Secure Application Development links

Oct 14, 2008 in Security

Hi,

I have been putting some secure application development documents together recently and have found some good general tutorials and guidelines which I thought I would post here.

Other Resources

No Comments »

Internet Banking Security Assessment Considerations

Aug 05, 2008 in Banking and EFTPoS, Security

I was asked some time ago what sort of things may be considered when looking at .

Below is a list of things which could be considered. It was just a brain dump and as such may not be complete.

Don’t underestimate the value of standard for your infrastructure, website configuration,  database engine configuration/, and /QA environments.

Some thoughts:

  • Many don’t lock accounts after X failed logins, this is normally done for good customer service, but leaves the system .

- And all the other things expected for a session (forced changes, aging, etc))
- Tools such as may be use to brute force authenticated sessions.

  • Many allow session sequence numbers to be incremented, allowing an authenticated user to view other customer session.

- These may be side, client side, cookie based, etc.
- Get someone to check the methodologies and the code being used.
- Database query strings can be placed into test entry fields, allowing table dumps to browser.
- Check all pages served are secure and contain user flags.

  • Customer may not be segregated, this needs to be checked.
  • Customer should not reside on the .
  • databases / system should not reside on the webserver.
  • The databases should reside on a private/semi-private .

- A different segment to the main system.

  • Webserver should be dual homed or equivalent (some VLAN techniques are good)

- Separate private and public cards, monitoring/backup/administration
- Infrastructure set-up to explicitly deny inbound/outbound ports, private IP & monitoring escaping from the .

  • At all segregation points ensure rules are in place which appreciates the traffic though that point.
  • All customer where possible should be sourced from a secure back-end database.

- This may be a . i.e. no the main system.
- This usually allows for transactions to appear real time to the customer.
- Many transactions may be batched in reality. (internal or external to the )

  • Ensure suitable rules have been set-up on firewalls.

- There should be inbound and outbound rules on firewalls and filtering routers.

  • Don’t allow any infrastructure on the front end to allow remote administrative connections. (, etc.)

- Use the serial console port to connect to a or back-end terminal .

  • Services not used by the system are active

- These should be disabled.

  • Port scan of the supporting infrastructure (routers /switches) and (s).

- Investigate the reasons for all open ports.

  • Don’t use the main gateway for trusted partner (clearing / RAS / etc.)
  • Do all that standard IIS checks and NT checks (Sample scripts, change management, methodologies, etc.)
  • Ensure denial of service precaution have been taken into account for all infrastructure and equipment.
  • Check the adequacy of the escalation procedures used.

- Look for real-time monitoring and alerting.
- Look for responsibility matrix.
- Look for ownership of issues.

  • Consider upstream carrier(s) (denial of service, IP spoofing, , etc)
  • Consider social engineering of customer, administrative, partner accounts / systems / infrastructure.

- Helpdesk procedures and policies and/or alternate technologies (Caller ID, Gateway IP, etc.).

  • Use dynamic passwords where possible (SecureID, TACACS, etc.).
  • Use encrypted tunnelling where needed (, Firewall 1, etc)
  • Consider looking at other customer methods to enhance existing methods.

- cert, IP address locked to account, etc.
- Consider use of or CVN for issued cards.

  • Consider how passwords are distributed /changed for customers.

- Plain email, telephone, etc.
- Can passwords be changed ?

  • Is additional used between sections of the services once authenticated?
  • Consider what the customer has to once authenticated.

- Look at , RTGS, inter- transfers, to cards, etc.
- If an attacker does get in, what can the do?

  • Use techniques to ensure pages, customer details are not cached at , or client system.

- These are flags that can be set within pages.
- Normally SSL is cached, but some proxy vendors have been playing with techniques to do so.
- Caching of SSL pages on the client system can be turned on on some browsers.
- May banks use a (or similar) applet for all customer interaction, restricting all caching issues.

  • Ensure paper based and on-line liability clauses are available are address all effected areas.
  • Ensure within the customer sign-up process liability is reduced.

- I’ve seen statements like “use this system at your own risk, responsibility for any liability or claim will NOT……”
- Not very customer focused, but that’s what their legal department recommended.

All of the above can effect the and/or operation of an on-line system.

Other things to consider:

  • External and of the application.
  • Ownership and management of the /applications
  • Publishing points for new content (internal/private/trusted or )
  • Topology of front end.  i.e. document should be in place and managed appropriately.
  • Are limited AP tests performed whenever changes are made to the ? i.e. integrated AP into Change management process.
  • Database . Is it buffered or is it live to the core systems.
  • What facilities are provided? Direct + + + ……. Consider different scenarios for your depending on the feature.
  • What other services are shared within the segment that the service is running. Can this be used to compromise the site. eg. different /business/ organisations with differing strategies/profiles.
  • Consider all external supporting services within you AP. Look at internal/external poisoning opportunities, mail , etc. What IPS’s do they use has the any opportunity to systems or supporting services which may affect .
  • Depending on the size of the , many organisation do not use the same groups for infrastructure and the application. As a result external connections to the infrastructure may be provided for an external organisation to administer the infrastructure.
  • Look at the business and user methods and paths (client side certs, secure ID, SMART , etc). Consider two factor and modern user methods. eg. what is your favourite food in addition to normal usernames and passwords. Do system administration staff use dynamic passwords (secureID, etc)?
  • See if the application sends email to users which may contain interesting information.
  • Better to the application can generally be gained after to the system. i.e. get an legitimate account on the system. I have found that some sample/administration screens have been restricted to authenticated users only.
  • Consider social engineering the Help desk to have an account reset.

No Comments »

Cisco Command Cheat Sheet

Jul 04, 2008 in Infrastructure

I found a list of useful which I though I would post here. When I get a chance I will continue to expand the list and broaden command set.

Thanks to the fastget2you.com Joined With #missomhack Community for the original list.

ROUTER COMMANDS :

  • Config# terminal editing - allows for enhanced editing commands
  • Config# terminal monitor - shows output on session
  • Config# terminal ip netmask-format hexadecimal|bit-count|decimal - changes the format of subnet masks

HOST NAME:

  • Config# hostname ROUTER_NAME

BANNER:

  • Config# banner motd # MESSAGE HERE # - # can be substituted for any character, must start and finish the message

DESCRIPTIONS:

  • Config# description THIS IS THE SOUTH ROUTER - can be entered at the Config-if level

CLOCK:

  • Config# clock timezone Central -6
    # clock set hh:mm:ss dd month yyyy - Example: clock set 14:13:00 25 August 2003

CHANGING THE REGISTER:

  • Config# config-register 0×2100 - ROM Monitor Mode
  • Config# config-register 0×2101 - ROM boot
  • Config# config-register 0×2102 - Boot from NVRAM

:

CDP:

  • Config# cdp run - Turns CDP on
  • Config# cdp holdtime 180 - Sets the time that a device remains. Default is 180
  • Config# cdp timer 30 - Sets the update timer.The default is 60
  • Config# int 0
  • Config-if# cdp enable - Enables cdp on the
  • Config-if# no cdp enable - Disables CDP on the
  • Config# no cdp run - Turns CDP off

HOST TABLE:

  • Config# ip host ROUTER_NAME INT_Address - Example: ip host lab-a 192.168.5.1
    -or-
  • Config# ip host RTR_NAME INT_ADD1 INT_ADD2 INT_ADD3 - Example: ip host lab-a 192.168.5.1 203.23.4.2 199.2.3.2 - (for e0, s0, s1)

:

  • Config# ip domain-lookup - Tell router to lookup domain names
  • Config# ip name- 122.22.2.2 - Location of
  • Config# ip domain-name cisco.com - Domain to append to end of names

CLEARING COUNTERS:

STATIC ROUTES:

  • Config# ip route Net_Add SN_Mask Next_Hop_Add - Example: ip route 192.168.15.0 255.255.255.0 205.5.5.2
  • Config# ip route 0.0.0.0 0.0.0.0 Next_Hop_Add - Default route
    -or-
  • Config# ip default- Net_Add - Gateway LAN

IP ROUTING:

  • Config# ip routing - Enabled by default
  • Config# router rip
    -or-
  • Config# router igrp 100
  • Config# 0
  • Config-if# ip address 122.2.3.2 255.255.255.0
  • Config-if# no shutdown

IPX ROUTING:

LISTS:

IP Standard 1-99
IP Extended 100-199
IPX Standard 800-899
IPX Extended 900-999
IPX Filters 1000-1099

IP STANDARD:

  • Config# -list 10 permit 133.2.2.0 0.0.0.255 - allow all src ip’s on 133.2.2.0
    -or-
  • Config# -list 10 permit host 133.2.2.2 - specifies a specific host
    -or-
  • Config# -list 10 permit any - allows any address
  • Config# int 0
  • Config-if# ip -group 10 in - also available: out

IP EXTENDED:

  • Config# -list 101 permit tcp 133.12.0.0 0.0.255.255 122.3.2.0 0.0.0.255 eq
    -protocols: tcp, udp, icmp, ip (no sockets then), among others
    -source then destination address
    -eq, gt, lt for comparison
    -sockets can be numeric or name (23 or , 21 or ftp, etc)
    -or-
  • Config# -list 101 deny tcp any host 133.2.23.3 eq www

-or-

-or-

  • Config# -list 801 permit -1 -1 - “-1″ is the same as “any” with /host addresses
  • Config# 0
  • Config-if# ipx -group 801 outIPX EXTENDED:
  • Config# -list 901 permit 4AA all 4BB all
    - Permit protocol src_add socket dest_add socket
    -”all” includes all sockets, or can use socket numbers

-or-

  • Config# -list 901 permit any any all any all
    -Permits any protocol with any address on any socket to go anywhere
  • Config# 0
  • Config-if# ipx -group 901 inIPX FILTER:
  • Config# -list 1000 permit 4aa 3 - “3″ is the service

-or-

  • Config# -list 1000 permit 4aa 0 - service of “0″ matches all services
  • Config# 0
  • Config-if# ipx input--filter 1000 - filter applied to incoming packets

-or-

  • Config-if# ipx output--filter 1000 - filter applied to outgoing packets

NAMED LISTS:

  • Config# ip -list standard LISTNAME
    -can be ip or ipx, standard or extended
    -followed by the permit or deny list
  • Config# permit any
  • Config-if# ip -group LISTNAME in
    -use the list name instead of a list number
    -allows for a larger amount of -lists

PPP SETUP:

  • Config-if# ppp
  • Config-if# ppp chap pap
    -order in which they will be used
    -only attempted with the listed
    -if one fails, then connection is terminated
  • Config-if# exit
  • Config# username Lab-b 123456
    -username is the router that will be connecting to this one
    -only specified routers can connect

-or-

  • Config-if# ppp chap hostname ROUTER
  • Config-if# ppp chap 123456
    -if this is set on all routers, then any of them can connect to any other
    -set same on all for easy configuration

ISDN SETUP:

  • Config# isdn switch- basic-5ess - determined by telecom
  • Config# serial 0
  • Config-if# isdn spid1 2705554564 - isdn “phonenumber” of line 1
  • Config-if# isdn spid2 2705554565 - isdn “phonenumber” of line 2
  • Config-if# PPP - or HDLC, LAPD

DDR - 4 Steps to setting up ISDN with DDR Configure switch

1. Config# isdn switch- basic-5ess - can be done at config

2. Configure static routes
Config# ip route 123.4.35.0 255.255.255.0 192.3.5.5 - sends traffic destined for 123.4.35.0 to 192.3.5.5
Config# ip route 192.3.5.5 255.255.255.255 bri0 - specifies how to get to 192.3.5.5 (through bri0)

3. Configure
Config-if# ip address 192.3.5.5 255.255.255.0
Config-if# no shutdown
Config-if# ppp
Config-if# dialer-group 1 - applies dialer-list to this
Config-if# dialer map ip 192.3.5.6 name Lab-b 5551212
connect to lab-b at 5551212 with ip 192.3.5.6 if there is interesting traffic
can also use “dialer string 5551212″ instead if there is only one router to connect to

4. Specify interesting traffic
Config# dialer-list 1 ip permit any
-or-
Config# dialer-list 1 ip list 101 - use the -list 101 as the dialer list

5. Other Options
Config-if# hold-queue 75 - queue 75 packets before dialing
Config-if# dialer load-threshold 125 either
-load needed before second line is brought up
-”125″ is any number 1-255, where % load is x/255 (ie 125/255 is about 50%)
-can check by in, out, or either

Config-if# dialer idle-timeout 180
-determines how long to stay idle before terminating the session
-default is 120

FRAME SETUP:

  • Config# serial 0
  • Config-if# frame- - cisco by default, can change to ietf
  • Config-if# frame- lmi- cisco - cisco by default, also ansi, q933a
  • Config-if# bandwidth 56
  • Config-if# serial 0.100 point-to-point - subinterface
  • Config-if# ip address 122.1.1.1 255.255.255.0
  • Config-if# frame- -dlci 100
    -maps the dlci to the
    -can add and/or IETF at the end
  • Config-if# serial 1.100 multipoint
  • Config-if# no inverse-arp - turns IARP off; good to do
  • Config-if# frame- map ip 122.1.1.2 48 ietf
    -maps an IP to a dlci (48 in this case)
    -required if IARP is turned off
    -ietf and are optional
  • Config-if# frame- map ip 122.1.1.3 54

SHOW COMMANDS

  • Show -lists - all lists on the router
  • Show cdp - cdp timer and holdtime
  • Show cdp entry * - same as next
  • Show cdp neighbors detail - details of neighbor with ip add and ios version
  • Show cdp neighbors - id, local , holdtime, capability, platform portid
  • Show cdp - int’s running cdp and their
  • Show cdp traffic - cdp packets sent and received
  • Show controllers serial 0 - DTE or DCE status
  • Show dialer - number of times dialer string has been reached, other stats
  • Show flash - files in flash
  • Show frame- lmi - lmi stats
  • Show frame- map - static and dynamic maps for ’s
  • Show frame- - ’s and dlci’s
  • Show history - commands entered
  • Show hosts - contents of host table
  • Show int f0/26 - stats of f0/26
  • Show 0 - show stats of 0
  • Show ip - ip config of switch
  • Show ip -lists - ip -lists on switch
  • Show ip - ip config of
  • Show ip protocols - routing protocols and timers
  • Show ip route - Displays IP routing table
  • Show ipx -lists - same, only ipx
  • Show ipx interfaces - RIP and info being sent and received, IPX addresses
  • Show ipx route - ipx routes in the table
  • Show ipx servers - table
  • Show ipx traffic - RIP and info
  • Show isdn active - number with active status
  • Show isdn status - shows if SPIDs are valid, if connected
  • Show mac-address-table - contents of the dynamic table
  • Show protocols - routed protocols and net_addresses of interfaces
  • Show running-config - dram config file
  • Show sessions - connections via to remote device
  • Show startup-config - nvram config file
  • Show terminal - shows history size
  • Show a/b - stat of port 26/27
  • Show version - ios info, uptime, address of switch
  • Show vlan - all configured vlan’s
  • Show vlan-membership - vlan assignments
  • Show vtp - vtp configs

CATALYST COMMANDS
For Native IOS - Not CatOS

SWITCH ADDRESS:

  • Config# ip address 192.168.10.2 255.255.255.0
  • Config# ip default-gateway 192.168.10.1DUPLEX MODE:
  • Config# 0/5 - “fastethernet” for 100 Mbps ports
  • Config-if# duplex full - also, half | auto | full-flow-control

SWITCHING MODE:

  • Config# switching-mode store-and-forward - also, fragment-free

MAC ADDRESS CONFIGS:

  • Config# mac-address-table permanent aaab.000f.ffef e0/2 - only this mac will work on this port
  • Config# mac-address-table restricted static aaab.000f.ffef e0/2 e0/3
    -port 3 can only send out port 2 with that mac
    -very restrictive
  • Config-if# port secure max-mac-count 5 - allows only 5 mac addresses mapped to this port

VLANS:

  • Config# vlan 10 name FINANCE
  • Config# 0/3
  • Config-if# vlan-membership static 10 LINKS:
  • Config-if# on - also, off | auto | desirable | nonegotiate
  • Config-if# no -vlan 2
    -removes vlan 2 from the port
    -by default, all vlans are set on a port

    CONFIGURING VTP:

  • Config# delete vtp - should be done prior to adding to a
  • Config# vtp - the default is , also client and transparent
  • Config# vtp domain Camp - name doesn’t matter, just so all switches use the same
  • Config# vtp 1234 - limited
  • Config# vtp pruning enable - limits vtp broadcasts to only switches affected
  • Config# vtp pruning disableFLASH UPGRADE:
  • Config# copy tftp://192.168.5.5/configname.ios opcode - “opcode” for ios upgrade, “nvram” for startup config

DELETE STARTUP CONFIG:

  • Config# delete nvram

1 Comment »

Technology is always being challenged

Jun 18, 2008 in RFID

I read a very interesting paper created by the University of Massachusetts Laboratories and Innealta, Inc.<<

This paper primarily relates to the compromise of contact less technologies () if the and/or have not been implemented correctly or the solution provider has used an inappropriate of and discusses the challenges around and with respect to financial transactions e.g. and compliance.

Additionally, the paper describes a method which is being discussed within many forums around the world and we have now begun to see equipment being produced for the /clonners to use for malicious means.

The overarching point of this paper is to use an appropriate & solutions which supports the / of the user and purpose of the  (financial or non financial)<<

The paper can be found at http://prisms.cs.umass.edu/~kevinfu/papers/-CC-manuscript.pdf

In modern & solutions, newer devices can be used which possess a high degree of power and are therefore able to execute strong cryptographic methods (such as signatures) to protect the and information whilst the is occurring.

These systems often utilise between the / scanner and the tag/ prior to performing the . These methods and are accepted and proven to work within the traditional markets.

As mentioned in the paper, some solution store static digitally signed and/or encrypted which is provided to the / when queried, but this never changes from one to another. This may allow a malicious individual to capture and re-inject the into the at a later stage. The alternative to storing static digitally signed and/or encrypted is to negotiate a key exchange at the time of the in which the /value information is encrypted and subsequently transmitted. With this method the transmitted
changes on every and therefore even if a malicious individual was to capture the encrypted from one , this would not be accepted by the if re-injected at a later stage.

Although this is the case today, older / solutions often use technologies which are not appropriate for financial transactions and therefore may be compromised easily and in some cases without the knowledge of the holder, or .

I find this interesting how some of these less secure solution have been approved for use by acquiring banks and the schemes around the world (if they were told) in recent years, where it has been seen that these solutions have utilised techniques or deployment methods which can be compromised. These technologies and techniques would never be approved within the Point of Sale (PoS) or traditional markets.

It can only be assumed that the need to get product to market quickly at the expense of proper testing, understanding and with due consideration to industry lessons learnt has succeeded again.

No Comments »

Serious flaws in bluetooth security lead to disclosure of personal data

Mar 24, 2008 in Bluetooth

source

Summary
In November 2003, Adam Laurie of A.L. Ltd. discovered that there are flaws in the and/or transfer on some enabled devices. Specifically, three have been found:

Firstly, confidential can be obtained, anonymously, and without the owner’s knowledge or consent, from some enabled . This includes, at least, the entire book and calendar, and the ’s IMEI.

Secondly, it has been found that the complete memory contents of some can be accessed by a previously trusted (”paired”) device that has since been removed from the trusted list. This includes not only the phonebook and calendar, but media files such as pictures and messages. In essence, the entire device can be “backed up” to an attacker’s own system.

Thirdly, can be gained to the AT command set of the device, giving full to the higher level commands and channels, such as , voice and messaging. This third was identified by Martin Herfurt, and they have since started working together on finding additional possible exploits resulting from this .

Finally, the current trend for “” is promoting an which puts consumer devices at greater risk from the above attacks.

The :
It is possible, on some makes of device, to connect to the device without alerting the owner of the target device of the request, and gain to restricted portions of the stored therein, including the entire phonebook (and any images or other associated with the entries), calendar, real-time clock, business , properties, change log, IMEI (International Mobile Equipment [6], which uniquely identifies the to the mobile , and is used in illegal ‘cloning’). This is normally only possible if the device is in “discoverable” or “visible” mode, but there are tools available on the that allow even this safety net to be bypassed[4]. Further details will not be released at this time (see below for more on this), but the can and will be demonstrated to manufacturers and press if required.

The :
The involves establishing a trust relationship through the “pairing” mechanism, but ensuring that it no longer appears in the target’s register of paired devices. In this way, unless the owner is actually observing their device at the precise moment a connection is established, they are unlikely to notice anything untoward, and the attacker may be free to continue to use any resource that a trusted relationship with that device grants to (but note that so far we have only tested file transfers). This means that not only can be retrieved from the , but other services, such as modems or , WAP and GPRS gateways may be accessed without the owner’s knowledge or consent. Indications are that once the is installed, the above will function on devices that previously denied , and without the restrictions of a plain , so we strongly suspect that the other services will prove to be available also.

The BLUEBUG :
The bluebug creates a serial profile connection to the device, thereby giving full to the AT command set, which can then be exploited using standard off the shelf tools, such as PPP for networking and gnokii for messaging, contact management, diverts and initiating calls. With this facility, it is possible to use the to initiate calls to premium rate numbers, send messages, read messages, connect to services such as the , and even monitor conversations in the vicinity of the . This latter is done via a voice call over the GSM , so the listening post can be anywhere in the world. is only required for a few seconds in order to set up the call. Call forwarding diverts can be set up, allowing the owner’s incoming calls to be intercepted, either to provide a channel for calls to more expensive destinations, or for theft by impersonation of the victim.

:
Although known to the community and early adopters for some time, the process now known as “”[1] has recently come to the fore in the consumer arena, and is becoming a popular mechanism for exchanging anonymous messages in public places. The