically means that no one individual should be able to control a process from beginning to end.

Separation of Duties allows for checks to be made by a different individual which helps eliminate mistakes and minimises the risks of fraud.

"How much easier it is to be critical than to be correct." - Benjamin Disraeli

Wednesday, 29 November 2006

Securing the Network: 7

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                Workstations
                Laptops / Portable Devices

Workstations
Employee workstations can be the most difficult device to secure properly. For a start the employee has unrestricted physical access to the computer and (hopefully) restricted access to the network.

As much data and information as possible should actually be stored on the server with limited facilities for the employee to download and copy the data via his computer.

Ideally technologies such as server based profiles, Active Directory, Terminal Services and SMS (Systems Management Server) should be used to lock down employee access as much as possible without restricting them to the point of severe inconvenience.

Features of the operating system that the user does not need on a day to day basis, such as access to the Command Prompt on Windows, should be locked down and access restricted.

Users should never logon to their computers with the Administrator or Root account. See the sub-section on Least Privilege.

Laptops / Portable Devices
Data that is installed on a device that is going to be used in the field must be encrypted. Under Windows a superb solution is TrueCrypt.

TrueCrypt allows you to set up a ‘container’ whose contents are heavily encrypted; an encryption key must be entered every time the computer is turned on. This ensures that if the device is lost, your data will remain secure.

"What we say is important for in most cases the mouth speaks what the heart is full of." - Jim Beggs

Security Primer: Authentication

Authentication
Authentication is the act of confirming that someone is who they say they are. From the perspective of computer or network security, the device needs to be able to cross reference the data that is input against the data that is expected in order to be able to allow access to controlled resources.

Authentication comes before, and is different to, Authorisation. Once you are authenticated with a system, you can then be Authorised to access agreed system resources. Access criteria are the crux of Authorisation.

There are generally thought to be three ways to authenticate:

        Something a person knows
        Something a person has
        Something a person is


Something a person knows:
Password, Pass Phrase or PIN etc.

Something a person has:
ID Card, Security Token, Mobile Phone Etc.

Something a person is:
Fingerprint, DNA, Retina Scan, Voice Scan Etc.
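Authentication followed by Authorisation as two separate steps, as an added example that is not part of the original post. It uses only Python's standard library: the "something a person knows" check is a salted PBKDF2 password hash compared in constant time, and the access criteria are a role-to-action table. The user records, roles and passwords are constructed for illustration.

```python
# Added example (not from the original post): authentication first, then
# authorisation decided from the user's role. Users, roles and passwords are constructed.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000


def make_credential(password):
    """Store a salted PBKDF2-SHA256 hash of the password, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def authenticate(users, username, password):
    """'Something a person knows': True only if the password matches the stored hash.
    Unknown usernames go through the same hashing work so that response time does
    not reveal whether an account exists."""
    record = users.get(username)
    salt = record["salt"] if record else b"\x00" * 16
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    if record is None:
        return False
    return hmac.compare_digest(digest, record["hash"])


# Constructed access criteria: which role may perform which action.
PERMISSIONS = {
    "payroll": {"view_payroll", "edit_payroll", "view_own_record"},
    "staff":   {"view_own_record"},
}


def authorise(roles, username, action):
    """Authorisation is decided from the role, never from the password."""
    return action in PERMISSIONS.get(roles.get(username, ""), set())


def access(users, roles, username, password, action):
    """Only an authenticated user ever reaches the authorisation check."""
    if not authenticate(users, username, password):
        return "denied: authentication failed"
    if not authorise(roles, username, action):
        return "denied: not authorised"
    return "granted"


# Constructed directory: two users with different roles and constructed passwords.
USERS = {
    "alice": make_credential("correct horse battery staple"),
    "bob": make_credential("hunter2!2006"),
}
ROLES = {"alice": "payroll", "bob": "staff"}


if __name__ == "__main__":
    print(access(USERS, ROLES, "alice", "correct horse battery staple", "edit_payroll"))
    print(access(USERS, ROLES, "bob", "hunter2!2006", "edit_payroll"))
    print(access(USERS, ROLES, "bob", "wrong", "view_own_record"))
```

The two denial messages show the order of the checks: a wrong password never reaches the role lookup, and a correct password for a user whose role lacks the action is refused at the second step.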

"Know the true value of time; snatch, seize, and enjoy every moment of it. No idleness; no laziness; no procrastination; never put off till tomorrow what you can do today." - Lord Chesterfield

Sunday, 26 November 2006

Securing the Network: 6

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                Wireless Networks

Wireless Networks
Wireless networks are a major potential security breach. The following are some ideas on what you can do to minimize your exposure.

Change Your SSID
An SSID is the public name of your wireless network. SSID stands for Service Set IDentifier. Many people leave this set to the factory default, which may be LINKSYS or 3COM or similar. Change the SSID to something that describes your own network; this will at least ensure that people do not accidentally connect to your network instead of their own.

TECH NOTE: AP (Access Point): This is the transmitter/receiver which connects your wireless network to your LAN (Local Area Network).

Turn off the Access Point Beacon
When you have set up your wireless network there is no further need for your AP to transmit its beacon, which basically says ‘I AM LINKSYS. I AM HERE’. So within the administration software or webpage that you use to administer your AP, turn off the beacon. This will make your wireless network invisible to somebody who is just scouting around. If they know you have a network already, or if they know the SSID, they can still see and/or connect to you.

Restrict Access to specific MAC Addresses
Each network card within a computer contains a MAC Address that is (to all intents and purposes) unique. With some APs you can restrict access to your wireless network to computers with a known MAC Address. The procedures differ for each AP and some do not even support this, but if your AP does support it, it is worth pursuing. This assumes that you do not regularly have new computers needing to connect to your network. Also be aware that valid MAC Addresses can be sniffed from your network and the attacker can spoof his MAC Address so that it looks like yours ...

TECH NOTE: MAC (Media Access Control) Address: This is a unique identifier attached to most sorts of networking equipment and consists of two parts: the first part relates to the manufacturer of the device and the second part is a serial number.
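A small parser for the MAC Address format described in the tech note, added here as an example rather than taken from the original post. It accepts the common written forms, splits the manufacturer part (the OUI, the first 24 bits) from the serial part, checks an address against the kind of allow list an AP keeps, and flags addresses whose "locally administered" bit is set, meaning the address was assigned by software rather than burned in by the manufacturer, which is worth noticing on a network that expects factory addresses. The OUI-to-vendor table and the allow list are constructed.

```python
# Added example (not from the original post): MAC address normalisation, OUI/serial
# split and an allow-list check. The vendor table and allow list are constructed.
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(text):
    """Accept 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e, 001a.2b3c.4d5e or 12 bare hex
    digits; return the lower-case 12-digit form used as the canonical key."""
    digits = re.sub(r"[:\-.]", "", text.strip().lower())
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def split_mac(text):
    """First 24 bits identify the manufacturer (the OUI); the remaining 24 bits are
    the per-device serial that manufacturer assigned."""
    mac = normalise_mac(text)
    return mac[:6], mac[6:]


def is_locally_administered(text):
    """Bit 1 of the first octet set means the address was assigned locally by
    software rather than by the manufacturer."""
    first_octet = int(normalise_mac(text)[:2], 16)
    return bool(first_octet & 0x02)


# Constructed: a tiny OUI lookup and the allow list an AP administrator might keep.
OUI_VENDORS = {"001a2b": "ExampleVendor (constructed)"}
ALLOWED = {normalise_mac(m) for m in ["00:1A:2B:3C:4D:5E", "00-1a-2b-00-11-22"]}


def check_client(text, allowed=ALLOWED):
    """Report whether a client MAC is on the allow list, plus anything odd about it."""
    mac = normalise_mac(text)
    oui, _serial = split_mac(mac)
    return {
        "mac": mac,
        "vendor": OUI_VENDORS.get(oui, "unknown"),
        "allowed": mac in allowed,
        "locally_administered": is_locally_administered(mac),
    }


if __name__ == "__main__":
    for client in ["00:1a:2b:3c:4d:5e", "001a.2b00.1122", "02:00:00:00:00:01"]:
        print(check_client(client))
```

Normalising before comparison matters: the same address written with colons, dashes or Cisco-style dots must compare equal, or a legitimate client will be refused for a formatting difference.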

Change the Admin Password on your Access Point
This one goes without saying.

Implement Encryption
At a minimum, enable WEP. However if possible WPA should be set up and used. Use the maximum encryption length.

TECH NOTE: WEP (Wired Equivalent Privacy)
TECH NOTE: WPA (Wi-Fi Protected Access)


"Nature magically suits a man to his fortunes, by making them the fruit of his character." - Ralph Waldo Emerson

Friday, 24 November 2006

Securing the Network: 5

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                Servers
                Service Packs / Updates
                
Servers
If somebody has physical access to your servers then all further security is completely compromised. Your servers should be located in a secure location, i.e. safe from theft, tampering, fire and flood and ideally accessed only remotely using tools such as Remote Desktop and VNC.

TECH NOTE: VNC (Virtual Network Computing): This is a desktop sharing system ideal for use when attempting to administer a computer that is located inconveniently.


Service Packs / Updates
As with anything else concerning security, the installation of Service Packs and Updates is a compromise.

Install them quickly when released and you may secure your servers from a current threat, however if you have not had time to test the updates then they may cause serious problems on your systems.

Personally I lean towards installing them quickly on machines that may be exposed to the external threat and taking my time on machines that are unlikely to be threatened.

"When you play, play hard; when you work, don't play at all." - Theodore Roosevelt

Thursday, 23 November 2006

New Addition to My Collection !

Well, I didn’t realize that I had a collection of watches until my wife asked me to count them before deciding whether I *really* needed another one ... when the count surpassed a dozen I decided that I was in fact a collector, which means I have a need to add to my collection ...

This one is an MTM Blackhawk and it arrived today. This is an excellent watch. It’s solid, heavy and virtually indestructible, if you need a tough watch for outdoor use, I doubt this can be beaten. Here’s a picture.

I purchased the watch from nightgear.co.uk and received it the following day, how’s that for service !

Here’s some information I found that describes the background:

The US Special Forces wanted a new watch (one that was more rugged and reliable) about 18 years ago. They approached a company in California (MTM) and asked them to design a sort of Swiss Army Knife watch.

Over the next two years the company spent some time talking to NASA and MIT (Mass' Institute of Technology). Together they came up with a watch that would be one of the most accurate watches in the world.

They did all sorts of searches and tests to find the best materials for it (carbon fibre, diamond hardened quartz glass etc). The battery electro-magnetic recharging system originally existed as something developed for NASA (meant you could generate more efficient electricity in space via spacial object discharges). MIT played with it and got it into a stand which recharges the battery.

The way they designed the shielding around the battery meant that it would survive an EMP (electro-magnetic pulse) such as can be caused by a nuclear explosion or an EMP generator. This meant that the watches became virtually indestructible. They are water resistant to 300m. They can resist pressures of up to 15 atmospheres (which would have killed a human after about two and a half seconds).

They were issued (officially) to the Special Forces (Delta Force, Army Rangers, SWAT Teams, Navy Seals). After a year the civilian forces (FBI, DEA and CIA) wanted them and about six months after that the Army, Navy and USAF ordered them.

The British got hold of them a while ago and the SAS and SBS got them. Several Army, Navy and RAF officers got hold of them and they spread. Even the Israeli Mossad use them now, along with the British MI5 and MI6 Intelligence Agencies.

I just need to see whether it is tough enough to survive the average day in my IT Department ...

"Help others get ahead. You will always stand taller with someone else on your shoulders." - Bob Moawad

Securing the Network: 4

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                Routers
                The Administrator Account
                Resources

Routers
Your internet router should be set up so that it does not answer ICMP echo requests (pings) from the Internet, i.e. disallow external pings. Drop echo requests only, not all ICMP: some ICMP messages, such as those used for path MTU discovery, are needed for normal traffic to work.

In addition UPnP (Universal Plug and Play) should be switched off on the router.

Unless you genuinely need to configure the router from outside, disable its remote administration facility on the Internet-facing side as well.

TECH NOTE: ICMP (Internet Control Message Protocol) Query: This is generally known as a ‘Ping’. One computer sends an ICMP echo request to another as a way of saying ‘hello, are you there?’ and expects an echo reply back. An attacker sweeping the Internet uses that reply to confirm there is a live machine at your address worth probing further.

TECH NOTE: UPnP (Universal Plug and Play): This is a set of protocols designed to simplify device configuration by letting devices on the local network configure themselves, including asking the router to open ports from the Internet to them. The router does not authenticate these requests, so any program on an internal machine, malware included, can punch a hole through to itself.


The Administrator Account
The Administrator account on each server should be set up with a long, complex password and then disabled. Renaming the account will not fool a competent attacker: under Windows the built-in Administrator account always has a relative identifier (RID) of 500, so its security identifier (SID) ends in -500 whether you call it BilboBaggins or BartSimpson, and any user who can log on to the machine can list the accounts together with their SIDs.

Each administrator should then be given their own admin account and password; no admin should know the password for another admin’s account. This ensures that administrator-level access to the servers can be audited and tied to a specific individual.
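As an added example (not part of the original post), the check below shows why renaming does not hide the account. It takes a list of local accounts with their SIDs, in the shape a user export from a Windows machine would give (the sample rows here are constructed, and the sub-authority numbers are made up), finds the account whose RID is 500 regardless of its name, and reports the two things this section asks for: that the built-in account is disabled, and that a decoy called ‘Administrator’ is not mistaken for the real one.

```python
import re

# Well-known RIDs of built-in accounts. The RID is the last component of the
# SID and is fixed at install time, so it survives any renaming of the account.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}

# Account SIDs look like S-1-5-21-<three machine/domain sub-authorities>-<RID>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_of(sid):
    """Return the RID of a machine or domain account SID, or None for SIDs of
    other kinds (e.g. the built-in Administrators *group*, S-1-5-32-544)."""
    m = SID_RE.match(sid)
    return int(m.group(1)) if m else None


def find_builtin_admin(accounts):
    """Return the account whose RID is 500, whatever it has been renamed to,
    or None if the list does not contain it."""
    for acct in accounts:
        if rid_of(acct["sid"]) == 500:
            return acct
    return None


def audit(accounts):
    """Apply the post's two rules to a list of local accounts and return the
    findings: the RID-500 account must be disabled, and an account that merely
    carries the name 'Administrator' is a decoy, not the real thing."""
    findings = []
    admin = find_builtin_admin(accounts)
    if admin is None:
        findings.append("no RID-500 account in the list (export incomplete?)")
        return findings
    if admin["enabled"]:
        findings.append(
            f"built-in {WELL_KNOWN_RIDS[500]} (RID 500) is still enabled, "
            f"currently named {admin['name']!r}")
    for acct in accounts:
        rid = rid_of(acct["sid"])
        if acct["name"].lower() == "administrator" and rid != 500:
            findings.append(
                f"account named 'Administrator' is a decoy with RID {rid}; "
                f"the real one is {admin['name']!r}")
    return findings


# Constructed sample, in the shape of an export of local users with their SIDs.
# The sub-authority values are made up; only the final RID matters here.
SAMPLE_ACCOUNTS = [
    {"name": "BilboBaggins",  "sid": "S-1-5-21-1004336348-1177238915-682003330-500",  "enabled": True},
    {"name": "Guest",         "sid": "S-1-5-21-1004336348-1177238915-682003330-501",  "enabled": False},
    {"name": "Administrator", "sid": "S-1-5-21-1004336348-1177238915-682003330-1005", "enabled": True},
    {"name": "jclark-adm",    "sid": "S-1-5-21-1004336348-1177238915-682003330-1010", "enabled": True},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS):
        print("FINDING:", finding)
```

The same RID test is what a logon-monitoring rule should key on: Windows logon events carry the account SID, so an alert on "SID ends in -500" keeps firing after the account has been renamed, whereas an alert on the name "Administrator" stops working the day someone renames it.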

Resources
When considering the resources that you provide for your users you should look at them in the context of:

        Confidentiality
        Integrity
        Availability

The general rules to use when setting up access to resources are:

        Need to know
        Least Privilege

Need to Know
This applies to users and the information they need. There is nothing to be gained by passing on information to users regarding server and router IP addresses, DNS and DHCP if they do not need to know these things to do their job.
Least Privilege
Basically what we are saying here is that users and employees should be given the lowest and most restrictive access possible that still lets them do their job. It is easier to grant additional rights later than to take rights away once people are used to having them!

"For today and its blessings, I owe the world an attitude of gratitude." - Clarence E Hodges

Tuesday, 21 November 2006

Securing the Network: 3

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                User ID
                Passwords

User ID
Traditionally access to many computer systems has been via a ‘username’. Some examples are shown below:

Bilbo
Bilbobaggins
Bilbo.baggins

The problem with this, of course, is that an attacker can use employee information gathered from many sources to guess logon names to the computer system. Once the logon name is known, only the password stands between the attacker and the account, and the attacker can move straight on to guessing passwords for that name (see Passwords below).

Even worse, many people use the same ‘username’ as their email address, see below:

Bilbo@hobbit.com
Bilbobaggins@hobbit.com
Bilbo.baggins@hobbit.com

This means that an attacker only has to learn the name of an employee to have a good idea of both their computer logon and their email address, or, alternatively, only needs the email address to learn an individual’s computer logon and name.

TECH NOTE: Email SPAM: An additional problem with using names as email addresses is that some spammers now use code to churn out millions of emails to a domain name (e.g. hobbit.com) using variations of people’s names, a so-called directory harvest attack. This in itself is a potentially massive problem.

My suggestion is that systems designed or re-engineered nowadays should use logons and email addresses that bear no relation to the name of the individual. For example:

M7071@hobbit.com

This may not be as simple or as intuitive as previous methods but it makes guessing harder. Treat it as a hurdle rather than a control: the ID will still leak through email signatures and address books, so the password and lockout rules below have to do the real work. Still, anything we can do to secure ourselves that little bit more is worth doing.

Passwords
User passwords should conform to the following criteria:

        Minimum Length, 9 Characters
        Combination of Letters, Numbers and Special Characters
        Mixed Case
        Does not form Proper Word

To ensure that the user remembers her password and does not stick it on a Post-it note underneath the keyboard, you may adopt the following suggestions:

        Let the user choose her own password
        Build the password from a phrase, such as a line from a song.

The system should be set up so that after a given number of failed password attempts the account is locked; this helps protect against brute-force password guessing. Use a failure counter that resets after a set window and a lock that expires after a set time, rather than a permanent lock, otherwise an attacker who knows your logon naming scheme can lock every user out simply by guessing wrongly.

In addition the policy should be enforced so that passwords are changed at least twice a year; quarterly or more often would be better. (Current guidance, NIST SP 800-63B, has since moved away from forced periodic changes, which tend to produce predictable variations on the old password, in favour of longer passwords screened against lists of known-breached passwords, with a change forced when compromise is suspected.)
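An added example, not from the original post, that turns the four password rules and the lockout rule into code. The dictionary list is a constructed stand-in for a real word list or breached-password list, and the thresholds are assumptions; the lockout tracker uses a sliding window and a timed lock rather than a permanent one, for the reason given above.

```python
import string

# The post's policy: at least 9 characters, letters + digits + specials,
# mixed case, and not a proper word.
MIN_LENGTH = 9

# Constructed stand-in for a real dictionary or breached-password list.
COMMON_WORDS = {"password", "welcome", "hobbit", "baggins", "letmein", "qwerty"}


def password_problems(pw):
    """Return the list of policy rules the candidate password breaks
    (an empty list means it is acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    # Strip the digits and punctuation before the dictionary check, so that
    # 'Password1!' is still recognised as the word 'password'.
    core = "".join(c for c in pw if c.isalpha()).lower()
    if core in COMMON_WORDS:
        problems.append("based on a dictionary word")
    return problems


class LockoutTracker:
    """Lock an account after `threshold` failed logons inside `window` seconds,
    for `lockout` seconds. Old failures age out and the lock expires, so a
    guesser who knows the logon naming scheme cannot lock everyone out for good."""

    def __init__(self, threshold=5, window=900, lockout=900):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = {}       # user -> timestamps of recent failures
        self.locked_until = {}   # user -> time at which the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user, now):
        """Register a failed logon at time `now`; return True if it locks the account."""
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = []
            return True
        return False

    def record_success(self, user):
        """A successful logon clears the failure history."""
        self.failures.pop(user, None)


if __name__ == "__main__":
    for candidate in ("Bilbo", "Password1!", "Tr0ub4dor&3"):
        print(candidate, "->", password_problems(candidate) or "OK")
```

Note what the checker does not do: it cannot tell a genuinely random password from one that merely satisfies the character classes, which is why the breached-password screen matters more than the composition rules in current guidance.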

"If you're creative, if you can think independently, if you can articulate passion, if you can override the fear of being wrong, then your company needs you now more than it ever did. And now your company can no longer afford to pretend that isn't the case." - Hugh MacLeod

Sunday, 19 November 2006

Securing the Network: 2

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                Threats
                Physical Security
                Firewalls

Threats
The main threats that we face as a business if our network or computer or security systems are compromised, are listed below:

Data Loss
Data Theft
Identity Theft

The main ways in which these threats can be realised are listed below:

Malware / Trojans
Viruses
Pod Slurping
Social Engineering
Physical Destruction
Employee Dishonesty

Physical Security
Physical Security in the context of this document can be split into two areas, security of your building/office and security of your computers/servers.

The security of your building or office is covered in this document because if it is possible for somebody unauthorised to gain access to your building or office then the best computer security in the world will not help. They could steal your computer, plug a laptop into your network, put a tap on your phone, steal confidential information etc. etc.

Gaining access, even to a secure establishment, can be as simple as ‘piggybacking’ (also called tailgating). This involves walking into a building close behind a group of others; if this is done casually enough you are extremely unlikely to be questioned. One way around this, typically used in high-security installations, is the ‘man trap’: an enclosed ‘chicane’ type area which allows one person through at a time.

At the very least anybody visiting your establishment should be made to wear a ‘Visitors Badge’ displayed prominently, which should be handed in when leaving the premises.

Secondary entrances and fire exits should be kept closed and secured as far as the fire regulations allow.

Physical security of your computers and servers means paying particular attention to the CD/DVD drives, USB ports, FireWire ports etc. These can all be used to introduce malware, Trojans or viruses to a computer and, in most cases, to take data off the computer and out of your control.

Any electrical device of value should be attached to a secure anchor point with an armoured cable, available from many suppliers. Many desktop and laptop computers now have a slot designed to take the armoured cables and padlocks currently available.

Firewall
A Firewall is a device that sits between your internal computer network and the external Internet. It can either be software running on a computer or a dedicated hardware device.

The purpose of a Firewall is to stop undesirable access to the machines on your network while still allowing the access and capabilities that you deem desirable. The sound way to configure one is ‘default deny’: block everything, then open only the specific services you have decided you need.

A Firewall is not a guaranteed safeguard: it does nothing about traffic you have chosen to allow, or about threats that walk in through the front door (see Physical Security above). Nevertheless it is an important item in your security portfolio. Without some sort of Firewall between you and the Internet it is likely that an unpatched computer would be compromised within minutes.

"Life is too complicated not to be orderly." - Martha Stewart

Sunday, 12 November 2006

Securing the Network: 1

This next series of posts is entitled:

Securing The Network
A Post on Corporate Security Issues for the Non Technical

This post covers:
                Introduction
                What is a Hacker
                The Security Triad
                The Laws of Security

Introduction
Security can be likened to Insurance. Most people and organisations never really consider it worthwhile until the worst happens. Today we live in an age where computer and network security has to be at the top of the CIO’s agenda. There is too much at stake for security to be an afterthought.

Unfortunately security and convenience/practicality are at opposite ends of the user experience. As such security will always be a compromise. To give a contemporary example: It is extremely easy to stop terrorists getting on commercial flights. Use airplanes for cargo only. Problem Solved. This however is not a practical solution and so a compromise between security and practicality is necessary.

This document looks at the computer and network security that is needed within the modern enterprise and explains in layman’s terms the policies, procedures and settings that are essential to ensure that if security is going to be compromised then somebody is going to have to work hard to do it.

This is not a comprehensive security document and it does not cover every eventuality. The suggestions it makes however, if followed, are likely to lead to more comprehensive security than what your competitors and most other companies have.

After all, you don’t always have to be able to run fast, as long as you run faster than the other person when you are both being chased by a bear …

What is a Hacker ?
You will see references to the word ‘Hacker’ throughout this document. I have used the word ‘Hacker’ as it should be used, not as it is often used in modern literature or in Hollywood films.

A Hacker is someone who likes to know, in depth, about a subject: someone who is willing to study and tinker until they gain mastery of their craft. Generally accepted to be gifted Programmers or System Administrators, they can, I believe, be categorised by their belief that if the knowledge is worth pursuing they won’t necessarily let laws or restrictions stop them. The average Hacker’s attitude is probably a bit ‘Grey’ as opposed to either ‘Black’ or ‘White’.

A Hacker, like anybody else, can have either good or bad intentions, and be capable of good, bad or indifferent acts. In this document you should understand the type of Hacker I am describing from the context of the paragraph in which they are mentioned.

The Security Triad
The three cornerstones of information security are:

Confidentiality
Integrity
Availability

Confidentiality is concerned with information being accessible to only the intended recipient. This may be documents, database information, emails or even instant messages.

Integrity is concerned with trust: for information to be trusted we must know that it has only been modified by those who are authorised to do so, and that any other change, accidental or malicious, will be detected. In addition the data must be accurate and complete.

Availability is making sure the information is available to the right person(s) when it is needed. Incorrect permission settings, hardware failure or a denial-of-service attack are examples of how availability may be compromised.

TECH NOTE: Denial of Service (DoS) Attack: any attack that makes a service unusable for its legitimate users, most often by flooding it with more traffic or requests than it can handle. In the distributed form (DDoS) several hundred or thousand computers are commandeered by an attacker and all set to send requests to the targeted website simultaneously, which can cause it to crash or become otherwise unusable.

The concept of security in the enterprise involves considering and balancing these three concepts, every step of the way.

The Laws of Security
Client side security does not work.
You cannot securely exchange encryption keys without a shared piece of information.
Malicious code cannot be 100% protected against.
Any malicious code can be completely altered to bypass signature detection.
Firewalls cannot protect you 100% from attack.
Any Intrusion Detection System (IDS) can be evaded.
Secret cryptographic algorithms are not secure.
If you don’t have a key, you don’t have encryption, you have encoding.
Passwords cannot be securely stored on the client, without password protection.
For a system to be considered secure, it must undergo an independent security audit.
Security through obscurity does not work.

Source: INFOSEC Career Hacking, Syngress 2005.

"I want freedom for the full expression of my personality." - Mahatma Gandhi

Tuesday, 7 November 2006

SQL 101 7: SQL Background

This is the seventh and final post in my series designed to teach people the basics of SQL and its use in interrogating databases.

SQL Background Information
SQL is a declarative language, not a procedural one. This means that you tell the database what you want, not specifically how to produce it. This is a characteristic shared by several fourth-generation languages. Examples of procedural languages are Pascal, C++ and BASIC, as well as old-timers such as COBOL and FORTRAN.

The SQL Language consists of three parts:
                DDL:                Data Definition Language
                (Used to Design the tables and columns)
                DML:                Data Manipulation Language
                (Insert, Delete, Update & Query the database)
                DCL:                Data Control Language
                (Controls database security and permissions)

The DBA (Database Administrator) is concerned with the DDL and DCL, whereas the programmer or reasonably sophisticated end-user works with the DML.

SQL differs from procedural languages in that they handle data in FILES. A FILE is a container in which records are stored sequentially: there is a first record and a last record, which fits the way paper forms and filing cabinets work in the real world.

SQL, however, handles data in TABLES. A TABLE is a set. A set is a mathematical abstraction whose members are all of the same type and which has no inherent order: rows come back in whatever order the database finds convenient unless you ask for an ORDER BY. When you perform an operation on a set it happens all at once and to the entire membership. Tables can be permanent (base tables) or virtual (views). An operation on an SQL table always returns a RESULTS TABLE.

Cardinality of a table
(The number of rows in a table, Zero or Greater)
Degree of a Table
(Number of columns in a table, One or Greater)

A foreign key is a column (or set of columns) that links to the primary key of another table.

OR (AND binds more tightly than OR, so when OR and AND are mixed in one WHERE clause the OR’d items must be bracketed to get the search you intended.)
NOT
AND
LIKE 'xxx%' (% is a wildcard matching zero or more characters and _ matches exactly one. Whether LIKE is case sensitive depends on the database: it is in Oracle, but not by default in MySQL or SQLite.)
IN
BETWEEN (inclusive of both end values; = is used for an exact-match search)

GROUP BY can list more than one column, separated by commas, and every grouping column should also appear in the displayed columns. Do not group by a primary key on its own: the key is unique, so every group contains one row and nothing is aggregated. Columns other than the grouping columns can only appear in the display list inside an aggregate function (COUNT, SUM etc.), since a single bare value makes no sense for a group of rows.

NORMALISATION is the process by which a database designer minimises the amount of duplicated data stored in the database, so that each fact is stored once and an update cannot leave two copies disagreeing.

"If you have made mistakes, even serious ones, there is always another chance for you. What we call failure is not the falling down but the staying down." - Mary Pickford

SQL 101 6: DISTINCT & Functions

This is the sixth in my series of posts designed to teach people the basics of SQL and its use in interrogating databases.

The DISTINCT Option
This option removes duplicate rows from the Results Table: each distinct combination of the selected Columns appears once, however many times it occurs in the Table. NOTE: only rows where ALL the selected Columns are the same will be collapsed.

One example of its use is where you wish to query the sales history to see whether you have ever sold a particular product: you only want one row back as confirmation, not a row for every occurrence of that product being sold. This query would use the DISTINCT option to return only the required data.

Calculated Columns
The value of a Column can have a calculation applied to it. This calculation can be in the form of a numeric calculation or a calculation based on the value of another Column.

Functions
Instead of displaying the contents of a Column in the Results Table, you can display the result of performing certain operations on the Column contents. These are the aggregate functions, and those available are as follows:

AVG(COLUMN)
This function calculates the average value of the specified Column. The name of the Column to be averaged must be enclosed in parentheses.

SUM(COLUMN)
This function is written in the same way as the average function, but produces the SUM of the selected Column.

MIN(COLUMN)
This function is written in the same way as the average function, but produces the minimum value of the selected Column.

MAX(COLUMN)
This function is written in the same way as the average function, but produces the maximum value of the selected Column.

COUNT(*)
This function produces a COUNT of the number of rows that meet the selected criteria. COUNT(COLUMN) counts only the rows where that Column is not NULL (empty); AVG, SUM, MIN and MAX likewise ignore NULLs.

Next: SQL Background Information

"If you really do put a small value upon yourself, rest assured that the world will not raise your price." - Anonymous

Sunday, 5 November 2006

SQL 101 5: ORDER and GROUP

This is the fifth in my series of posts designed to teach people the basics of SQL and its use in interrogating databases.

The Optional ORDER Clause
The ORDER BY clause provides an optional method of sorting the rows that have been returned to the Results Table. Please note that a sort can make the query take longer to execute and require more memory on the server. An example of the ORDER BY clause is as follows:

ORDER BY CUS_NAME, CUS_PRIMARYKEY

The order of sorting is determined by the order of the Columns in the ORDER BY section of the statement: rows are sorted by the first Column, and ties are broken by the second. The sort is carried out in ascending order of value unless DESC is added after a Column name (see the second example below).

Below are some examples of queries with the optional ORDER clause in use.

SELECT SOH_NUMBER, SOH_DATE, SOH_NET, SOH_OWNER
FROM GUSER.F_SOHDR
WHERE (SOH_OWNER = 'JOHN CLARK' OR SOH_OWNER = 'PETER OAKDEN') AND SOH_NET > 3000
ORDER BY SOH_NET

SELECT SOH_NUMBER, SOH_DATE, SOH_NET, SOH_OWNER
FROM GUSER.F_SOHDR
WHERE (SOH_OWNER = 'JOHN CLARK' OR SOH_OWNER = 'PETER OAKDEN') AND SOH_NET > 3000
ORDER BY SOH_NET DESC


The Optional GROUP Clause
The GROUP BY clause is used to return the output not as individual records but as groups of records that share the same value in a specified Column. This optional clause is only used when the query applies one of the functions (AVG, SUM, MIN, MAX or COUNT) to each group.

The SELECT clause is limited to the Column(s) that appear in the GROUP BY clause, plus one or more functions of other Columns. For example:

SELECT HIS_USER, COUNT(*)
FROM GUSER.F_SYSHISTORY
WHERE HIS_USER LIKE '%'
GROUP BY HIS_USER


This query returns one row per user, containing the number of system history records recorded against that user.
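An added example (not the original course material) that runs the post’s GROUP BY query, and the aggregate functions from the DISTINCT and Functions post, against an in-memory SQLite copy of F_SYSHISTORY built from Python. The HIS_ACTION and HIS_SECONDS columns and all the rows are constructed, and the GUSER schema prefix is dropped because SQLite has no schemas. It also goes one step beyond the post with HAVING, which filters groups after they have been aggregated. Oracle rejects a non-aggregated column that is missing from GROUP BY, whereas SQLite silently picks one row’s value, so the queries here keep to the rule stated above.

```python
import sqlite3


def build_history_db():
    """In-memory stand-in for GUSER.F_SYSHISTORY. HIS_USER follows the post;
    HIS_ACTION, HIS_SECONDS and every row are constructed for this example."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE F_SYSHISTORY (
        HIS_PRIMARYKEY INTEGER PRIMARY KEY,
        HIS_USER TEXT, HIS_ACTION TEXT, HIS_SECONDS REAL)""")
    con.executemany("INSERT INTO F_SYSHISTORY VALUES (?,?,?,?)", [
        (1, "JOHN CLARK",   "LOGIN",  0.4),
        (2, "JOHN CLARK",   "PRINT",  3.2),
        (3, "PETER OAKDEN", "LOGIN",  0.5),
        (4, "JOHN CLARK",   "LOGIN",  0.6),
        (5, "PETER OAKDEN", "EXPORT", 12.0),
        (6, "BILBO",        "LOGIN",  0.3),
    ])
    return con


def history_per_user(con):
    """The post's query: one row per user with the number of history records."""
    return con.execute("""
        SELECT HIS_USER, COUNT(*)
        FROM F_SYSHISTORY
        GROUP BY HIS_USER
        ORDER BY HIS_USER""").fetchall()


def action_stats(con):
    """Two grouping columns; every other column appears only inside a function."""
    return con.execute("""
        SELECT HIS_USER, HIS_ACTION, COUNT(*),
               SUM(HIS_SECONDS), MIN(HIS_SECONDS), MAX(HIS_SECONDS), AVG(HIS_SECONDS)
        FROM F_SYSHISTORY
        GROUP BY HIS_USER, HIS_ACTION
        ORDER BY HIS_USER, HIS_ACTION""").fetchall()


def distinct_actions(con):
    """DISTINCT collapses rows only when every selected column is identical."""
    return con.execute(
        "SELECT DISTINCT HIS_ACTION FROM F_SYSHISTORY ORDER BY HIS_ACTION").fetchall()


def busy_users(con, min_records):
    """HAVING (not covered in the post) filters the groups after aggregation,
    whereas WHERE filters the individual rows before they are grouped."""
    return con.execute("""
        SELECT HIS_USER, COUNT(*)
        FROM F_SYSHISTORY
        GROUP BY HIS_USER
        HAVING COUNT(*) >= ?
        ORDER BY HIS_USER""", (min_records,)).fetchall()


if __name__ == "__main__":
    con = build_history_db()
    for row in history_per_user(con):
        print(row)
    print(action_stats(con))
```

The per-user count is the shape of query an auditor runs over a system history or logon table to spot an account with far more activity than its peers; the HAVING form is the same query with the threshold applied in the database rather than afterwards by hand.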

Next: DISTINCT Option, Calculated Columns and Functions

"Don't join the book burners. Don't think you're going to conceal faults by concealing evidence that they ever existed. Don't be afraid to go in your library and read every book..." - Dwight D Eisenhower

Saturday, 4 November 2006

SQL 101 4: The WHERE Clause

This is the fourth in my series of posts designed to teach people the basics of SQL and its use in interrogating databases.

The WHERE Clause
The WHERE clause is used to specify the conditions that must be met for a record to be selected. Each record in the Table named in the FROM clause is read and tested against the condition in the WHERE clause. If the condition evaluates to True, the Columns specified in the SELECT clause are included in the Results Table; otherwise the record is left out.

SELECT CUS_PRIMARYKEY,CUS_CODE
FROM GUSER.F_CUSTOMER
WHERE CUS_CODE LIKE '%'


This returns a Results Table containing all your Customers. (Of course the same could have been achieved in this case by eliminating the WHERE clause entirely.)

In its simplest form the WHERE clause consists of four parts: the word WHERE, a Column name, an operator, and a value or another Column name. Several examples of full SQL statements containing a simple WHERE clause are shown below:

SELECT SOH_NUMBER, SOH_DATE, SOH_NET, SOH_CUCODE
FROM GUSER.F_SOHDR
WHERE SOH_DATE BETWEEN '2004 MAR 01' AND '2004 MAR 31'

SELECT SOH_NUMBER, SOH_DATE, SOH_NET, SOH_CUCODE
FROM GUSER.F_SOHDR
WHERE SOH_NET > 1000.00

SELECT CUS_CODE, CUS_NAME, CUS_BALANCE
FROM GUSER.F_CUSTOMER
WHERE CUS_NAME LIKE 'Bathroom%'

SELECT CUS_CODE, CUS_NAME, CUS_BALANCE
FROM GUSER.F_CUSTOMER
WHERE CUS_NAME NOT LIKE 'Bathroom%'


SELECT SOH_NUMBER, SOH_DATE, SOH_NET, SOH_OWNER
FROM GUSER.F_SOHDR
WHERE (SOH_OWNER = 'JOHN CLARK' OR SOH_OWNER = 'PETER OAKDEN') AND SOH_NET > 3000


Parentheses are used to alter the sequence in which conditions are evaluated. Without them NOT is applied first, then AND, then OR, much as multiplication and division are done before addition and subtraction in arithmetic, with conditions of equal precedence evaluated left to right. Parentheses cause the condition inside them to be evaluated first and its result to be passed to the outer part of the condition (or to the next outer set of parentheses if they are nested).

An example of the use of parentheses, consider the following two expressions:

7 + 5 * 4        =        27
(7 + 5) * 4        =        48

The final part of the WHERE clause is the element that follows the operator. This can either be a data value or the name of another Column. If the data is alphanumeric it must be enclosed in single quotation marks. Numeric data must not be quoted. Dates are entered as quoted text; the form '01 JAN 06' used in this course works in Oracle, while other databases expect other formats (the ISO form '2006-01-01' is the most portable).

Note: The '%' symbol is a wildcard. As the query executes it is evaluated to mean 'zero or more characters', effectively allowing a simple 'contains' search. Another wildcard that can be used is the underscore character (_), which represents exactly one character.

If using the wildcards you cannot use the equality operator (=): with = the % is just an ordinary character to be matched. Instead you must use LIKE, as in the examples above.
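An added example, not from the original course, that demonstrates the three WHERE points that most often produce wrong results in practice: AND/OR precedence, the two LIKE wildcards, and LIKE case sensitivity (it also covers the OR and LIKE notes in the SQL Background post above). It runs in Python against an in-memory SQLite table standing in for GUSER.F_CUSTOMER; the rows and the CUS_OWNER column are constructed, the schema prefix is dropped, and the case-sensitivity pragma is SQLite-specific (Oracle is case sensitive without it).

```python
import sqlite3


def build_customer_db():
    """In-memory stand-in for GUSER.F_CUSTOMER with constructed rows. CUS_OWNER
    is an added column so the post's OR/AND example can be run on one table."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE F_CUSTOMER (
        CUS_PRIMARYKEY INTEGER PRIMARY KEY, CUS_CODE TEXT,
        CUS_NAME TEXT, CUS_BALANCE REAL, CUS_OWNER TEXT)""")
    con.executemany("INSERT INTO F_CUSTOMER VALUES (?,?,?,?,?)", [
        (1, "BATH01", "Bathroom Supplies Ltd", 1500.0, "JOHN CLARK"),
        (2, "BATH02", "Bathrooms Direct",       800.0, "PETER OAKDEN"),
        (3, "SHIR01", "Shire Plumbing",        5200.0, "PETER OAKDEN"),
        (4, "BAGE01", "Bag End Builders",      3500.0, "SAM GAMGEE"),
        (5, "bath03", "bathroom bits",         9000.0, "JOHN CLARK"),
    ])
    return con


def owners_over(con, amount, bracketed):
    """AND is evaluated before OR. Without the brackets the condition reads
    'JOHN CLARK (any balance) OR (PETER OAKDEN AND balance > amount)'."""
    if bracketed:
        where = "(CUS_OWNER = 'JOHN CLARK' OR CUS_OWNER = 'PETER OAKDEN') AND CUS_BALANCE > ?"
    else:
        where = "CUS_OWNER = 'JOHN CLARK' OR CUS_OWNER = 'PETER OAKDEN' AND CUS_BALANCE > ?"
    # `where` is one of two fixed literals; the user-supplied amount is bound as a parameter.
    sql = f"SELECT CUS_CODE FROM F_CUSTOMER WHERE {where} ORDER BY CUS_CODE"
    return [row[0] for row in con.execute(sql, (amount,))]


def names_like(con, pattern, case_sensitive):
    """'%' matches zero or more characters and '_' exactly one. Oracle's LIKE
    is case sensitive; SQLite's is not unless this pragma is switched on."""
    con.execute("PRAGMA case_sensitive_like = " + ("ON" if case_sensitive else "OFF"))
    sql = "SELECT CUS_CODE FROM F_CUSTOMER WHERE CUS_NAME LIKE ? ORDER BY CUS_CODE"
    return [row[0] for row in con.execute(sql, (pattern,))]


def balance_between(con, low, high):
    """BETWEEN includes both end points, so balances equal to low or high are returned."""
    sql = "SELECT CUS_CODE FROM F_CUSTOMER WHERE CUS_BALANCE BETWEEN ? AND ? ORDER BY CUS_CODE"
    return [row[0] for row in con.execute(sql, (low, high))]


if __name__ == "__main__":
    con = build_customer_db()
    print("bracketed:  ", owners_over(con, 4000, bracketed=True))
    print("unbracketed:", owners_over(con, 4000, bracketed=False))
    print("case sensitive:  ", names_like(con, "Bathroom%", True))
    print("case insensitive:", names_like(con, "Bathroom%", False))
```

The unbracketed query returns BATH01 (a 1500 balance) because the AND only attaches to the PETER OAKDEN half; that is the mistake the bracketed example in this post is guarding against. The ORDER BY also shows SQLite’s default binary collation sorting the lower-case code bath03 after all the upper-case ones.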

Tomorrow: The ORDER BY and GROUP BY Clauses.

"Good communication is as stimulating as black coffee and just as hard to sleep after." - Anne Morrow Lindbergh

Friday, 3 November 2006

SQL 101 3: SELECT and FROM

This is the third in my series of posts designed to teach people the basics of SQL and its use in interrogating databases.

The SELECT Clause
The SELECT clause is used to define the columns that are to be displayed in the Results Table for each record that satisfies the query conditions. If more than one Column is specified the field names must be separated with commas. If only one Column is specified, no separator is required. For example:

SELECT CUS_PRIMARYKEY,CUS_CODE
or
SELECT CUS_CODE


The FROM Clause
The FROM clause is used to define the Table from which the records are to be selected. The FROM clause normally follows the SELECT clause, and in order to keep the structure of the query clear, it can often be found entered on a separate line. For Example:

SELECT CUS_PRIMARYKEY,CUS_CODE
FROM GUSER.F_CUSTOMER


This means that the Columns CUS_PRIMARYKEY (Primary Key) and CUS_CODE (Customer Code) are to be retrieved from the table F_CUSTOMER. If more than one Table is used in a query (a SQL ‘Join’, which is a technique for linking related tables), the Table names must be separated by a comma and the WHERE clause must say how the tables are linked. For example:

SELECT CUS_PRIMARYKEY,CUS_CODE,SOH_NET
FROM GUSER.F_CUSTOMER, GUSER.F_SOHDR
WHERE


Tomorrow: The WHERE Clause.

"Most folks are about as happy as they make up their minds to be." - Abraham Lincoln

Thursday, 2 November 2006

SQL 101 2: Relational Joins

This is the second in my series of posts designed to teach people the basics of SQL and its use in interrogating databases.

Relational Joins
Data can be linked to other data. A sales order is linked to its lines, and it is also linked to a customer. These links are known as relational joins. When retrieving linked data you have to tell the database which key fields you want to use to establish the link.

The link is established through Primary and Foreign Keys. In my own databases I generally provide a second and arguably more intuitive link. More on this later.

Consider the following Example, which shows a simplified Sales Order Header Table, and a simplified Customer Table:

Table: GUSER.F_SOHDR
SOH_PRIMARYKEY     Sales Order Primary Key
SOH_NUMBER         Sales Order Number
SOH_DATE           Date
SOH_DELIVDATE      Delivery Date
SOH_CUCODE         Customer Code
SOH_FK_CUSTOMER    Foreign Key to Customer Table
SOH_NET            Net Value (used in the queries below)

Table: GUSER.F_CUSTOMER
CUS_PRIMARYKEY     Customer Primary Key
CUS_CODE           Customer Code
CUS_NAME           Customer Name

As you can see the customer name is not stored against the sales order header record. (There is a very valid reason for this and it concerns normalisation, see elsewhere in this document for an explanation of normalisation.)

Now if you wish to produce a SQL query that shows all sales orders for the first week in March, with the order number, order date, customer code, customer name and net value, then you need to pull in the customer name from the customer table. This means applying a join in your query, and for this first example we are going to join via the sales order’s foreign key to customer (SOH_FK_CUSTOMER) and the customer primary key (CUS_PRIMARYKEY). The query looks like this:

SELECT SOH_NUMBER,SOH_DATE,SOH_CUCODE,CUS_NAME,SOH_NET
FROM GUSER.F_SOHDR,GUSER.F_CUSTOMER
WHERE SOH_FK_CUSTOMER = CUS_PRIMARYKEY
AND
SOH_DATE BETWEEN '2004 MAR 01' AND '2004 MAR 05'

The important things to notice here are that we have had to specify in the FROM section that we wish to pull in data from more than one table, and that we have had to say how the sales order is linked to the customer, through the Primary Key / Foreign Key mechanism; you can see this as the first part of the WHERE section.

As I mentioned earlier, within my own databases I generally provide a second way of linking the data between tables, through a common or convenient code. In this example we could have used the Customer Code stored against the order (SOH_CUCODE) and the Customer Code stored in the customer table (CUS_CODE) to link the records. This is demonstrated in the example below; it returns exactly the same data as the first example, provided the customer code is unique in the customer table.

SELECT SOH_NUMBER,SOH_DATE,SOH_CUCODE,CUS_NAME,SOH_NET
FROM GUSER.F_SOHDR,GUSER.F_CUSTOMER
WHERE SOH_CUCODE = CUS_CODE
AND
SOH_DATE BETWEEN '2004 MAR 01' AND '2004 MAR 05'


The only difference between the two examples is in the first part of the WHERE section, where I have specified the column names used to join the two tables.

NOTE: If you specify more than one table in the FROM section of your query and do not specify how to link the tables in your WHERE section, then you end up with what is known as a Cartesian Product (THIS IS A BAD THING). A Cartesian Product combines every row of one table with every row of the other, so two tables of 10,000 rows each produce 100,000,000 rows. This can cause a serious system slowdown and returns nonsensical data: every order appears against every customer.

An understanding of joins is essential for you to progress to more advanced SQL Queries, and to allow you to collate and interrogate data successfully.
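An added example, not part of the original post, that builds the two tables in an in-memory SQLite database from Python and runs the post’s two joins, the equivalent ANSI JOIN ... ON form, and the Cartesian product that results when the link is forgotten. The rows are constructed, the GUSER prefix is dropped because SQLite has no schemas, and ISO dates (2004-03-01) are used instead of Oracle’s '2004 MAR 01' so that BETWEEN compares them correctly as text.

```python
import sqlite3


def build_sales_db():
    """In-memory versions of the post's two tables, with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE F_CUSTOMER (
        CUS_PRIMARYKEY INTEGER PRIMARY KEY, CUS_CODE TEXT UNIQUE, CUS_NAME TEXT)""")
    con.execute("""CREATE TABLE F_SOHDR (
        SOH_PRIMARYKEY INTEGER PRIMARY KEY, SOH_NUMBER TEXT, SOH_DATE TEXT,
        SOH_CUCODE TEXT,
        SOH_FK_CUSTOMER INTEGER REFERENCES F_CUSTOMER(CUS_PRIMARYKEY),
        SOH_NET REAL)""")
    con.executemany("INSERT INTO F_CUSTOMER VALUES (?,?,?)", [
        (1, "BATH01", "Bathroom Supplies Ltd"),
        (2, "SHIR01", "Shire Plumbing"),
        (3, "BAGE01", "Bag End Builders"),
    ])
    # ISO dates (an assumption for this example) sort correctly as plain text.
    con.executemany("INSERT INTO F_SOHDR VALUES (?,?,?,?,?,?)", [
        (10, "SO1001", "2004-03-01", "BATH01", 1, 1200.0),
        (11, "SO1002", "2004-03-03", "SHIR01", 2, 3500.0),
        (12, "SO1003", "2004-03-04", "BATH01", 1, 640.0),
        (13, "SO1004", "2004-03-09", "BAGE01", 3, 999.0),
    ])
    return con


FIRST_WEEK = ("2004-03-01", "2004-03-05")


def orders_by_fk(con):
    """Join through the foreign key / primary key pair, as in the post's first query."""
    return con.execute("""
        SELECT SOH_NUMBER, SOH_DATE, SOH_CUCODE, CUS_NAME, SOH_NET
        FROM F_SOHDR, F_CUSTOMER
        WHERE SOH_FK_CUSTOMER = CUS_PRIMARYKEY
        AND SOH_DATE BETWEEN ? AND ?
        ORDER BY SOH_NUMBER""", FIRST_WEEK).fetchall()


def orders_by_code(con):
    """Same result through the 'convenient' customer-code link (post's second query)."""
    return con.execute("""
        SELECT SOH_NUMBER, SOH_DATE, SOH_CUCODE, CUS_NAME, SOH_NET
        FROM F_SOHDR, F_CUSTOMER
        WHERE SOH_CUCODE = CUS_CODE
        AND SOH_DATE BETWEEN ? AND ?
        ORDER BY SOH_NUMBER""", FIRST_WEEK).fetchall()


def orders_explicit_join(con):
    """ANSI syntax: the link lives in ON, so it cannot be forgotten in the WHERE."""
    return con.execute("""
        SELECT SOH_NUMBER, SOH_DATE, SOH_CUCODE, CUS_NAME, SOH_NET
        FROM F_SOHDR JOIN F_CUSTOMER ON SOH_FK_CUSTOMER = CUS_PRIMARYKEY
        WHERE SOH_DATE BETWEEN ? AND ?
        ORDER BY SOH_NUMBER""", FIRST_WEEK).fetchall()


def cartesian_row_count(con):
    """The link omitted: every selected order is paired with every customer."""
    return con.execute("""
        SELECT COUNT(*) FROM F_SOHDR, F_CUSTOMER
        WHERE SOH_DATE BETWEEN ? AND ?""", FIRST_WEEK).fetchone()[0]


if __name__ == "__main__":
    con = build_sales_db()
    for row in orders_by_fk(con):
        print(row)
    print("rows without the join condition:", cartesian_row_count(con))
```

With three orders in the week and three customers the Cartesian version returns nine rows instead of three, and two-thirds of them show the wrong customer name against the order.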

"Temptation rarely comes in working hours. It is in their leisure time that men are made or marred." - W N Taylor

SQL 101 1: Intro / Overview

This is the first in a series of posts designed to teach somebody the basics of SQL. It is adapted from a training course I originally wrote around 10 years ago, revamped again in 2000 and then again in 2006. The syntax has been tested against Oracle but in the vast majority of cases should work fine against any version of SQL. Have Fun !

Introduction
Information is data organised in a way that is useful. What we give you within database software is Information, what we actually store is Data.

Obviously the data is not stored in a totally random fashion. The data is stored in a structured fashion, this structure is represented by Tables and Columns.

A Table is a collection of related data. For example the table F_CUSTOMER contains all the Customer data. The table F_SUPPLIER contains all the Supplier data. A column represents a particular portion of the data, for example a column within the customer table might be called CUS_NAME. This column will contain the customers name. You can liken this structure to a spreadsheet worksheet, where each row represents a single customer and each column represents a particular type of data stored. See this diagram for clarification.

For this tutorial we are going to be concentrating on using a SQL Query Tool to retrieve data from the database and present it to you on your screen.

Overview
‘SQL’ is an abbreviation for ‘Structured Query Language’. It provides a language for retrieving selected records from a relational database. ‘SQL’ is pronounced both ‘sequel’ and ‘ess que ell’; the standard uses the latter, and the former survives because SQL grew out of a language called SEQUEL that IBM developed in the early 1970s.
For even the most simple of database inquiries there are three elements that you must communicate to the system to perform the inquiry:
You must specify the Table or Tables that you wish to search.
You must specify the Columns of data you wish to retrieve.
You must specify the search conditions for the data you require.
In SQL this is achieved using the SELECT ..  FROM .. WHERE ..  clauses.
The SELECT clause is to tell the system which Columns you want to select for the inquiry. The FROM clause is used to tell the system which Table contains the records which are to be selected. The WHERE clause is used to specify the conditions that must be met for a record to be selected.
These three clauses are all that is necessary to perform a simple query with the SQL query engine. The system reads the specified Table(s) and checks each row against the condition; if the condition is met, the selected Columns of that row are returned into the Results Table.
Another feature of SQL is the ability to request not the contents of the selected fields, but a function of those contents, such as the average value, sum total, maximum or minimum value, or just a count of the number of records that meet the selection criteria.

"Aim at the sun, and you may not reach it; but your arrow will fly far higher than if aimed at an object on a level with yourself." - Joel Hawes

Tuesday, 31 October 2006

Pod Slurping

The most popular MP3 player, the Apple iPOD has sold 60 Million units since 2001. In addition to the iPOD there are many different and competing products in the portable music player space.

From a security standpoint the one thing they have in common is the ability to be plugged into a computer and copy huge amounts of data, possibly confidential data, onto the device in a matter of a few minutes. This can be done very discreetly and easily.

A common misconception is that if the outside perimeter of your network is secured, with Firewalls and Routers, then your network is safe. Very little thought is given to the security of computers and data inside the perimeter and yet around 50% of all security breaches occur from inside the corporate firewall.

This is a very real problem, with no easy solution. If you are in charge of security for your organisation then it’s a problem you will want to address, as it will not go away. These portable devices are getting smaller while their capacity is increasing.

One solution I am currently looking at is EndPointSecurity from GFI. It is not cheap, but then it probably costs a lot less than trying to fix the problems caused by your confidential data getting into the hands of your competitors.

“There’s a 4:30 in the morning now?” - Bart Simpson

Monday, 30 October 2006

Penetration Testing: An Overview

Introduction
Penetration Testing is an attempt to break the security of a computer system or network, under instruction from the owners or maintainers of that facility. It is an attempt to simulate a break-in by a computer savvy criminal. A Penetration Test gives a snapshot of the security at a moment in time, and is not a full security audit.

If a criminal attempts to breach your computer network they will generally follow a sequence of five steps:
        Reconnaissance
        Scanning
        Gain Access
        Maintain Access
        Cover Tracks

It therefore makes sense that a Penetration Test follows a similar, although obviously not identical, sequence of events.

Planning and Preparation
This stage involves a meeting between the Penetration Tester and the Client. Key areas to be covered are: Scope, Objective, Timing and Duration. In addition, documents must be signed to cover the Penetration Tester and the Client, generally in the form of a Non Disclosure Agreement (NDA).

Information Gathering and Analysis
This next stage involves the Penetration Tester finding as much information as possible about the company he will be asked to target. His first stop will probably be the company’s own website; from there he may consult services such as www.netcraft.com and Google Groups. The information he is looking for is Domain Names, Server Names, ISP Information, Host Addresses and anything else that will help him build a picture of the target. The second part of this process involves Port Scanning and OS Fingerprinting.

Vulnerability Detection
If Stage 2 has been successful then the Penetration Tester now has all the information he needs to decide which hosts to target, and with which vulnerabilities. Some techniques he may use at this stage include Password Cracking, SQL Injection, Rootkits, Social Engineering and Physical Security.

Analysis and Reporting
This is where the Penetration Tester reports back to his Client. The information he is going to present to the client includes the following:
        An Overview of the work done
        Detailed Analysis of all Vulnerabilities
        Summary of Successful Penetration Attempts
        Suggestions for the next step

Finish Up
This is where the Penetration Tester makes sure that anything he has done in the course of his work will have no lasting effect once he has finished. For example, he will remove any backdoors and additional user accounts that he has created, leaving the system as he found it.

The above is a quick overview only of the procedures that may be followed by a Penetration Tester while undertaking their assignment.

Research
Conducting a Penetration Test on an Organisation: Chan Tuck Wai 2002
Penetration Testing and Network Defence: Andrew Whitaker and Daniel Newman 2005

“Don’t eat me! I have a wife and kids. Eat them!” - Homer Simpson

Tuesday, 17 October 2006

Skype Home Security !

Here’s a tip I picked up from Lifehacker.

How to use Skype as a ‘Dial In Home Security System’

1) Open two New Accounts.

2) On Account 1 add NewUser2 as your ONLY contact.

3) Log in again as Account 1 and set as follows:
        Go to Tools-->Options-->Advanced-->(tick) Automatically Answer Incoming Calls,
        then go to Tools-->Options-->Video-->(tick) Start Video Automatically and Only People in My Contacts-->Save.
Leave this account online.

4) Log in as Account 2 from another Computer.
Call Account 1; it will now answer and start the video running. Anyone else calling this account will not trigger the auto-answer or see your private Web Cam.

Pretty Cool

"It is difficult to say what is impossible, for the dream of yesterday is the hope of today and the reality of tomorrow." - Robert H Goddard

Sunday, 15 October 2006

Living Congruently

Apparently, according to Steve Pavlina, the key to living congruently is aligning yourself so that the following four questions all produce the same answer:

        What do you want to do ? (Desire)
        What can you do ? (Ability)
        What should you do ? (Purpose)
        What must you do ? (Need)

It’s a little like searching for the Holy Grail !

"It is best to do things systematically, since we are only human, and disorder is our worst enemy." - Hesiod

Sunday, 24 September 2006

Netstat, Built in SuperTool !

Netstat is a command line utility that is built into pretty much all the currently popular Operating Systems, Windows, OSX, Linux, Unix etc. Netstat literally shows you your NETwork STATus, including information such as what ports and programs are doing what and to whom ! In this post I intend to give a brief description of Netstat as it applies to Windows XP and Mac OSX.

As a command line program, on XP you need to run Netstat from the MS-DOS Prompt (Command Prompt) and on the Macintosh you need to open the Terminal program. To run the basic Netstat program on XP you type ‘netstat’ at the command prompt, and on the Mac ‘netstat -f inet’. The difference is that the Mac, being Unix based, otherwise shows a lot of additional (and in most cases unnecessary) information relating to Unix sockets, so the ‘-f inet’ option restricts the output to just the Internet related information.

The key information displayed by Netstat is as follows:
Protocol (TCP / UDP)
Socket (Local Address and/or Port)
Remote Address
State

It’s worth noting that under OSX you can use the ‘man netstat’ command to see detailed information about the Netstat program, and under XP ‘netstat /?’.

Under XP, if you would like to see which process or program is using a given connection, use the ‘-b’ parameter. When reading the output from Netstat, the IP address 127.0.0.1 and the word localhost both mean your local machine; if 0.0.0.0 is shown, this means any IP address, i.e. the socket is bound to all of the machine’s addresses.

By default Netstat shows only current connections and connections that were recently closed. To see ports that are listening, i.e. open ports, start Netstat with the ‘-a’ parameter. This parameter works on both XP and OSX; on OSX the open ports are shown with a state of LISTEN and on XP as LISTENING. Note that these are open ports on your own machine, and because the majority of people are behind a NAT router this does not necessarily mean that these ports are exposed to the internet. For information about which ports your router exposes to the internet, point your browser at www.grc.com and select the ShieldsUP option.
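An added example, not from the post: a small Python parser that reads Netstat output in both the XP and OSX layouts described above and reports which open ports are bound to all interfaces (0.0.0.0 or *) versus the local machine only (127.0.0.1). The sample output embedded in it is constructed for the example, not captured from a real machine.

```python
import re

# Constructed sample output (not from a real machine) in the two formats the
# post describes: Windows XP 'netstat -a' and OSX 'netstat -f inet -a'.
XP_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1055      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
OSX_SAMPLE = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  192.168.1.5.49152      198.51.100.7.443       ESTABLISHED
udp4       0      0  *.5353                 *.*
"""
PROTOCOLS = ("TCP", "UDP", "TCP4", "UDP4", "TCP6", "UDP6")

def scope(host):
    """Where a bound socket is reachable from, judged by its local address."""
    if host in ("0.0.0.0", "*", "::", "[::]"):
        return "all interfaces"
    if host in ("127.0.0.1", "localhost", "::1", "[::1]"):
        return "loopback only"
    return "one interface"

def parse_netstat(output):
    """Parse either format into dicts of proto, host, port, state and scope."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if not parts or parts[0].upper() not in PROTOCOLS:
            continue   # headers, blank lines and anything that is not a socket
        # XP: 'TCP local foreign [state]'; OSX: 'tcp4 recvq sendq local foreign [state]'
        local = parts[3] if parts[1].isdigit() else parts[1]
        # XP separates host and port with ':', OSX with the last '.'
        sep = ":" if ":" in local else "."
        host, port = local.rsplit(sep, 1)
        state = parts[-1] if re.fullmatch(r"[A-Z_]+", parts[-1]) else ""
        rows.append({"proto": parts[0].upper(), "host": host, "port": int(port),
                     "state": state, "scope": scope(host)})
    return rows

def open_sockets(rows):
    """Listening TCP sockets plus bound UDP sockets (UDP has no LISTEN state)."""
    return [r for r in rows
            if r["state"] in ("LISTEN", "LISTENING") or r["proto"].startswith("UDP")]
```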

Netstat is a very powerful and useful program. Look at the help and play with the options; take control of your machine and understand what’s going on in the background.

"When you get to the end of your rope, tie a knot and hang on." - Franklin D Roosevelt

Saturday, 23 September 2006

Splitting a Key for Security

You may wish at some point to issue a key, maybe the passkey that unlocks some encrypted information, in such a way that the key can only be determined, and the information unlocked, when two individuals come together and agree to exchange their unique pieces of information.

The obvious solution, in the case of a 128 bit key, is to split the key in half and give each individual 64 bits. This solution is of course not good: each half of the key is then only half the strength of the original key, and 64 bits is no longer strong enough. You are effectively halving the strength of your encryption.

A useful solution is to picture a graph on which the key is a point on the Y axis. Each ‘key holder’ is given the coordinates of one point on a straight line that passes through that key point. Only when in possession of both coordinates can the line be drawn between the two points; continuing that straight line until it crosses the Y axis reveals the full key.

Simple and ingenious. Credit to Steve Gibson at www.grc.com for discussing this issue.
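The line-through-two-points scheme above, as added example code that is not from the post or from GRC. It assumes the key is a 128-bit integer and, as an addition to the post's picture, does the arithmetic modulo a large prime (2^255 - 19) so that a random slope can be used and a single share on its own reveals nothing about the key.

```python
import secrets

# Arithmetic is done modulo a prime larger than any 128-bit key so that the
# slope can be drawn uniformly at random and one share alone says nothing about
# the key. (Added assumption: the post draws its line over ordinary numbers.)
P = 2**255 - 19


def split_key(key, x1=1, x2=2, slope=None):
    """Give each holder one point (x, y) on the line y = slope*x + key (mod P).

    The key is the line's Y-axis intercept, exactly as in the post's picture.
    """
    if not 0 <= key < P:
        raise ValueError("key must be in the range 0 .. P-1")
    if x1 == x2 or 0 in (x1, x2):
        raise ValueError("shares need distinct, non-zero x coordinates")
    if slope is None:
        slope = secrets.randbelow(P)      # secret slope, discarded after use
    return (x1, (slope * x1 + key) % P), (x2, (slope * x2 + key) % P)


def recover_key(share1, share2):
    """Draw the line through both points and read off where it crosses x = 0."""
    (x1, y1), (x2, y2) = share1, share2
    if x1 == x2:
        raise ValueError("shares must come from different x coordinates")
    slope = (y2 - y1) * pow(x2 - x1, -1, P) % P   # rise over run, mod P
    return (y1 - slope * x1) % P                  # the Y-axis intercept


def slope_consistent_with(share, guessed_key):
    """For any guess at the key there is a line through a single share that
    also passes through that guess, so one holder learns nothing. Contrast the
    'give each person 64 bits' split, where one holder already has half the key."""
    x, y = share
    return (y - guessed_key) * pow(x, -1, P) % P


if __name__ == "__main__":
    key = secrets.randbits(128)
    a, b = split_key(key)
    assert recover_key(a, b) == key
    print("recovered key:", hex(recover_key(a, b)))
```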

Marge: Homer! There’s someone here who can help you…
Homer: Is it Batman?
Marge: No, he’s a scientist.
Homer: Batman’s a scientist!
Marge: It’s not Batman!

Thursday, 14 September 2006

Wiretapping, No Warrant Needed !

Only In America. Surely. I Hope.

The Senate Judiciary Committee approved a bill that not only authorizes, but extends, US warrantless wiretapping. No accountability. No oversight. No definition of 'terrorist.'

See the full story here.

My opinion? The beginning of a very slippery slope ...

Barney: Hello, my name is Barney Gumble, and I’m an alcoholic.
Lisa: Mr Gumble, this is a girl scouts meeting.
Barney: Is it, or is it you girls can’t admit that you have a problem?

Thursday, 7 September 2006

Bump Keys

It seems that the public in the US and the UK are now becoming aware of ‘Bump Keys’. This information has been public knowledge in countries such as Germany for quite a while; I personally was first exposed to them a few months ago during a security training course. Basically a Bump Key is a key that is cut shorter and with the cuts deeper than normal. The key can then be inserted in a lock, tapped with a hammer and the door opens.

There are two major issues here: Firstly the fact that these Bump keys can open almost any lock, and secondly the fact that there is no evidence of them being used. This could mean that your insurance company believes that the original key was used to open the lock and then refuses to pay out.

Here is a link to the video that shows how Bump Keys work. It’s the one that I saw myself a while ago, I believe it is German in origin but it is subtitled in English.

Apparently locks made by Medeco and Abloy are resistant to the Bump Keys. I am not sure if these are available in the UK however. I guess it just goes to show that the criminals are always one step ahead and all we can do is play catch up as best we can ...

I believe the first time this technique was published was in the Chaos Computer Club magazine in 2005. Certainly this is the earliest reference I can find. The best article I can find on this subject is by Security Expert Marc Weber Tobias and is available on this link.

"Books are the quietest and most constant of friends; they are the most accessible and wisest of counsellors, and the most patient of teachers." - Charles W Eliot

Monday, 4 September 2006

Incredible Guitar Playing

Have a look at this. Awesome. This is the same song played by the guy who composed the arrangement. Even more Awesome !

“You know, the courts may not be working any more, but as long as everyone is videotaping everyone else, justice will be done.” - Marge Simpson

Thursday, 31 August 2006

Secure Session Keys

When setting up a secure connection across the internet, for example between your browser and your online banking site, the key used to create the encryption has to be negotiated ‘in the clear’. What would be the point of setting up an encrypted secure channel when the key had previously been sent across the network for anyone to see? Of course the key isn’t sent across the network, and the following document describes *very simply* how this key negotiation is done without the actual key being sent over the network, where of course it could be seen by anybody running Ethereal or similar network sniffing software.

The method shown below is based on the Diffie-Hellman Key Exchange which was first published in 1976. See NOTE at the end of this document.


The parts of the exchange that are transmitted openly across the network are shown in bold.

Client tells Server the starting number. This is a prime number generated at random.

Client tells Server:                STARTNUM = 5

Client then picks another random number that is not disclosed.

Client Secret Number:               CLI_SECNUM = 6

Client does the following maths:    STARTNUM^CLI_SECNUM = 5^6 = 15625

Client tells the Server:            CLI_PUBNUM = 15625

Server picks a random number that is not disclosed.

Server Secret Number:               SVR_SECNUM = 3

Server does the following maths:    STARTNUM^SVR_SECNUM = 5^3 = 125

Server tells the Client:            SVR_PUBNUM = 125

Client does the following maths:    SVR_PUBNUM^CLI_SECNUM = 125^6 = 3814697265625

Server does the following maths:    CLI_PUBNUM^SVR_SECNUM = 15625^3 = 3814697265625


The Client and Server now have a number (3814697265625), a key, that can be used to encrypt any further transmissions between them.

So the key that was calculated in public is secret and known only to the Client and Server. This works because exponentiation is not affected by the order in which the two powers are applied (power associative): (STARTNUM^CLI_SECNUM)^SVR_SECNUM = (STARTNUM^SVR_SECNUM)^CLI_SECNUM. It is virtually impossible for a third party, using the data available to it (5, 15625 and 125), to calculate the secret key, as it is missing the equally important data of 6 and 3 (the secret numbers).

In reality though, the real strength of this method lies in the size of the numbers that are used. Our example uses very small numbers so that the maths is easily checked; a real world example would use numbers that ran into the billions, depending on the bit length of the encryption used. The typical length of encryption used for this type of key exchange would be at least 512 bits.

NOTE: In actual fact the Diffie-Hellman Key Exchange works as shown above, with the addition of a second prime number used in conjunction with the STARTNUM; this second number is a primitive root modulo. I have avoided this in the calculations shown above for the sake of clarity.
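An added example, not part of the post: Python that reproduces the exchange above with the post's numbers, shows what the values sent in the clear give away when no modulus is used, and then runs the same steps in the standard form the NOTE refers to, with every power taken modulo a prime p and g a primitive root modulo p (p = 23, g = 5 are the usual textbook pair, assumed here).

```python
import secrets


def toy_exchange(startnum, cli_secnum, svr_secnum):
    """The post's exchange exactly as written: plain powers, no modulus.

    Returns what crosses the wire (CLI_PUBNUM, SVR_PUBNUM) and the number both
    sides end up with.
    """
    cli_pubnum = startnum ** cli_secnum            # Client -> Server
    svr_pubnum = startnum ** svr_secnum            # Server -> Client
    cli_key = svr_pubnum ** cli_secnum             # computed by the Client
    svr_key = cli_pubnum ** svr_secnum             # computed by the Server
    assert cli_key == svr_key                      # (g^a)^b == (g^b)^a
    return cli_pubnum, svr_pubnum, cli_key


def toy_secret_from_public(startnum, pubnum):
    """What a third party can do with the toy version: without a modulus the
    secret exponent is just 'how many times does STARTNUM divide PUBNUM',
    which is why the real scheme reduces everything modulo a large prime."""
    count = 0
    while pubnum > 1 and pubnum % startnum == 0:
        pubnum //= startnum
        count += 1
    return count if pubnum == 1 else None


def dh_exchange(p, g, cli_secnum=None, svr_secnum=None):
    """Standard Diffie-Hellman (added here, not from the post): the same steps
    with every power taken modulo the prime p, where g is a primitive root
    modulo p. Secrets default to random values in 1 .. p-2."""
    if cli_secnum is None:
        cli_secnum = 1 + secrets.randbelow(p - 2)
    if svr_secnum is None:
        svr_secnum = 1 + secrets.randbelow(p - 2)
    cli_pubnum = pow(g, cli_secnum, p)
    svr_pubnum = pow(g, svr_secnum, p)
    cli_key = pow(svr_pubnum, cli_secnum, p)
    svr_key = pow(cli_pubnum, svr_secnum, p)
    assert cli_key == svr_key
    return cli_pubnum, svr_pubnum, cli_key


if __name__ == "__main__":
    print(toy_exchange(5, 6, 3))        # (15625, 125, 3814697265625)
    print(toy_secret_from_public(5, 15625), toy_secret_from_public(5, 125))  # 6 3
    print(dh_exchange(23, 5, 6, 15))    # (8, 19, 2) with the textbook p=23, g=5
```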

“So then I said to the cop, ‘No, you’re driving under the influence … of being a jerk.’” - Lenny Leonard