It’s important to keep perspective when talking about Snakes, Spiders and Scorpions. After all, what have they got to gain from biting you? They can’t eat you! If they bite or sting it’s because they are defending themselves (some are more aggressive than others) and feel that you are a threat to them, which you could be: we can kill them, even by accident, far more easily than they can hurt us.
Spiders
Many spiders can give a painful bite but there are only four species that are dangerous to humans:
Sydney Funnel Web
Black Widow / Redback
Recluse Spider
Brazilian Wandering Spider
Although anyone who is allergic can die from a reaction to a bite, whether it be from a spider or anything else, the four listed above are the only ones that can kill humans due to the strength of their venom and our bodies’ reaction to it. As far as I can ascertain there have been no deaths from these spider bites since the easy availability of antivenom. If you are bitten:
Clean the wound
Apply a cold pack
Take a painkiller
Go to hospital - quickly !
It’s an interesting fact that the ‘big daddy’ of scary spiders, the Tarantula is actually harmless to humans and can make a great pet. A bee sting is likely to hurt more than the bite from this beast !
Snakes
Snake bites are extremely rare and hardly ever fatal. Even the most deadly snakes rarely inject enough poison to cause death. The most deadly snake, and the most dangerous snake are two entirely different concepts. Some of the snakes with the most toxic venom, ie: the most deadly, rarely bite people.
The Most Dangerous Snakes are those that kill the most people. The Asian Cobra and Russell's Viper probably kill most of the people who die of snake bite annually in the world.
If you are bitten:
Be Calm
Cover the wound
Bandage the limb tightly, starting nearest the heart
Immobilise the limb with a splint
Take painkillers, not aspirin
Get to hospital quickly
Scorpions
The chances of a scorpion sting being deadly are almost zero. For the worst cases antivenom is available. Some experts say there is no need to even visit a hospital following a scorpion sting. If you are stung follow the same procedures as for a spider bite.
Summary
Despite what I have said many people have an irrational fear of Spiders, Snakes and Scorpions. Personally I have a slight fear of spiders, but scorpions fascinate me (I’ve spent time in the Sahara searching under rocks and bushes for them!) and snakes don’t bother me either way. Understanding is the way to enlightenment some guy once said (was it Buddha?) and I hope the above was of interest to someone, and maybe dispelled a few myths ☺
Mr. Burns: Quick Smithers. Bring the mind eraser device!
Smithers: You mean the revolver, sir?
Mr. Burns: Precisely.
Friday, 22 June 2007
Dangerous Creepy Crawlies
Friday, 12 January 2007
Sending Email via Telnet
Pull up your Terminal program and run Telnet. I am using Terminal on my Mac, but on Windows XP use the CMD shell. At the prompt type the following:
>telnet mailserver 25 (mailserver is the name of your mailserver and may look something like this: mailgate.chollie.com)
After receiving the answer prompt, type:
>helo domainname (for example: helo chollie.com)
Following the response enter your email address:
>mail from: emailaddress (mail from sjc@chollie.com)
After the ‘250’ response you need to enter the recipient’s email address:
>rcpt to: emailaddress (rcpt to barney@rubble.com)
You’ll see a message confirming that the recipient is OK; you can now input your message.
>data (then press enter)
Type your email message and end it with a blank line followed by a single period (.) on a line by itself. The email server will confirm with a message that says something similar to ‘Message Accepted for Delivery’.
Type ‘quit’ to exit Telnet.
This may not be the most elegant way of sending an email but it is useful to know and can be used anywhere on any device that supports Telnet. It is also very useful to understand how the process works behind the scenes.
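The same session driven from Python rather than typed by hand, as an added example that is not the author's code: a small client sends exactly the commands listed above and checks each reply code before moving on, talking to a constructed stub server over an in-process socket pair so the whole exchange runs offline and both sides' lines are captured. The hostnames and addresses are the post's own examples; the 220 greeting, the 354 reply to DATA and the 221 reply to QUIT are standard SMTP (RFC 5321) and are not shown on the page. The client also "dot-stuffs" body lines, because a message line that itself begins with a period would otherwise be taken as the end-of-message marker.

```python
import socket
import threading

# Names taken from the post's own examples; the server banner is made up.
# Nothing here contacts a real mail server: the "server" is an in-process stub.
HELO_DOMAIN = "chollie.com"
SENDER = "sjc@chollie.com"
RECIPIENT = "barney@rubble.com"


def fake_smtp_server(conn, transcript):
    """Stub MTA that answers the handful of commands the manual session uses.
    Every line in either direction is appended to `transcript` (S: or C: prefix)."""
    reader = conn.makefile("rb")

    def reply(line):
        transcript.append("S: " + line)
        conn.sendall((line + "\r\n").encode("utf-8"))

    reply("220 mailgate.chollie.com ESMTP demo ready")  # the greeting is sent unprompted
    in_data = False
    for raw in reader:
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        transcript.append("C: " + line)
        if in_data:                          # inside DATA only a lone '.' is a command
            if line == ".":
                in_data = False
                reply("250 Message accepted for delivery")
            continue
        upper = line.upper()
        if upper.startswith(("HELO ", "EHLO ")):
            reply("250 mailgate.chollie.com Hello")
        elif upper.startswith("MAIL FROM:"):
            reply("250 Sender OK")
        elif upper.startswith("RCPT TO:"):
            reply("250 Recipient OK")
        elif upper == "DATA":
            reply("354 End data with <CR><LF>.<CR><LF>")
            in_data = True
        elif upper == "QUIT":
            reply("221 Bye")
            break
        else:
            reply("500 Command not recognised")
    reader.close()
    conn.close()


def send_message(sock, helo_domain, sender, recipient, body_lines):
    """Client side: the commands you would type into telnet, with each reply code
    checked before the next command goes out. Returns the reply to the message."""
    reader = sock.makefile("rb")

    def send(cmd):
        sock.sendall((cmd + "\r\n").encode("utf-8"))

    def expect(code):
        line = reader.readline().decode("utf-8", "replace").rstrip("\r\n")
        if not line.startswith(code):
            raise RuntimeError(f"expected {code}, server said {line!r}")
        return line

    def step(cmd, code):
        send(cmd)
        return expect(code)

    expect("220")                            # wait for the greeting before typing anything
    step(f"helo {helo_domain}", "250")
    step(f"mail from: <{sender}>", "250")
    step(f"rcpt to: <{recipient}>", "250")
    step("data", "354")
    for line in body_lines:
        # dot-stuffing: a body line beginning with '.' is sent with an extra '.'
        send("." + line if line.startswith(".") else line)
    send("")                                 # blank line, then '.' on its own, ends the message
    accepted = step(".", "250")
    step("quit", "221")
    reader.close()
    return accepted


def run_demo(body_lines=("Subject: hello", "", "Hi Barney,", "see you at the quarry.")):
    """Connect client and stub server over an in-process socket pair; return
    (final reply to the message, full transcript of both sides)."""
    client_end, server_end = socket.socketpair()
    transcript = []
    server = threading.Thread(target=fake_smtp_server, args=(server_end, transcript))
    server.start()
    try:
        accepted = send_message(client_end, HELO_DOMAIN, SENDER, RECIPIENT, list(body_lines))
    finally:
        client_end.close()
        server.join()
    return accepted, transcript


if __name__ == "__main__":
    result, log = run_demo()
    print("\n".join(log))
    print("final reply:", result)
```

Against a real mail server today the same script would normally be refused at the `rcpt to:` step with a 5xx reply unless you authenticate first, because servers no longer relay mail for arbitrary senders; the shape of the exchange is unchanged, which is why the manual session is still worth knowing.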
"Enquire not what boils in another's pot." - Thomas Fuller
Sunday, 31 December 2006
Computer Crime, UK Laws
Here in the UK computer crime is covered by The Computer Misuse Act of 1990. You can read the details here.
As of November 2006 an update to this law has been passed that makes it illegal to launch a DOS (Denial of Service) attack within the UK. Details of the update can be found here.
Further interesting details on UK Computer Law can be found by following this link.
The Data Protection Act of 1998 and the Regulation of Investigatory Powers Act 2000 may also be of interest.
"It is not giving children more that spoils them; it is giving them more to avoid confrontation." - John Gray
Pen Testing Methodologies
There are three methodologies that are used by Penetration Testers. The methodology is usually selected by the client depending on their requirements. The three methodologies are:
White Box Model
Black Box Model
Grey Box Model
With the White Box Model the Pen Tester is given details of the technology in use by the company, the network topology etc. and given permission to interview and liaise with the employees and IT staff.
The Black Box Model is the exact opposite: the tester is usually given no information other than the name of the company, and the staff of the company are not even told that the Pen Tests are being conducted.
The Grey Box Model is a hybrid of the two previous models, some information will be given to the Pen Tester but not a lot. This will depend on the client as to what information they wish to give.
"So, let us not be blind to our differences - but let us also direct attention to our common interests and to the means by which those differences can be resolved." - John F Kennedy
Friday, 22 December 2006
OOP Classes and Inheritance
A Class is a user-defined reference type that encapsulates data and is controlled through programming constructs called Properties, Constructors, Methods and Events. The Class encapsulates data such as Constants and Fields.
To work with a Class you create an *Instance* of a Class called an *Object*. An Object can be thought of as a ‘live’, ‘active’ version of a Class. A Class can effectively be thought of as the blueprint of an Object.
Generally you work with members of the Object (Methods, Events etc.); you can, however, work with some members of the Class itself, which are called Static Members.
From the one Class many Objects can be created; each is totally self contained and has its own values. The members of an object are:
Properties
Methods
Fields
Events
The members are stored on the *Heap* and a pointer within the Object contains a *Reference*, the memory location of that particular piece of data.
Inheritance allows you to create a new Class using an existing Class as a template. The inherited Class is called the Derived Class and the original Class is called the Base Class. The Derived Class can then be extended to include additional functionality that was not available within the Base Class.
Inheritance is one of the cornerstones of Object Oriented Programming.
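The vocabulary above worked through in Python, as an added example that is not taken from the post: a base class with fields, a constructor, a property, methods, a static member and a simple event; a derived class that inherits all of it and adds functionality; and a function showing that objects created from one class are independent while two names bound to the same object refer to one piece of heap data. The bank-account classes are invented for the illustration.

```python
class BankAccount:
    """Base class: the blueprint from which account objects are created."""

    accounts_opened = 0          # static member: one value on the class, shared by every instance

    def __init__(self, owner, opening_balance=0.0):      # constructor
        self._owner = owner                              # fields: per-object data
        self._balance = float(opening_balance)
        self._handlers = []                              # subscribers to the "changed" event
        BankAccount.accounts_opened += 1

    @property
    def balance(self):                                   # property: read access to a field
        return self._balance

    def on_change(self, handler):                        # event: register a callback
        self._handlers.append(handler)

    def _notify(self, kind, amount):                     # raise the event to each subscriber
        for handler in self._handlers:
            handler(self, kind, amount)

    def deposit(self, amount):                           # method
        if amount <= 0:
            raise ValueError("deposit must be positive")
        self._balance += amount
        self._notify("deposit", amount)
        return self._balance

    def withdraw(self, amount):
        if amount > self._balance:
            raise ValueError("insufficient funds")
        self._balance -= amount
        self._notify("withdraw", amount)
        return self._balance

    def describe(self):
        return f"{type(self).__name__} of {self._owner}: {self._balance:.2f}"


class SavingsAccount(BankAccount):
    """Derived class: inherits every member above and adds interest handling."""

    def __init__(self, owner, opening_balance=0.0, rate=0.02):
        super().__init__(owner, opening_balance)         # run the base constructor first
        self.rate = rate

    def add_interest(self):                              # new functionality not in the base
        return self.deposit(self._balance * self.rate)

    def withdraw(self, amount):                          # override: tighten the base behaviour
        if amount > 500:
            raise ValueError("savings withdrawals are capped at 500 per transaction")
        return super().withdraw(amount)


def reference_demo():
    """Two objects from one class are independent; two names bound to one object are not."""
    fred = BankAccount("Fred", 100)
    barney = BankAccount("Barney", 100)
    alias = fred                 # no copy is made: alias refers to the same heap object as fred
    alias.deposit(50)
    return fred.balance, barney.balance, alias is fred


if __name__ == "__main__":
    acct = SavingsAccount("Wilma", 1000, rate=0.05)
    acct.on_change(lambda a, kind, amt: print(f"event: {kind} {amt:.2f} -> {a.describe()}"))
    acct.add_interest()
    print(reference_demo(), "accounts opened:", BankAccount.accounts_opened)
```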
"The shoe that fits one person pinches another; there is no recipe for living that suits all cases." - Carl Jung
Friday, 15 December 2006
SSCP: Quantitative Risk Analysis
Here are some terms and calculations for Quantitative Risk Analysis as used with the Risk, Response and Recovery Domain of the SSCP CBK.
EXPOSURE FACTOR (EF)
  Unit: % (percentage)
  Harm or loss caused by a presumed successful attack/threat

SINGLE LOSS EXPECTANCY (SLE)
  Unit: £ (monetary value)
  SLE = Asset Value * EF

ANNUAL RATE OF OCCURRENCE (ARO)
  Unit: probability
  Probability of the risk occurring; 1.0 = guaranteed to happen

ANNUAL LOSS EXPECTANCY (ALE)
  Unit: £ (monetary value)
  ALE = ARO * SLE

RETURN ON INVESTMENT (ROI)
  Unit: ratio (* 100 = ROI %)
  ROI = Annualised Cost of Countermeasures (Risk Mitigation) / ALE
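The five rows above carried through in Python for one asset, as an added example (not from the SSCP CBK or the author) with invented figures. It computes ROI % exactly as the table defines it (countermeasure cost / ALE, times 100) and, beside it, the net-benefit form (ALE before minus ALE after minus annual cost) that other SSCP/CISSP material uses to decide whether a countermeasure pays for itself; the two answer different questions, so both are shown.

```python
def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = Asset Value * EF. EF is given as a fraction (0.4 means 40% of the asset is lost)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle, aro):
    """ALE = ARO * SLE. ARO is the expected number of occurrences per year (1.0 = guaranteed)."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return aro * sle


def roi_percent_as_tabulated(annual_countermeasure_cost, ale):
    """ROI % exactly as the table above defines it: countermeasure cost / ALE, times 100."""
    if ale == 0:
        raise ValueError("ALE is zero: there is no expected loss to offset")
    return annual_countermeasure_cost / ale * 100


def countermeasure_net_benefit(ale_before, ale_after, annual_countermeasure_cost):
    """Cost/benefit form used in other SSCP/CISSP material: (ALE before) - (ALE after) - cost.
    A positive result means the countermeasure saves more per year than it costs."""
    return ale_before - ale_after - annual_countermeasure_cost


def risk_worksheet(asset_value, exposure_factor, aro_before, aro_after, annual_countermeasure_cost):
    """Carry one asset through every row of the table and return the figures together."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale_before = annual_loss_expectancy(sle, aro_before)
    ale_after = annual_loss_expectancy(sle, aro_after)   # same SLE, lower ARO after mitigation
    return {
        "SLE": sle,
        "ALE_before": ale_before,
        "ALE_after": ale_after,
        "ROI_percent_as_tabulated": roi_percent_as_tabulated(annual_countermeasure_cost, ale_before),
        "net_benefit": countermeasure_net_benefit(ale_before, ale_after, annual_countermeasure_cost),
    }


if __name__ == "__main__":
    # Constructed figures: a £50,000 asset, 40% lost per incident, one incident every
    # four years, and a £2,000/year control expected to stretch that to one in eight years.
    for name, value in risk_worksheet(50_000, 0.40, 0.25, 0.125, 2_000).items():
        print(f"{name:>26}: {value:,.2f}")
```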
"The best way to keep one's word is not to give it." - Napoleon Bonaparte
Tuesday, 12 December 2006
Some Notes on IP Addressing ...
I have cobbled together these notes that explain some of the finer points regarding IP Addressing.
IP Addresses
An IP Address is split into a Network Portion and a Host Portion
Host Numbers cannot be Zero or 255. All Zeros in the Host portion refers to the network itself (for example 54.0.0.0); all Host bits set to 255 is the Broadcast Address. For Network 203.176 the Broadcast Address is 203.176.255.255.
A Class A Network allows 16,777,216 Hosts
A Class B Network allows 16,384 Hosts
A Class C Network allows 254 Hosts
Looking at the first octet of the 32 bit address you can determine what class of address it is: A value of 126 or less means that you are looking at a Class A address, 127 is the loopback address, 128 through 191 is a Class B address and 192 through 223 is a Class C address. Numbers above 223 are reserved.
The chart below shows this in an easily digestible format:
First octet   Class
1 - 126       Class A
128 - 191     Class B
192 - 223     Class C
RFC 1918 gives the address range 192.168.XXX.XXX as available to anybody to use for private LAN networking. In addition the 10.XXX.XXX.XXX network and 172.16.XXX.XXX networks are also available for private use. These addresses will not work on the internet as they are non routable.
Subnet Masks:
255.0.0.0 Class A
255.255.0.0 Class B
255.255.255.0 Class C
Classless Internetwork Domain Routing (CIDR)
CIDR Networks are described as Slash X Networks. X is the number of bits in the IP Address range that ICANN controls, you get what's left. For example a Class C is known as a Slash 24 Network since ICANN has the left most 24 Bits and you have the right most 8 Bits. See examples below:
Prefix (bits ICANN holds)   Subnet Mask
Slash 8                     255.0.0.0
Slash 16                    255.255.0.0
Slash 24                    255.255.255.0
Slash 28                    255.255.255.248
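The classful rules, the RFC 1918 check and the CIDR mask expansion above, worked through with Python's standard `ipaddress` module as an added example that is not the author's code. The sample addresses are constructed (the 54.x and 203.176.x examples are borrowed from the post). Two checks worth running: `usable_hosts(16)` returns 65,534 for a Class B and `usable_hosts(8)` returns 16,777,214 for a Class A (2 to the power of the host bits, minus the network and broadcast addresses), and `subnet_mask(28)` returns 255.255.255.240, with 255.255.255.248 being the mask of a /29. The RFC 1918 check uses the exact blocks the RFC defines, so 172.16.0.0 through 172.31.255.255 are private but 172.32.0.0 is not.

```python
import ipaddress

# RFC 1918 private blocks, written as the exact CIDR ranges the RFC defines
RFC1918_BLOCKS = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}   # the default "slash" length of each class


def address_class(addr):
    """Classful category from the first octet, following the ranges in the chart above."""
    first = int(ipaddress.ip_address(addr)) >> 24
    if first == 0:
        return "reserved"          # 0.x.x.x means "this network"
    if first < 127:
        return "A"
    if first == 127:
        return "loopback"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "reserved"              # 224-239 multicast (class D), 240-255 experimental (class E)


def subnet_mask(prefix):
    """Dotted-quad mask for a /prefix network, e.g. 24 -> 255.255.255.0."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def usable_hosts(prefix):
    """Host addresses you can actually assign: 2^(host bits) minus the all-zeros (network)
    and all-ones (broadcast) addresses. /31 and /32 leave nothing under this rule."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return max(2 ** (32 - prefix) - 2, 0)


def network_and_broadcast(addr, prefix):
    """Network (host bits all zero) and broadcast (host bits all one) for addr/prefix."""
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address), str(net.broadcast_address)


def is_rfc1918(addr):
    """True when addr falls inside one of the three private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


def describe(addr):
    """Pull the pieces together for one address under classful rules."""
    cls = address_class(addr)
    info = {"address": addr, "class": cls, "rfc1918": is_rfc1918(addr)}
    if cls in CLASSFUL_PREFIX:
        prefix = CLASSFUL_PREFIX[cls]
        network, broadcast = network_and_broadcast(addr, prefix)
        info.update(prefix=prefix, mask=subnet_mask(prefix), usable_hosts=usable_hosts(prefix),
                    network=network, broadcast=broadcast)
    return info


if __name__ == "__main__":
    for sample in ("54.1.2.3", "127.0.0.1", "172.20.0.9", "203.176.10.20", "230.0.0.1"):
        print(describe(sample))
    for prefix in (8, 16, 24, 28, 29):
        print(f"/{prefix}: mask {subnet_mask(prefix)}, {usable_hosts(prefix):,} usable hosts")
```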
"Do not trust all men, but trust men of worth; the former course is silly, the latter a mark of prudence." - Democritus
Monday, 11 December 2006
Securing the Network: 14
Securing The Network
The Final Post on Corporate Security Issues for the Non Technical
This post covers:
Employee Education
Security Testing
Summary
Employee Education
Good security is impossible to implement without the cooperation of the users and employees.
To this end investment in security training and briefings is likely to pay dividends. Posters should be placed around the working area highlighting key information relating to security threats and reminding users of their responsibilities.
Security cannot be delegated to one department and each and every user should understand that they have a part to play. Training and education for the users in basic security threats should be mandatory.
A lot of excellent material, including leaflets and posters, is available from the Department of Trade and Industry (DTI) website.
Security Testing
To ensure that your security policies are enforced it will be necessary to implement Security Testing. Security Testing can be carried out in any and all of the following ways:
Drills
Penetration Testing
Query Employees
Review the Procedures
In many cases the only way to adequately test your security is through the use of a third-party company.
Summary
In this series of posts I have attempted to explain many of the Network Security concepts in layman’s terms, and to cover the majority of relevant topics.
I hope the information presented in this series of posts is of benefit to someone.
"If you can find a path with no obstacles, it probably doesn't lead anywhere." - Frank A Clark
Sunday, 10 December 2006
Securing the Network: 13
Securing The Network
A Post on Corporate Security Issues for the Non Technical
This post covers:
Disposal and Destruction
Employee Exit Procedures
Disposal and Destruction
It is a little known fact that even following a format, data can be recovered from your computer’s hard disk by a determined hacker. This makes it essential that when disposing of old computers, unless you physically destroy them, you must go to some lengths to make sure that the data that was contained on the computer cannot be recovered.
There are various methods that can be used to securely wipe the data from a hard disk. It is important that you select a method that offers the level of protection you require and then use it. Always.
Employee Exit Procedures
When an employee leaves the company, or announces their intention to leave, this should trigger a sequence of documented events that are related to the job they do or did. For example the series of steps to be taken when the IT Manager leaves are different to the series of steps to be taken when a Production Operative leaves.
This series of steps should incorporate the removal of their access card, token, key or any other device they have that can be used to gain physical access to your premises.
Their access to the computer network via remote means should also be removed and any access to confidential data prior to their departure should be logged.
Each and every employee should have an exit interview where their responsibilities to the company are discussed as are any restrictions that are placed upon them contractually.
"You're only given a little spark of madness. You mustn't lose it." - Robin Williams
Securing the Network: 12
Securing The Network
A Post on Corporate Security Issues for the Non Technical
This post covers:
Social Engineering
Disaster Recovery and Business Continuity
Social Engineering
‘The art and science of getting people to comply to your wishes’ (Source: Bernz 2), ‘an outside hacker’s use of psychological tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to the system’ (Source: Palumbo), or ‘getting needed information (for example, a password) from a person rather than breaking into a system’ (Source: Berg).
In reality, social engineering can be any and all of these things, depending upon where you sit. The one thing that everyone seems to agree upon is that social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system. (Source: Sarah Granger)
Social Engineering is probably one of the biggest threats we face in security and the one we can protect against the least. We have to rely on our employees to question and be vigilant. To do that we need to make them aware of security and the issues surrounding it. See the section on Employee Education.
Reverse Social Engineering.
This is where the attacker assumes a position of authority and gets the victim to freely offer information and ask advice. This requires a high level of skill, preparation and research.
Disaster Recovery and Business Continuity
A Disaster Recovery and Business Continuity plan is essential. If the worst happens you want to be able to refer to a document that covers the steps to take to enable you to be back up and running without delay.
The scope of DR and BC could encompass everything from a server crashing and data being lost, to the building going up in flames.
Many companies have a ‘cold’, ‘warm’ or ‘hot’ site standing by to be used in the eventuality of the main place of work being destroyed through fire, flood, terrorist activity or something similar.
A Cold Site generally refers to an empty building, a Warm Site refers to a building with maybe desks and networking and a Hot Site refers to a building that is fully fitted with everything including computer systems, ready to have the backups loaded and be up and running in a very short space of time.
Definitions
Disaster Recovery Plan: Provides procedures for recovering from a disaster after it occurs and also documents how to return the normal IT functions back to the business.
Business Recovery Plan: Addresses how business functions will resume after a disaster, preferably at an alternate site.
Business Resumption Plan: This addresses how critical systems and the functions of the business will be maintained.
Contingency Plan: This addresses what actions can be performed with regard to the normal business activities after a disaster.
"Live neither in the past nor in the future, but let each day's work absorb your entire energies, and satisfy your widest ambition." - Sir William Osler