Wednesday, March 28, 2007

Another Cup of Cocoa: Responsibility

MySpace, YouTube, Web 2.0: there is so much happening and available out there. It is all exciting, and so many possibilities are opening up.

The freedom of the Internet and the web works both ways. The same technology that lets you explore web sites on the other side of the world allows anyone in the world to attack your system and steal from you.

In the real world people choose where to go and can avoid areas where the "criminal element" tends to hang out, or, if in a less reputable neighborhood, can at least be aware of their surroundings. On the Internet it isn't quite as intuitive, but there are steps that should be taken.

First, everyone must take responsibility for themselves, just as we lock our doors and put our seat belts on in the car.

As stated before, hardware firewalls, software firewalls, and anti-malware software should be installed and kept updated.

McAfee SiteAdvisor works on both Internet Explorer and Firefox and can provide a warning when you wander into a "bad" site; better yet, it posts warnings on Google search listings to warn you before an actual visit.

JavaScript has contributed greatly to the look and feel of the web today, but while many sites use it, on many it is not necessary. JavaScript is powerful enough to be used for malicious purposes as well, including drive-by downloads. With Internet Explorer, script control is all or nothing: scripting is either on or off for a site (via its security zone), with no say over which of the scripts on a page get to run. Firefox with the NoScript add-on allows more granular control, down to which script sources are allowed within a single web page.

Stay tuned for the next Cup Of Cocoa post about "sandboxing" to help contain malware. Until next time remember:
In view of all the deadly computer viruses that have been spreading lately, Weekend Update would like to remind you: when you link up to another computer, you're linking up to every computer that that computer has ever linked up to.
— Dennis Miller

Tuesday, March 27, 2007

A Travel Cup of Hot Cocoa: Defense in depth

Everyone likes to keep their hot Cocoa hot, so travel mugs are insulated and have a lid to help keep it hot. Yes, the lid keeps the cocoa in the mug as well, but you can argue that keeping more in the mug helps keep the heat in ;-)

Which brings me to the topic at hand: defense in depth for the PC.
If it was made by man, it can be hacked and cracked by man.
- Anonymous
Absolutely nothing is foolproof! On the other hand, several good defenses layered together will slow down or dissuade an attacker.

Hardware Firewall

A hardware firewall should be configured to allow only outgoing traffic and the responses to that traffic. Fortunately this is the default. Any wireless should be configured for security, which is not the default. You don't want your neighbor unintentionally, or intentionally, causing you harm. Then there are the war drivers looking for free access, or for anonymity while committing crimes that point back to you.

Software Firewall

Yes, this should be running even if it is not a laptop that travels outside your network. One area of concern with Windows firewalls: for ease of use and compatibility, much greater trust is placed in the local network, and that trust can be used against your machine while you enjoy your Cup of Cocoa at the local WiFi hotspot, where the "local network" is everyone else in the cafe.

Anti-Malware

Both anti-spyware and anti-virus should be running and kept up to date.

Windows work Both Ways

The average web browser shows off the baubles of the internet, but at the same time, by default and for your viewing pleasure, lets remote sites run content, including scripts, on your computer.

Internet Explorer is infamous for being the weak link used by many exploits. Firefox has a better default security stance, but it is not perfect. Firefox also has a quicker turnaround on security fixes.

McAfee SiteAdvisor

SiteAdvisor (http://www.siteadvisor.com) will flag sites that can cause grief if visited. It has an icon that shows the current site's rating, with access to the details behind it. Additionally, Google searches will show the SiteAdvisor graphic next to each search result.

There is still a free version, and there are plug-ins for both IE (http://www.siteadvisor.com/download/ie.html) and Firefox (http://www.siteadvisor.com/download/ff.html).

NoScript (http://noscript.net/) is a Firefox add-on that provides granular control over scripts. In a nutshell, any web page that is visited may pull content and scripts from other web sites and servers. Without NoScript there are only two options: allow all scripts on the page, or allow none. NoScript allows or disallows scripts based on the site they come from. It is quite flexible and even allows temporary permission to run scripts, in addition to whitelisting and blacklisting.

NoScript (http://noscript.net/) is highly recommended.

Monday, March 26, 2007

Credit vs. Debit

Is a credit card better than a debit card, or vice versa?

In the US the credit card wins hands down. By federal law (the Fair Credit Billing Act) your liability for fraudulent credit card charges is capped at $50, and while a charge is disputed it is the bank's money that is tied up, not yours. Debit cards are covered by a different law (the Electronic Fund Transfer Act) whose protection is weaker: your liability depends on how quickly you report the loss, and until the dispute is resolved the money is missing from your own account. Running a debit card "as credit" at the register does not change which law applies.

A short, and unfortunately true, story to illustrate the issues with a debit card.

A man goes through a fast-food drive through and pays with his debit card. The cashier hands back his debit card, which is put back into his wallet for safe keeping.

The next day the man receives a call from his bank. His account is overdrawn by several hundred dollars. After a brief discussion it becomes apparent that multiple purchases were made with his debit card after the man used his card at the fast food drive-through window.

The bank explains that the card was stolen; the man disagrees, but finally takes his card out of his wallet. Right bank, right kind of debit card, but not his name or number. It is a card that had been reported stolen. The cashier at the fast food place switched the cards...

An expensive way to learn that debit cards do not carry the protection credit cards do.

Best Practices:

  • Only use your debit card at your bank's ATM.
  • Use your credit card for purchases.
  • Your spouse or significant other should use a credit card with a different account/card number* on it.

* Most banks will issue a different card number for each card issued on an account. This allows tracking who spent what, and replacing one lost or stolen card while still being able to use the other card(s).

The Band-aid Approach

There was a comment posted asking why I was against the approach of shuffling buffers around in my post entitled Exploit Longevity (http://sec-soapbox.blogspot.com/2007/03/exploit-longevity.html).

Before I can answer I need to make sure that we have a common understanding of buffers and buffer overflows.

What is a Buffer?

A buffer is a fixed-size region of memory where a program stores data that changes, most often input. Every time a web site address is typed into a web browser, the address is stored in a buffer.

What is a Buffer Overflow?

Buffers do not have unlimited size, and that fact can be exploited by giving the program more data than the buffer can hold, so that it overflows into the memory next to it. When a buffer is overflowed one of two things usually happens: the program crashes, or it runs what the perpetrator wants it to.

When the program crashes that is a Denial of Service (DoS) attack.

When the program executes what the attacker intended, that is an exploit. For a little more meat (a slightly more technical explanation): the overflow overwrites the saved return address that sits past the buffer on the stack, so when the function returns it jumps to an address of the attacker's choosing. Since that address is rarely known exactly, the attacker usually precedes the exploit code with a long run of NoOp* instructions, a "NoOp slide" (NOP sled): as long as the jump lands anywhere in the run, execution "slides down" the NoOps into the exploit code.

Is Moving the Buffer a Cure?

Consider finding out that someone with the right tool, a "slim jim," can open your car door and steal the car. The manufacturer has all the cars modified to move the "weak link" over 5 inches, but not to protect it. Since everyone knows about the fix, it takes car thieves a short time to adjust and continue stealing cars.

Of course its different with software patches... Not.

For the attacker such a patch is simply the instruction manual for finding the new location of the buffer.

In essence this type of patch is a band-aid not a cure.

* A single-byte machine instruction (NOP, for "no operation") that does nothing. Originally used to patch instructions out of machine code without having to rewrite and reassemble major portions of the program.

To recap: what a buffer overflow is, what prevents one, and why moving a buffer isn't a fix. With securely written programs, ones that check the size of their input before storing it, buffer overflows can't happen.
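To make the overflow and its fix concrete, here is an added C example (mine, not code from the original post): a function that copies its input into a fixed 16-byte stack buffer with strcpy, beside a bounded version that rejects input that does not fit instead of letting it spill past the buffer. The helper check_input and the sample inputs are constructed for the illustration; the long input is deliberately never passed to the vulnerable function, because doing so would smash the stack.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Vulnerable: copies its argument into a 16-byte stack buffer with no
 * bound. Anything longer than 15 characters (plus the terminator) runs
 * past the buffer into whatever the compiler placed after it, typically
 * saved registers and the saved return address. Never call this with
 * untrusted input; it is here only to show the shape of the bug. */
void vulnerable_copy(const char *src)
{
    char buf[BUF_SIZE];
    strcpy(buf, src);                 /* no length check: the overflow */
    printf("vulnerable_copy got: %s\n", buf);
}

/* Fixed: the copy is bounded by the destination size, and input that does
 * not fit is rejected outright rather than truncated or allowed to spill.
 * Returns 0 on success, -1 if src does not fit in dst. */
int safe_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    if (dstsize == 0)
        return -1;
    if (n >= dstsize) {               /* need one byte for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);          /* n bytes plus the terminator */
    return 0;
}

/* Hypothetical helper (constructed for this example): validate one input
 * against a BUF_SIZE buffer the way a program should before storing it.
 * Returns safe_copy's result: 0 if it fit, -1 if it was rejected. */
int check_input(const char *src)
{
    char buf[BUF_SIZE];
    return safe_copy(buf, sizeof buf, src);
}

int main(void)
{
    /* Constructed inputs: one that fits, one long enough to overflow. */
    const char *short_input = "cocoa";
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 bytes */

    vulnerable_copy(short_input);     /* fits, so this call is harmless */
    /* vulnerable_copy(long_input) would smash the stack; deliberately not run. */

    printf("check_input(short) = %d\n", check_input(short_input)); /* 0 */
    printf("check_input(long)  = %d\n", check_input(long_input));  /* -1 */
    return 0;
}
```

The point of the comparison is that the fix in safe_copy does not depend on where buf sits in memory: whether the compiler or a "patch" moves the buffer five bytes or five inches, the length check rejects the 40-byte input, while vulnerable_copy is exploitable at any address.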

Tuesday, March 20, 2007

Exploit Longevity

Ever notice how some exploits just seem to stay around forever?

There is actually a simple, but in my opinion ugly, explanation for this. As usual an example can be worth a thousand words, and I’m going to use rpc18.c as an example:

//////////////////////////////////////////////////////
//
// Windows RPC DCOM Remote Exploit with 18 Targets
// by pHrail and smurfy + some offsets by teos
//
// Targets:
// 0 Win2k Polish nosp ver 5.00.2195
// 1 Win2k Polish +sp3 ver 5.00.2195
// 2 Win2k Spanish +sp4
// 3 Win2k English nosp 1
// 4 Win2k English nosp 2
// 5 Win2k English +sp1
// 6 Win2k English +sp2 1
// 7 Win2k English +sp2 2
// 8 Win2k English +sp3 1
// 9 Win2k English +sp3 2
// 10 Win2k English +sp4
// 11 Win2k China +sp3
// 12 Win2k China +sp4
// 13 Win2k German +sp3
// 14 Win2k Japanese +sp2
// 15 WinXP English nosp ver 5.1.2600
// 16 WinXP English +sp1 1
// 17 WinXP English +sp1 2
// 18 WinXP English +sp2
//
/////////////////////////////////////////////////////////

Notice that targets 3-10 are all English versions of Windows 2000 and 15-18 are all English versions of Windows XP. Each target is a different service pack level, yet the same exploit code works on all of them, so the underlying bug must be the exact same one in every build. But wait, there is more. The next section below shows the per-target offsets.

The bytes in quotes on each line are the address the exploit uses for that particular build: the value it writes over the saved return address so that execution lands where the attacker wants. That address points into a system DLL, and each service pack and language edition ships a slightly different build of the DLL, so the address moves from build to build. (Target 11's value, \x44\x43\x42\x41, is just the letters "DCBA", a placeholder where the exploit's authors had no real address yet.) The troubling part is what this table represents: the vulnerable code survived unchanged across service pack after service pack, all that changed between builds was where things sat in memory, and the exploit writers simply added a row per build. As rpc18.c shows, rearranging memory without fixing the bug is not an effective defense.

/* Myam add OFFSETS*/
char win2knosppl[] = "\x4d\x3f\xe3\x77"; /* polish win2k nosp ver 5.00.2195*/
char win2ksp3pl[] = "\x29\x2c\xe4\x77"; /* polish win2k sp3 - ver 5.00.2195 tested */
char win2ksp4sp[] = "\x13\x3b\xa5\x77"; /* spanish win2k sp4 */
char win2knospeng1[] = "\x74\x16\xe8\x77"; /* english win2k nosp 1 */
char win2knospeng2[] = "\x6d\x3f\xe3\x77"; /* english win2k nosp 2 */
char win2ksp1eng[] = "\xec\x29\xe8\x77"; /* english win2k sp1 */
char win2ksp2eng1[] = "\x2b\x49\xe2\x77"; /* english win2k sp2 1 */
char win2ksp2eng2[] = "\xb5\x24\xe8\x77"; /* english win2k sp2 2 */
char win2ksp3eng1[] = "\x7a\x36\xe8\x77"; /* english win2k sp3 1 */
char win2ksp3eng2[] = "\x5c\xfa\x2e\x77"; /* english win2k sp3 2 */
char win2ksp4eng[] = "\x9b\x2a\xf9\x77"; /* english win2k sp4 */
char win2ksp3chi[] = "\x44\x43\x42\x41"; /* china win2k sp3 */
char win2ksp4chi[] = "\x29\x4c\xdf\x77"; /* china win2k sp4 */
char win2ksp3ger[] = "\x7a\x88\x2e\x77"; /* german win2k sp3 */
char win2ksp2jap[] = "\x2b\x49\xdf\x77"; /* japanese win2k sp2 */
char winxpnospeng[] = "\xe3\xaf\xe9\x77"; /* english xp nosp ver 5.1.2600 */
char winxpsp1eng1[] = "\xba\x26\xe6\x77"; /* english xp sp1 1 */
char winxpsp1eng2[] = "\xdb\x37\xd7\x77"; /* english xp sp1 2 */
char winxpsp2eng[] = "\xbd\x73\x7d\x77"; /* english xp sp2 */

Saturday, March 17, 2007

Cup of Hot Cocoa: Patch Warfare II

What to do?

First

Update your machines religiously on every Black Tuesday (the second Tuesday of the month, when Microsoft releases security patches). I don't trust Microsoft Update. I have seen too many machines that have it running and are still unpatched days after new patches are released. I know many of these machines were left running overnight to update. So my conclusion is that the Microsoft update services are overwhelmed by the sheer number of machines clamoring for updates.

Third Party Software

Microsoft has no mechanism to update non-Microsoft programs, and who doesn't have those? These must be kept up to date as well. Some offer automatic silent updates, some automatic notices of updates, and some nothing at all. Oh, I almost forgot about the automated update notice that is broken... I ran into this with several versions of Sun Java JRE.

Well, there is an option for some of the more popular software out there. Secunia Software's free online assessment, which I wrote about in How to Find Bad Apps (http://sec-soapbox.blogspot.com/2007/02/how-to-find-bad-apps.html), will scan your computer for vulnerable non-Microsoft applications.

Cruft

Not all applications clean up after themselves. Sun Java, for one, leaves old versions in place, which can be useful for the few who actually need multiple versions. For the rest of us it leaves known-vulnerable code installed on our systems and takes up disk space. I have more details, including how to automate the install and de-installation of Sun Java, posted here: Do you Java? (http://sec-soapbox.blogspot.com/2007/01/do-you-java.html).

Stay tuned for the next "Cup of Hot Cocoa" episode where I discuss defaults.

Friday, March 16, 2007

Cup of Hot Cocoa: Patch Warfare

Back in the day...

In the PC world patches were a rare thing. You purchased a program, and when the next version came out you either upgraded or didn't; end of story.

As programs became more complex and we actually began to use more of the growing set of features, we found bugs, and software companies began to supply patches. If I recall correctly (IIRC) most patches were actually a whole new install that you didn't have to pay for... well, maybe a small fee for the media (5 1/4 inch floppies) and shipping.

Most people and companies didn't bother installing patches unless they experienced an error that required the patch to be resolved.

Time and the world moved on, and before we knew it people actually started to break into computers. A whole new breed of patches appeared: security patches.

As the "dark side" evolved their techniques, patch management went from an anomaly, to a necessity, to the current arms race.

  • Vulnerabilities (http://www.answers.com/main/ntquery?s=vulnerability&gwp=13) are announced.
  • Exploits (http://www.answers.com/topic/zero-day-exploit) are found in the wild, or sold on "underground" auctions.

Patch warfare has become a reality. Companies must balance the risk of breaking business applications against the risk of vulnerable systems. Leaving systems unpatched is simply not an option anymore. Windows Survival Time (http://www.dshield.org/survivaltime.html) tracks how long an unpatched system lasts on the Internet before malware infects it, and for Windows that time tends to be only 40-60 minutes once connected.

Then there is a paper, Windows XP: Surviving the First Day (http://www.sans.org/reading_room/whitepapers/windows/1298.php), that has advice on how to patch a new system prior to connecting it to the world; and no, it is doubtful the system will survive long enough to finish the Windows on-line patch process before it is infected. I personally have had luck with this DIY Service Pack: Installing Windows updates without an internet connection (http://www.heise-security.co.uk/articles/80682/0) for updating new systems and ones that are missing patches.

Thursday, March 15, 2007

Why is Windows Insecure?

Consider the following quote for a minute:
Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted.
— Gene Spafford (in e-mail to organizers of a workshop on insider misuse)

I'd say reactions to this statement cover the whole range, from "Them's fightin' words" to laughter to agreement.

The fact of the matter is that Windows was born at a different time, to a proud papa that wanted the whole world to love his offspring. Windows was taught to be polite and play with others, even if Windows had to play dumb so that they could understand it.

Now back to reality. Windows was designed to be backwards compatible (who wants to buy something that breaks everything else?) and easy to set up and use. Ever break out of the password prompt on a Windows 9X machine and do whatever you want? How about break out of, and kill, the password-protected screen saver on the same machine? Both of these were trivial exploits that only required physical access.

Windows Vista is Microsoft's first attempt to drop the legacy weaknesses and create a secure operating system from the start.

I consider XP Service Pack 2 to be Microsoft's first real attempt to secure any Windows version, and XP is still the most exploited and abused operating system known to man.

XP Service Pack 2 was a step in the right direction. The jury is still out on Vista, although it may shape up into a hanging jury. ;-)

Monday, March 12, 2007

A Small Cup of Hot Cocoa

Less is More!

Less running or installed on your computer is more secure. With less running on your computer there are fewer attack vectors (http://searchsecurity.techtarget.com/sDefinition/0,290660,sid14_gci1005812,00.html).

To make sure we are all on the same page, consider that everything that is running on a computer is a potential weak point where the system can be compromised. Unnecessary or occasionally used programs should not be set to start when your computer starts or when you log in. Sun Java is a good example: the Java runtime does not need to start until a program actually needs it, so there is no reason for it to load at startup.

Some Things are *Not* Optional

This is not to say that nothing should be running; some things should be running because they specifically add security. Three that come to mind are personal firewalls, anti-virus and anti-spyware. Honestly, the line between the last two has been blurring and we should just have "anti-malware." Aside from the fact that there is no marketing value in malware and no one would buy it...

In keeping with the theme that more is less I won't do a deep dive on removing excess programs right now, but will look up some good references and post them in another blog entry.

Stay tuned for the next "Cup of Hot Cocoa" episode where I discuss patch warfare.

Friday, March 9, 2007

Light at the End of the Tunnel?

...or do I hear a train coming?

Microsoft has announced (http://www.microsoft.com/technet/security/bulletin/advance.mspx) that there will be no Black Tuesday (no security patches) this month. Have we finally turned the tide? I think not.

SANS Internet Storm Center keeps a list of known security vulnerabilities that are not patched, "The missing Microsoft patches." (http://isc.sans.org/diary.html?storyid=1940&dshield=5dcab42dbdd98865096b12b60165295c) So if it was a light month, why not catch up on unpatched vulnerabilities before another one becomes critical?

In my opinion Microsoft is giving battered IT workers a break due to their Daylight Savings Time (DST) patch requirements. The new US DST starts this weekend (three weeks earlier than previously).

The real problem is the herculean task required to upgrade all but the latest Microsoft products (Windows XP, 2003 Server and Exchange 2007). As an example, Windows 2000 requires manual registry settings, but that is not as bad as Exchange.

For any version prior to Exchange 2007 (and how many have run out and updated to that yet?) Microsoft supplies utilities that must be run against every Exchange user's mailbox. These utilities are resource intensive and have been causing total outages on Exchange at worst, and apparently intermittent outages on some servers.

While I don't claim to have insider information on all the companies running Exchange, what I have seen and heard all points to companies scrambling this week to be prepared for the time change.

You might think shame on the companies for waiting for the last minute, but on the other hand think about:
  • Lean and mean IT departments
  • Microsoft must be coming out with a less painful method...
Right now I don't know if I condone or condemn Microsoft's actions, but I do think in a perfect world a better course of action would have been to delay Black Tuesday by a week.

Thursday, March 8, 2007

Hot Cocoa

Based on my recent blog entry on insecure endpoints, "https is all I need, right?" (http://sec-soapbox.blogspot.com/2007/03/https-is-all-i-need-right.html), Joe of 2 Guys Named Joe (http://www.2gnj.com) wants to know how to determine if he is secure and if his information is already out there.

First, my warning: the Cocoa is very hot, so be careful that you do not burn your tongue. In other words, there is no silver bullet in security. My second warning is that since I have covered some of this previously I will reference previously written blog entries rather than reproduce them.

Balancing Act

One of the points to understand is that security is a process, not a goal. If it were a goal, then when your village/town/city was established the police would show up, secure it, and leave, and there would never be any crime. I don't think anyone would subscribe to that option.

On the other hand we can't have a police officer assigned to every person and building to provide 100% security and protection. But some institutions hire guards to protect valuable assets.

In computer security it is much the same. Too much security prevents people from getting anything done and will cause people to circumvent it (the sticky note on the monitor with the assigned password). There must be a balance between security and ease of use. Additionally there must be a balance between the value of an asset and the cost to protect it.

See Risk Options (http://sec-soapbox.blogspot.com/2007/03/risk-options.html) for additional details.

The Basic Goal

The best you can do is make sure you are not the easiest target. In short, unless there is a reason to target you, the dark side will tend to go after the "low hanging fruit." If a burglar is walking down the street looking for a house to burglarize they will tend to avoid the ones with an alarm in favor of one that doesn't have one.

See Predators and their Prey (http://sec-soapbox.blogspot.com/2007/01/predators-and-their-prey.html) for an old security joke and more details.

Passwords

Everyone hates passwords, but at the moment they are a fact of life. Everyone has to have passwords, and too many people use simple, easy to break passwords.

I subscribe to using a very long, complex password to protect your password database. See Anatomy of a Password (http://sec-soapbox.blogspot.com/2007/01/anatomy-of-password.html) for more information on complex, usable passwords.

I personally use Password Safe (http://passwordsafe.sourceforge.net/), but it is not the only option. See Password Tools (http://sec-soapbox.blogspot.com/2007/01/password-tools.html) for more information.

More to come


This is a complex topic and I will flesh it out with additional blog entries.

Wednesday, March 7, 2007

Black Tuesday, Wednesday, Thursday, etc.

MS Patching

Officially called Patch Tuesday, it is the second Tuesday of the month, the date on which Microsoft releases its patches for the month.

Many users, and small companies, have set their computers to update automatically. These computers check daily for updates and apply them as they are released. Or not...

It appears that the sheer volume of computers attempting to check for updates causes timeouts, which, again apparently, the computer treats as meaning there are no updates available.

Same Bat Time, Same Bat Place...

MS automatic updates all default to the same time of day, and most people never change the defaults. So each time zone pounds on the MS update servers, basically, in unison.

The Consequences

This is understandable from a programming perspective, but it leaves large numbers of computers set for automatic updates vulnerable after Patch Tuesday.

Wherever I find this issue I automatically manually run updates, and I have found this issue 3 and 4 days after Patch Tuesday.

It's the second Wednesday of the month; do you know where your computer's patches are?

Tuesday, March 6, 2007

Risk Options

Old, but still relevant.
Wisdom consists in being able to distinguish among dangers and make a choice of the least harmful.
— Niccolo Machiavelli, The Prince

Value vs. Cost

This is still one of the hardest aspects of security today. What are your different assets worth, and how much will you spend on protecting them? The difficulty arises when intangible assets are involved. How much is a customer list worth? What about credit card information?

For a corporation a $2,000 laptop is not a major asset, but when customer data resides on the laptop the value of the asset just increased. Now spending $1,000 on the laptop's security (physical lock-down cable, encryption, phone-home software, etc.) may be an acceptable cost.

On the other hand, when is risk transfer the best solution?

Consider the owners of rare gems and artwork. I bet every single one has an insurance policy that covers theft and destruction. While the owner would rather keep the object, some or all of the financial risk is transferred to the insurance company.

Monday, March 5, 2007

https is all I need, right?

Everyone talks about only sending your information over a secured connection when ordering or sending personal information over the internet, but is that all you should be concerned about?
Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.
— Gene Spafford
In other words, both ends of the communication must be secure. With phishing, pharming, malware (including rootkits), drive-by downloads, computers without passwords, etc., your home computer is at risk. What are you doing to protect your computer?

Then there are all the security breaches and lost computers, tapes, etc. at the web sites/stores you shop at. Look at TJX, the company behind T.J. Maxx, Marshalls, Winners, HomeGoods, T.K. Maxx, A.J. Wright, and HomeSense. TJX experienced, and tried to cover up, one of the most extensive long-term security breaches in history. Additionally it has been the one with the most fraudulent charges directly linked to the break-in.

Don't let a secure connection lull you into a false sense of security. Your personal information may already be out there.

Sunday, March 4, 2007

Evolution: Fun, Bragging Rights and Profit

In the Beginning

Back in the old days it was the curious looking to expand their understanding of systems. They could hack together a program; in fact the best hack was the most concise and elegant code.

Organic Evolution

Some of these hackers turned their focus deep into the bowels of the computers and their operating systems. Of course this required a higher privilege level, so they took to cracking into accounts with greater privileges, usually called root on Unix systems, and thus began the evolution of the modern-day hacker.
Sidenote: Crackers are hackers that use their skills for breaking into systems, in much the same way as an assassin uses their abilities as a marksman to kill. Alas the public has picked up the term hacker so life goes on.
Pressure to be the best

As time passed, pride demanded that these hackers proclaim their victories to the world. Hackers would post their conquests on underground communication channels and then started proclaiming them to the world in the form of defaced web pages.

As time passed, tools automated finding and breaking into systems. At first these were traded "underground," but many migrated to the mainstream. Additionally, security researchers and administrators began to write their own tools to find and patch the holes before the hackers did.

Scavengers Appear

These tools gave rise to the script kiddies: people who learned how to run the tools, but did not understand what the tools did. These are the people that scan large blocks of the Internet looking for something to attack. They tend to attack based on port, not application; in other words these are the ones that launch Microsoft IIS attacks on Apache web servers.

The hard-core criminal element eventually caught wind of this new avenue for illegal profits. This has given rise to two basic criminal categories: the botnet herders and the professional crackers.

Botnet herders' initial growth and expansion is very similar to script kiddies. In their recruitment phase spam, drive-by downloads and scans are used to recruit new bots, or zombies, into the herd. These botnets can then be used for DDoS attacks, spam propagation, and other nefarious for-profit motives.

The professional cracker will case their target and look for vulnerabilities and unprotected avenues from which to launch their attack. The professionals will learn their prey, including partners, remote workers, IP addresses, key employees, and environment.
Amateurs hack systems, professionals hack people.
— Bruce Schneier
Update: The professional hackers tend to be freelancers or directly controlled by organized crime.

Saturday, March 3, 2007

One

One, simply one. One crack, one unguarded point of entry, or one moment of opportunity. So true, and so deadly at the same time:
We only need to be lucky once. You need to be lucky every time.
— The IRA to Margaret Thatcher, after a failed assassination attempt.

Probably the most famous example of one point of weakness is Achilles' heel (http://en.wikipedia.org/wiki/Achilles%27_heel). In short, Achilles' mother dipped him in the river Styx, and the water from the river made him invulnerable, except where his mother held him with her finger and thumb on his heel. Thus he was invulnerable except in one spot, his heel, which led to his downfall.

Friday, March 2, 2007

Why is Defense so Hard?

The basic premise is that you must defend every attack vector, while the attacker probes for the one weak point where your defenses can be bypassed or breached.
Securing a computer system has traditionally been a battle of wits: the penetrator tries to find the holes, and the designer tries to close them.
— M. Gasser
When possible in the physical world fortifications are used to limit the attack vectors and defense in depth is obtained by layering using obstacles such as walls, cliffs, moats, and rivers.

A more modern description could be a football game. The goal, pun intended, is to breach the other team's defense and score.

No one gets points added to their score for the number of plays that are successfully defended against.

Thursday, March 1, 2007

This isn't Your Fathers Phone

As I mentioned previously I started blogging after being a guest on the "2 Guys Named Joe" podcast (http://twoguysnamedjoe.libsyn.com/).

Recently I was invited back to discuss VoIP AKA Voice over IP (http://www.answers.com/main/ntquery?s=voip&gwp=13) for their current podcast 2gnj Episode 30: Ed Wants VOIP (http://twoguysnamedjoe.libsyn.com/index.php?post_id=185540).

I really enjoy doing the podcasts and decided I'd do a follow-up blog entry on VoIP security.

The Basics:

First, one basic non-security fact: VoIP requires broadband (http://www.answers.com/main/ntquery?s=broadband&ff=1), which roughly translates into DSL, Cable or FiOS (http://www.answers.com/main/ntquery?s=fios&gwp=13).

Second, anyone who is using a broadband connection should be running a hardware router/firewall. These devices are under $100, and considering the cost of broadband at $30-$50 a month they are well worth it.

Location, location, location:

Just like in real estate, location matters. For security reasons you should place the phone adapter behind your firewall.

I have seen many recommendations and diagrams for placing it in front of the firewall. This has only one goal, which is to prevent calls to the helpdesk. This is good for your VoIP provider, but not for you.

The best thing for the VoIP customer is to give the phone adapter a static IP address, or use its MAC address (http://www.answers.com/main/ntquery?s=mac+address&gwp=13) to have your router always hand the same IP address to the phone adapter. Then have your router forward UDP ports 5060-5061 to your phone adapter's IP address. Note that 5060-5061 carry only the SIP signalling (call setup); the voice itself travels over RTP on a separate range of UDP ports that the adapter and provider negotiate, so check your provider's documentation for which ports it actually needs.

In The Clear

Everything you say can be heard by anyone...

Just like a regular phone, everything you say is transmitted in the clear, i.e. understandable to anyone with the right tools. When it comes to old-fashioned phones there are wiretaps and good old standard thunderbirds (used for troubleshooting; they allow the user to listen in on a phone call). To protect your conversation you would need to purchase a special phone, and the person you call would need one as well.

With VoIP there seems to be a viable inexpensive option Zfone (http://zfoneproject.com/getstarted.html).

Zfone was created by Phil Zimmermann (http://zfoneproject.com/aboutphil.html), the same man who created PGP. As is to be expected, both parties have to use Zfone for it to work. Presently it only works with "soft phones," such as X-Lite (http://www.xten.com/index.php?menu=X-Series), because the currently available implementations run on the same computer as the soft phone. Additionally there is a Software Development Kit (SDK) available on the site.


Zfone utilizes ZRTP, which has been submitted for acceptance as a standard (http://zfoneproject.com/zrtp_ietf.html); standardization would allow its inclusion in any VoIP product.

ZRTP is an extension to Real-time Transport Protocol (RTP) which describes a method of Diffie-Hellman key agreement for Secure Real-time Transport Protocol (SRTP). It was submitted to the IETF by Phil Zimmermann, Jon Callas and Alan Johnston on 5 March 2006.
- http://en.wikipedia.org/wiki/ZRTP