
What Can You Do To Protect Yourself From Spyware, Malware And Ransomware?

Companies and consumers continue to be under threat when operating online. While the vast majority of websites are designed for safe and practical use, some online users have found that their computers can be quickly infected with spyware, malware and ransomware.

Protecting Yourself From Spyware

These infections can not only slow down an operating system, but also leave the user’s data vulnerable to hacking attempts from around the globe. It’s important to take steps to protect yourself in this type of challenging online environment, so within this post we’ll look at what you can do to protect yourself against malware, ransomware, and spyware.

Harness Two-Factor Authentication

While most of us use passwords on our home computer accounts, email accounts and on our cell phones, it’s now important to take that extra step for optimal protection. Two-factor authentication provides additional fortification against hackers through the use of a second security step. The second authentication might involve a confirmation being sent to a cell phone or a confirmation via a secondary email account. This helps further protect the user and their data.

Check Authorized Devices when Using Mobile Applications

The applications used on a mobile phone will sometimes allow the user to create a unique security code on the device that prevents the need to key in the password at a future time. Users can check which devices have this security code by viewing “authorized devices” via their mobile phone. It’s a good idea to check this list on a regular basis, and to delete all authorized devices immediately if an unknown device is found on the list.

Install Antimalware Software

Antimalware software is becoming incredibly sophisticated in blocking malware from being installed on computers. For those who only use the internet for simple emailing and shopping, antimalware software can provide an all-in-one solution to potential security issues. It’s important that the software chosen offers the ideal level of protection, so users should review antimalware products recommended by experts such as AV-Test.

Stop Clicking Email Links

It can be tempting to simply click a link from an email sender that is known and trusted. But oftentimes, even emails from trusted senders can contain viruses that have been transferred from their computer. If there’s a link within an email that contains potentially important information, users are advised to simply type out the link in their browser directly rather than clicking the email link. This will help separate safe from unsafe links within the browser.

By taking proactive measures to secure their computers, users can mitigate security threats and protect their data for the long-term. To learn more on this topic, speak to our trusted experts directly!

Critical Security Controls

20 critical security controls

Are you focused on maximizing the value of your security resources?

Is your security budget allocated for maximum ROI?

NCI’s structured approach to the 20 Critical Security Controls framework helps you build a pragmatic plan to reduce risk and increase ‘security maturity’.

GOAL BASED AND MEASURABLE
The Critical Security Controls is a framework administered by the Council on Cyber Security that emphasizes immediate and prioritized risk reduction. Our structured approach allows you to measure your maturity against this framework and NCI has aligned key products and services within the framework to help you achieve ‘quick wins’ against your security goals.

NCI’S CSC ASSESSMENT PROVIDES YOU WITH:

  • A structured and detailed assessment based on the CSC framework
  • A maturity dashboard to assist you with key analytics
  • A prioritized security roadmap customized for your business
  • Maturity averages from similar business verticals

QUANTITATIVE VALUE

  • Measure your security maturity based on the 20 controls.
  • Your prioritized plan is based on ease of implementation and your available resources.
  • In partnership with NCI, implement your controls.
  • Validate your new controls to measure the effects of your risk reduction.

MATURITY DASHBOARD
NCI provides you with a report complete with a dashboard to determine and track your maturity scores. Utilizing NCI’s prioritized approach you will have a clear plan to help you budget for and enhance your security maturity over time.

Thoughts After Passing the CWSP PW0-204 Exam

After putting it off until the very last moment, I finally wrote and passed the Certified Wireless Security Professional (CWSP) PW0-204 exam. This was important since it had been almost 3 years since I passed the CWSP (PW0-200) exam and my credentials were set to expire on the 25th of June. Crisis averted! With the exam out of the way, I thought it would be worthwhile to share some thoughts on my experiences while preparing for it.

In no specific order, here are a few things I found very interesting about my time studying for PW0-204: 

  1. Wireless security was much less complicated 3 years ago. When I took the PW0-200 exam, I didn’t have to know anything about 802.11n, 802.11k, 802.11w, or 802.11r. All of these, now ratified, IEEE standard amendments come with their own set of additional security settings and concerns that must be taken into consideration when securing a WLAN. Continuing to educate yourself and staying on top of the latest industry developments is the easiest way to ensure that a certification’s body of knowledge doesn’t leave you behind.
  2. Experience in the field helps immensely with this exam. When I first wrote the PW0-200 exam, 3 years ago, I had a great interest in the subject but very little real-world WLAN experience. This time around, after living and breathing WLANs for 3 years, I found I was able to quickly skim or review a lot of the CWSP Study Guide since I deal with 802.1X/EAP, PKI, and WIDS/WIPS solutions quite frequently in my role as a security consultant. In my opinion, the CWSP certification is a great example of an exam that goes beyond ‘textbook studying’ and really tries to incorporate lessons that can only truly be learned through hands-on experience. Certifications like that rock because they signify practical/useful knowledge instead of just the ability to memorize answers for a test.

Next Step

Keeping my existing CWNA and CWSP credentials was just stop number one on this journey. With that out of the way, I’m now beginning my assault on the Certified Wireless Network Expert (CWNE) designation. Last time I checked, there were fewer than 100 CWNEs globally, so it’s definitely going to be a challenge. I have to pass both the CWDP and CWAP exams first. Wish me luck and I look forward to posting my thoughts and insights on my next exam this summer.

Dan C.

The Rule of 10s and 3s

A while back I wrote a blog post explaining how an antenna works when it is connected to a wireless access point. Today I’m going to add to that lesson by explaining The Rule of 10s and 3s. Essentially, you can use this rule to figure out what your transmit power is going to be when you add various connectors, cables, and external antennas to your access points. Without further ado:

Please remember that using The Rule of 10s and 3s does not give you exact figures. It should only be used to perform rough calculations. Also, this video is not intended to be a technical deep-dive into the field of RF mathematics. Instead, my goal is to explain the basics of a complex topic so that almost anyone can understand it. (I’ve assumed knowledge of milliwatts and decibels though).

Dan C.

Bonus marks if you can explain why having this knowledge is important for anyone working with WLANs. Leave your answer in the comments section and share this video with anyone you think might benefit from knowing this rule.

Despite what you may think, IT security “is” your business

Many executives feel that IT security is only an issue for the IT department. The problem is that IT security is a bigger issue than just your IT department. Every day your company faces viruses, lost devices, stolen data, and intellectual property walking away with recently dismissed or disgruntled employees. According to the DataLossDB project, 126,749,634 medical records, bank account numbers, names, and addresses were stolen or accidentally leaked in 871 separate incidents in 2011, costing companies an estimated $26 billion in 2011. Now you might say, “We aren’t in the business of IT or security. We make widgets. We maximize investor returns by buying, selling, and trading subsidiaries to create wealth.” The fact is that, today, for an organization to ignore IT security is clearly risky. As reported in Forbes magazine on January 2, 2012, “If data loss continues on its current trends, it will cost the U.S. economy $290 billion by 2018”. As most cases go unreported, check out the cases that made headlines in 2011:

  • RSA
    The security division of data storage firm EMC was hit by a hack that compromised their popular SecurID cryptographic keys, forcing them to offer replacements to their clients. The stolen information was later used in an attack on defense giant Lockheed Martin. RSA has provided a useful working definition of the term advanced persistent threats, or APTs, as “military-grade cyber-attacks on commercial entities.” In the face of APTs, businesses need a new defense doctrine, which is under discussion by an increasing number of corporate chief information security officers.
  • Texas Comptroller
    A server mistakenly left open to the public contained the Social Security Numbers of 3.5 million teachers and other state employees.  No hacking was necessary to access this server.
  • Sony
    In nine different incidents, the conglomerate lost names, addresses, and credit card and bank account numbers as hackers pillaged its online game, music, and movie divisions.  Hackers made off with 77 million names, e-mail addresses, and passwords after breaching Sony’s PlayStation network.  The Sony breaches followed several similar data breaches by online service suppliers such as Play.com and Lush, so what effects are they likely to have on the online services industry?
  • SK Communications
    A complex attack on the Internet company netted the personal information of 35 million South Korean users.  That’s in a country of 50 million people.
  • SAIC
    A few of the defense contractor’s backup tapes were stolen out of an employee’s car.  The tapes contained the medical records of more than 5 million military patients.
  • Sutter Medical Foundation
    A stolen laptop from the health-care provider contained 3.3 million names and other identifying information, along with 943,000 patient diagnoses.  This incident brought on a class action suit, alleging negligence in securing data.

Can you afford to have your company on this list? I did not think so. All of us have a role to play in a more secure internet and it is clear we have a problem and need to get on with fixing the issues as quickly as possible. If your company has customer information, takes credit cards or has computers that use passwords then IT security is in fact your business.

LDAP Injection

What is LDAP

LDAP (Lightweight Directory Access Protocol) is a standard protocol for accessing directories, that is to say, databases of information. This information is generally related to users, but directories are sometimes used for other purposes, such as managing the equipment in a company.

Initially based on the X.500 protocol (and named X.500 DAP) in the late 1980s, LDAP has run over the TCP/IP stack since 1993 (by default on TCP port 389) and earned the “Lightweight” at the same time. As it is only a protocol, LDAP defines how the data is accessed from the client to the server, not the way in which the information is stored. LDAP presents the information as a hierarchical tree called the DIT (Directory Information Tree). An attribute has a name (an attribute type or attribute description) and one or more values.

The common methods are:

  • Bind – authenticate and specify LDAP protocol version
  • Search – search for and/or retrieve directory entries
  • Compare – test if a named entry contains a given attribute value
  • Add a new entry
  • Delete an entry
  • Modify an entry
  • Unbind – close the connection (not the inverse of Bind)

Common LDAP servers are:

  • Apache Directory Server
  • Apple Open Directory
  • Red Hat Directory Server
  • OpenLDAP
  • Novell eDirectory
  • Microsoft Active Directory

Save me from SQL injection!

What is the best way to protect yourself from SQLi? Don’t use it, period. This simple idea eventually made its way to some organizations (like banks!) and introduced a new question: how to replace SQL. Hey, LDAP should be right! And boom, LDAP auth from a website is born. And bang, LDAP injection too! The same advanced exploitation techniques available in SQL injection can also be similarly applied in LDAP injection.

LDAP Query

LDAP queries use simple attribute-value matches. For example, if you want to find all objects that have the first name Alice, you would use:

(givenName=Alice)

Parentheses are included to emphasize the beginning and end of the LDAP statement.

Multiple conditions

If you want to find all objects that have the first name Alice AND are in Toronto, you would use:

(&(givenName=Alice)(l=Toronto))

You can also use the OR token:

(|(givenName=Alice) (givenName=Bob))

The first and last parentheses are included to emphasize the beginning and end of the LDAP statement. You can even make a search with more conditions:

(&(givenName=Alice)(|(l=Montreal)(l=Toronto)))

Wildcard

Here is the best part: LDAP loves wildcards. You can find all objects that have a title attribute:

(title=*)

Or all objects whose first name starts with A:

(givenName=A*)

Parentheses are included to emphasize the beginning and end of the LDAP statement.

Selection of attributes

In SQL, we can select attributes with SELECT:

SELECT name, job, phone FROM list WHERE name=$name

In LDAP, we can do the same with a ; at the end of the statement:

(givenName=$name);givenName,phone,job

If an attribute doesn’t exist, there is an error:

(givenName=$name) ;givenName,phone,job,color

Weird returns

On some LDAP servers, like OpenLDAP, only the first group of parentheses is evaluated:

(givenName=Alice) (givenName=Bob)

This returns only objects that have the first name Alice, without any error.

Another interesting thing is that there is no error if an attribute doesn’t exist but starts with a valid name; it is simply ignored:

(givenName=$name) ;givenName,phone,jobYGCIUDHOISUHD,job
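To make the filter syntax from the LDAP Query, Multiple conditions, Wildcard and Weird returns sections concrete, here is an added example that is not code from the original post: a small Python evaluator for RFC 4515-style filters, run against a handful of constructed directory entries. It goes slightly beyond the post by also handling the NOT operator (!). Escape sequences such as \2a are not decoded and the ;attr,attr selection suffix is not modelled; the entries and function names are assumptions made for this example.

```python
# Added example (not from the original post): a minimal evaluator for the
# LDAP search-filter syntax (RFC 4515 style) run against constructed entries.
# Handles AND (&), OR (|), NOT (!), exact matches and the '*' wildcard.
# Escape sequences such as \2a are NOT decoded, and the ";attr,attr"
# attribute-selection suffix is not modelled.
import re

# Constructed sample directory. Attribute names are stored in lower case
# because LDAP attribute names are case-insensitive.
ENTRIES = [
    {"cn": "Alice Martin", "givenname": "Alice", "l": "Toronto", "title": "Engineer"},
    {"cn": "Alice Tremblay", "givenname": "Alice", "l": "Montreal"},
    {"cn": "Bob Smith", "givenname": "Bob", "l": "Toronto", "title": "Manager"},
    {"cn": "Carol Lee", "givenname": "Carol", "l": "Vancouver", "title": "Analyst"},
]


def match_value(pattern: str, value: str) -> bool:
    """True if value matches pattern, where '*' matches any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def parse_filter(text: str, pos: int = 0):
    """Parse one parenthesised filter starting at text[pos]; return (node, next_pos)."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("filter must start with '('")
    pos += 1
    op = text[pos]
    if op in "&|!":
        # Composite filter: child filters until the matching ')'
        pos += 1
        children = []
        while text[pos] != ")":
            if text[pos].isspace():
                pos += 1
                continue
            child, pos = parse_filter(text, pos)
            children.append(child)
        if op == "!" and len(children) != 1:
            raise ValueError("NOT takes exactly one filter")
        return (op, children), pos + 1
    # Simple filter: attribute=value (a lone '*' value is a presence test)
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr.strip().lower(), value.strip()), end + 1


def evaluate(node, entry: dict) -> bool:
    """Evaluate a parsed filter node against one directory entry."""
    op = node[0]
    if op == "&":
        return all(evaluate(child, entry) for child in node[1])
    if op == "|":
        return any(evaluate(child, entry) for child in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, pattern = node
    value = entry.get(attr)
    # A missing attribute never matches, so (title=*) selects only entries that have a title
    return value is not None and match_value(pattern, value)


def search(entries, filter_text: str):
    """Return the cn of every entry matching filter_text.

    As the post observes for some servers, only the first parenthesised
    group is parsed; anything after it is silently ignored.
    """
    node, _end = parse_filter(filter_text)
    return [entry["cn"] for entry in entries if evaluate(node, entry)]


if __name__ == "__main__":
    for f in ["(givenName=Alice)", "(&(givenName=Alice)(l=Toronto))",
              "(title=*)", "(givenName=A*)", "(givenName=Alice) (givenName=Bob)"]:
        print(f, "->", search(ENTRIES, f))
```

The last filter in the usage loop reproduces the "weird return" described above: the second group is never parsed, so the query quietly returns only the Alice entries.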

LDAP Injection

A login page has two text fields for entering the user name and password. Uname and Pwd are the user inputs for USER and PASSWORD. To verify the existence of the user/password pair supplied by a client, an LDAP search filter is constructed and sent to the LDAP server:

(&(USER=$Uname)(PASSWORD=$Pwd))

WildCard Injection

If wildcards are available, a simple * in the password should do the trick:

User Injection

We can also use the fact that only the first group is evaluated:

Password Injection

In LDAP, the password is rarely injectable because it is often hashed before being sent to the LDAP server:

(&(USER=$Uname)(PASSWORD={MD5}fd9ee57179a15116ed6a560a15d30afd))

Attribute Injection

Example of a phone directory:

(& (ou=$Ugroup)(cn=$Uname));cn,telephone

We can use the starting-attribute trick here and request all passwords:

Blind Injection

If we can’t use attribute injection, we can use blind LDAP injection, just like blind SQLi, by recursively trying every possible first character of the value of a specific attribute.

If we want to get the street address of Alice from the Phone book:

(& (ou=$Ugroup)(cn=$Uname));cn,telephone

Mitigation

Just like SQLi, the mitigation is quite simple: user input validation!

The escape sequence for properly using user-supplied input in LDAP differs depending on whether the input is used to create the DN (Distinguished Name) or used as part of the search filter. The listings below show the characters that need to be escaped and the appropriate escape method for each case.

Finally, ignore the request if there are more than two outer parentheses.
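As an added example of the mitigation described above (not code from the original post), here are Python escaping routines for the two cases it names, filter values (RFC 4515) and DN values (RFC 4514), placed next to the unescaped login filter from the LDAP Injection section and a check that refuses a filter with more than one outer group. The attribute names USER and PASSWORD come from the post; the function names and sample inputs are assumptions made here.

```python
# Added example (not from the original post): escaping user input before it
# is placed in an LDAP search filter (RFC 4515) or a DN (RFC 4514), beside the
# unescaped concatenation the post describes. USER and PASSWORD are the post's
# attribute names; everything else is constructed for this example.


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515).

    '*', '(', ')', backslash and NUL become a backslash plus two hex digits,
    so user input can neither add a wildcard nor open or close a group.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
        for ch in value
    )


DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514).

    Special characters get a backslash; a leading '#' and a leading or
    trailing space are escaped too; NUL becomes \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def login_filter_unsafe(uname: str, pwd: str) -> str:
    """The concatenation from the post: user input lands in the filter verbatim."""
    return "(&(USER=%s)(PASSWORD=%s))" % (uname, pwd)


def login_filter_safe(uname: str, pwd: str) -> str:
    """Same filter, with both inputs escaped so they can only be literal values."""
    return "(&(USER=%s)(PASSWORD=%s))" % (
        escape_filter_value(uname), escape_filter_value(pwd))


def count_outer_groups(filter_text: str) -> int:
    """Count parenthesised groups at nesting depth 0, skipping \\xx escapes.

    A single well-formed filter has exactly one; returns -1 if unbalanced.
    """
    depth = groups = 0
    i = 0
    while i < len(filter_text):
        ch = filter_text[i]
        if ch == "\\":
            i += 3  # skip the backslash and its two hex digits
            continue
        if ch == "(":
            if depth == 0:
                groups += 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return -1
        i += 1
    return groups if depth == 0 else -1


def build_login_filter(uname: str, pwd: str) -> str:
    """Escape, then refuse anything that does not parse as exactly one group."""
    filt = login_filter_safe(uname, pwd)
    if count_outer_groups(filt) != 1:
        raise ValueError("rejected filter: %r" % filt)
    return filt


if __name__ == "__main__":
    print(login_filter_unsafe("alice", "*"))   # the wildcard reaches the server
    print(login_filter_safe("alice", "*"))     # (&(USER=alice)(PASSWORD=\2a))
    print(count_outer_groups("(givenName=Alice) (givenName=Bob)"))  # 2
```

Escaping is the control that matters: after escape_filter_value, a * or a parenthesis supplied by the user is sent as \2a, \28 or \29 and matched literally, while the outer-group count only catches a filter that has been split into several top-level statements. Where the LDAP client library in use offers its own escaping helpers, prefer those over a hand-rolled version.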

Rémi Menegon, M.Sc.A., BEng, CISSP