Secure Application Development links

Oct 14, 2008 in Security

Hi,

I have been putting some secure application development documents together recently and have found some good general tutorials and guidelines which I thought I would post here.

Best Practices

Other Resources

No Comments »

Internet Banking Security Assessment Considerations

Aug 05, 2008 in Banking and EFTPoS, Security

I was asked some time ago what sort of things may be considered when looking at .

Below is a list of things which could be considered. It was just a brain dump and as such may not be complete.

Don’t underestimate the value of standard for your infrastructure, website configuration,  database engine configuration/, environment and /QA environments.

Some thoughts:

  • Many don’t lock accounts after X failed logins, this is normally done for good customer service, but leaves the system .

- And all the other things expected for a session (forced changes, aging, etc))
- Tools such as may be use to brute force authenticated sessions.

  • Many allow session sequence numbers to be incremented, allowing an authenticated user to view other customer session.

- These may be side, client side, cookie based, etc.
- Get someone to check the methodologies and the code being used.
- Database query strings can be placed into test entry fields, allowing table dumps to browser.
- Check all pages served are secure and contain user flags.

  • Customer may not be segregated, this needs to be checked.
  • Customer should not reside on the .
  • databases / system should not reside on the webserver.
  • The databases should reside on a private/semi-private .

- A different segment to the main system.

  • Webserver should be dual homed or equivalent (some VLAN techniques are good)

- Separate private and public cards, monitoring/backup/administration
- Infrastructure set-up to explicitly deny inbound/outbound ports, private IP & monitoring escaping from the .

  • At all segregation points ensure rules are in place which appreciates the traffic though that point.
  • All customer where possible should be sourced from a secure back-end database.

- This may be a environment. i.e. no the main system.
- This usually allows for transactions to appear real time to the customer.
- Many transactions may be batched in reality. (internal or external to the )

  • Ensure suitable rules have been set-up on firewalls.

- There should be inbound and outbound rules on firewalls and filtering routers.

  • Don’t allow any infrastructure on the front end to allow remote administrative connections. (, etc.)

- Use the serial console port to connect to a or back-end terminal .

  • Ensure that a separate / QA / production environment system and suitable process is in place.
  • Services not used by the system are active

- These should be disabled.

  • Port scan of the supporting infrastructure (routers /switches) and (s).

- Investigate the reasons for all open ports.

  • Don’t use the main gateway for trusted partner (clearing / RAS / etc.)
  • Do all that standard IIS checks and NT checks (Sample scripts, change management, methodologies, etc.)
  • Ensure denial of service precaution have been taken into for all infrastructure and equipment.
  • Check the adequacy of the escalation procedures used.

- Look for real-time monitoring and alerting.
- Look for responsibility matrix.
- Look for ownership of issues.

  • Consider upstream carrier(s) (denial of service, IP spoofing, hacking, etc)
  • Consider social engineering of customer, administrative, partner accounts / systems / infrastructure.

- Helpdesk procedures and policies and/or alternate technologies (Caller ID, Gateway IP, etc.).

  • Use dynamic passwords where possible (SecureID, TACACS, etc.).
  • Use encrypted tunnelling where needed (, Firewall 1, etc)
  • Consider looking at other customer methods to enhance existing methods.

- cert, IP address locked to , etc.
- Consider use of or CVN for issued cards.

  • Consider how passwords are distributed /changed for customers.

- Plain email, telephone, etc.
- Can passwords be changed ?

  • Is additional used between sections of the services once authenticated?
  • Consider what the customer has to once authenticated.

- Look at , RTGS, inter- transfers, to cards, etc.
- If an attacker does get in, what can the do?

  • Use techniques to ensure pages, customer details are not cached at , or client system.

- These are flags that can be set within pages.
- Normally SSL is cached, but some proxy vendors have been playing with techniques to do so.
- Caching of SSL pages on the client system can be turned on on some browsers.
- May banks use a (or similar) applet for all customer interaction, restricting all caching issues.

  • Ensure paper based and on-line liability clauses are available are address all effected areas.
  • Ensure within the customer sign-up process liability is reduced.

- I’ve seen statements like “use this system at your own risk, responsibility for any liability or claim will NOT……”
- Not very customer focused, but that’s what their legal department recommended.

All of the above can effect the and/or operation of an on-line system.

Other things to consider:

  • External and of the application.
  • Ownership and management of the /applications
  • Publishing points for new content (internal/private/trusted or )
  • Topology of front end.  i.e. document should be in place and managed appropriately.
  • Are limited AP tests performed whenever changes are made to the environment? i.e. integrated AP into Change management process.
  • Database . Is it buffered or is it live to the core systems.
  • What facilities are provided? Direct + + + ……. Consider different scenarios for your depending on the feature.
  • What other services are shared within the segment that the service is running. Can this be used to compromise the site. eg. different /business/ organisations with differing strategies/profiles.
  • Consider all external supporting services within you AP. Look at internal/external poisoning opportunities, mail , etc. What IPS’s do they use has the any opportunity to systems or supporting services which may affect .
  • Depending on the size of the , many organisation do not use the same groups for infrastructure and the application. As a result external connections to the infrastructure may be provided for an external organisation to administer the infrastructure.
  • Look at the business and user methods and paths (client side certs, secure ID, SMART , etc). Consider two factor and modern user methods. eg. what is your favourite food in addition to normal usernames and passwords. Do system administration staff use dynamic passwords (secureID, etc)?
  • See if the application sends email to users which may contain interesting information.
  • Better to the application can generally be gained after to the system. i.e. get an legitimate on the system. I have found that some sample/administration screens have been restricted to authenticated users only.
  • Consider social engineering the Help desk to have an reset.

No Comments »

DNS Hack Needs Patching - Serious Problem

Jul 10, 2008 in Security

This has been kept under wraps by the Operating System and vendors for the last few weeks and now patches have finally been released for many , software applications and devices.
If you provide or rely on DNZ services (external and Internal) you should consider quickly your servers/devices.

Although Internal servers may not be exposed to an , we see many more internal attacks within larger organisations which involve or services being established within the firewalled trusted . As a result, this lifts the level of internal systems/services and therefore the need for effective timely .

Also consider asking the question of your hosting facility, upstream or provider to see if they have patched their servers and forwarders.

http://www.doxpara.com/?p=1162 This link also has a checker.
http://afp.google.com/article/ALeqM5hwFqcnWAuDWlcqfvfyHu5PGG9RMQ
http://www.kb.cert.org/vuls/id/800113

This is a full list of vendor links
http://www.betanews.com/article/Major_fix_to_DNS_vulnerability_impacts_Windows_Debian/1215551008

Good Luck

No Comments »

Cisco Command Cheat Sheet

Jul 04, 2008 in Infrastructure

I found a list of useful which I though I would post here. When I get a chance I will continue to expand the list and broaden command set.

Thanks to the fastget2you.com Joined With #missomhack Community for the original list.

ROUTER COMMANDS :

  • Config# terminal editing - allows for enhanced editing commands
  • Config# terminal monitor - shows output on session
  • Config# terminal ip netmask-format hexadecimal|bit-count|decimal - changes the format of subnet masks

HOST NAME:

  • Config# hostname ROUTER_NAME

BANNER:

  • Config# banner motd # MESSAGE HERE # - # can be substituted for any character, must start and finish the message

DESCRIPTIONS:

  • Config# description THIS IS THE SOUTH ROUTER - can be entered at the Config-if level

CLOCK:

  • Config# clock timezone Central -6
    # clock set hh:mm:ss dd month yyyy - Example: clock set 14:13:00 25 August 2003

CHANGING THE REGISTER:

  • Config# config-register 0×2100 - ROM Monitor Mode
  • Config# config-register 0×2101 - ROM boot
  • Config# config-register 0×2102 - Boot from NVRAM

:

CDP:

  • Config# cdp run - Turns CDP on
  • Config# cdp holdtime 180 - Sets the time that a device remains. Default is 180
  • Config# cdp timer 30 - Sets the update timer.The default is 60
  • Config# int 0
  • Config-if# cdp enable - Enables cdp on the
  • Config-if# no cdp enable - Disables CDP on the
  • Config# no cdp run - Turns CDP off

HOST TABLE:

  • Config# ip host ROUTER_NAME INT_Address - Example: ip host lab-a 192.168.5.1
    -or-
  • Config# ip host RTR_NAME INT_ADD1 INT_ADD2 INT_ADD3 - Example: ip host lab-a 192.168.5.1 203.23.4.2 199.2.3.2 - (for e0, s0, s1)

:

  • Config# ip domain-lookup - Tell router to lookup domain names
  • Config# ip name- 122.22.2.2 - Location of
  • Config# ip domain-name cisco.com - Domain to append to end of names

CLEARING COUNTERS:

STATIC ROUTES:

  • Config# ip route Net_Add SN_Mask Next_Hop_Add - Example: ip route 192.168.15.0 255.255.255.0 205.5.5.2
  • Config# ip route 0.0.0.0 0.0.0.0 Next_Hop_Add - Default route
    -or-
  • Config# ip default- Net_Add - Gateway LAN

IP ROUTING:

  • Config# ip routing - Enabled by default
  • Config# router rip
    -or-
  • Config# router igrp 100
  • Config# 0
  • Config-if# ip address 122.2.3.2 255.255.255.0
  • Config-if# no shutdown

IPX ROUTING:

LISTS:

IP Standard 1-99
IP Extended 100-199
IPX Standard 800-899
IPX Extended 900-999
IPX Filters 1000-1099

IP STANDARD:

  • Config# -list 10 permit 133.2.2.0 0.0.0.255 - allow all src ip’s on 133.2.2.0
    -or-
  • Config# -list 10 permit host 133.2.2.2 - specifies a specific host
    -or-
  • Config# -list 10 permit any - allows any address
  • Config# int 0
  • Config-if# ip -group 10 in - also available: out

IP EXTENDED:

  • Config# -list 101 permit tcp 133.12.0.0 0.0.255.255 122.3.2.0 0.0.0.255 eq
    -protocols: tcp, udp, icmp, ip (no sockets then), among others
    -source then destination address
    -eq, gt, lt for comparison
    -sockets can be numeric or name (23 or , 21 or ftp, etc)
    -or-
  • Config# -list 101 deny tcp any host 133.2.23.3 eq www

-or-

-or-

  • Config# -list 801 permit -1 -1 - “-1″ is the same as “any” with /host addresses
  • Config# 0
  • Config-if# ipx -group 801 outIPX EXTENDED:
  • Config# -list 901 permit 4AA all 4BB all
    - Permit protocol src_add socket dest_add socket
    -”all” includes all sockets, or can use socket numbers

-or-

  • Config# -list 901 permit any any all any all
    -Permits any protocol with any address on any socket to go anywhere
  • Config# 0
  • Config-if# ipx -group 901 inIPX FILTER:
  • Config# -list 1000 permit 4aa 3 - “3″ is the service

-or-

  • Config# -list 1000 permit 4aa 0 - service of “0″ matches all services
  • Config# 0
  • Config-if# ipx input--filter 1000 - filter applied to incoming packets

-or-

  • Config-if# ipx output--filter 1000 - filter applied to outgoing packets

NAMED LISTS:

  • Config# ip -list standard LISTNAME
    -can be ip or ipx, standard or extended
    -followed by the permit or deny list
  • Config# permit any
  • Config-if# ip -group LISTNAME in
    -use the list name instead of a list number
    -allows for a larger amount of -lists

PPP SETUP:

  • Config-if# ppp
  • Config-if# ppp chap pap
    -order in which they will be used
    -only attempted with the listed
    -if one fails, then connection is terminated
  • Config-if# exit
  • Config# username Lab-b 123456
    -username is the router that will be connecting to this one
    -only specified routers can connect

-or-

  • Config-if# ppp chap hostname ROUTER
  • Config-if# ppp chap 123456
    -if this is set on all routers, then any of them can connect to any other
    -set same on all for easy configuration

ISDN SETUP:

  • Config# isdn switch- basic-5ess - determined by telecom
  • Config# serial 0
  • Config-if# isdn spid1 2705554564 - isdn “phonenumber” of line 1
  • Config-if# isdn spid2 2705554565 - isdn “phonenumber” of line 2
  • Config-if# PPP - or HDLC, LAPD

DDR - 4 Steps to setting up ISDN with DDR Configure switch

1. Config# isdn switch- basic-5ess - can be done at config

2. Configure static routes
Config# ip route 123.4.35.0 255.255.255.0 192.3.5.5 - sends traffic destined for 123.4.35.0 to 192.3.5.5
Config# ip route 192.3.5.5 255.255.255.255 bri0 - specifies how to get to 192.3.5.5 (through bri0)

3. Configure
Config-if# ip address 192.3.5.5 255.255.255.0
Config-if# no shutdown
Config-if# ppp
Config-if# dialer-group 1 - applies dialer-list to this
Config-if# dialer map ip 192.3.5.6 name Lab-b 5551212
connect to lab-b at 5551212 with ip 192.3.5.6 if there is interesting traffic
can also use “dialer string 5551212″ instead if there is only one router to connect to

4. Specify interesting traffic
Config# dialer-list 1 ip permit any
-or-
Config# dialer-list 1 ip list 101 - use the -list 101 as the dialer list

5. Other Options
Config-if# hold-queue 75 - queue 75 packets before dialing
Config-if# dialer load-threshold 125 either
-load needed before second line is brought up
-”125″ is any number 1-255, where % load is x/255 (ie 125/255 is about 50%)
-can check by in, out, or either

Config-if# dialer idle-timeout 180
-determines how long to stay idle before terminating the session
-default is 120

FRAME SETUP:

  • Config# serial 0
  • Config-if# frame- - cisco by default, can change to ietf
  • Config-if# frame- lmi- cisco - cisco by default, also ansi, q933a
  • Config-if# bandwidth 56
  • Config-if# serial 0.100 point-to-point - subinterface
  • Config-if# ip address 122.1.1.1 255.255.255.0
  • Config-if# frame- -dlci 100
    -maps the dlci to the
    -can add and/or IETF at the end
  • Config-if# serial 1.100 multipoint
  • Config-if# no inverse-arp - turns IARP off; good to do
  • Config-if# frame- map ip 122.1.1.2 48 ietf
    -maps an IP to a dlci (48 in this case)
    -required if IARP is turned off
    -ietf and are optional
  • Config-if# frame- map ip 122.1.1.3 54

SHOW COMMANDS

  • Show -lists - all lists on the router
  • Show cdp - cdp timer and holdtime
  • Show cdp entry * - same as next
  • Show cdp neighbors detail - details of neighbor with ip add and ios version
  • Show cdp neighbors - id, local , holdtime, capability, platform portid
  • Show cdp - int’s running cdp and their
  • Show cdp traffic - cdp packets sent and received
  • Show controllers serial 0 - DTE or DCE status
  • Show dialer - number of times dialer string has been reached, other stats
  • Show flash - files in flash
  • Show frame- lmi - lmi stats
  • Show frame- map - static and dynamic maps for ’s
  • Show frame- - ’s and dlci’s
  • Show history - commands entered
  • Show hosts - contents of host table
  • Show int f0/26 - stats of f0/26
  • Show 0 - show stats of 0
  • Show ip - ip config of switch
  • Show ip -lists - ip -lists on switch
  • Show ip - ip config of
  • Show ip protocols - routing protocols and timers
  • Show ip route - Displays IP routing table
  • Show ipx -lists - same, only ipx
  • Show ipx interfaces - RIP and info being sent and received, IPX addresses
  • Show ipx route - ipx routes in the table
  • Show ipx servers - table
  • Show ipx traffic - RIP and info
  • Show isdn active - number with active status
  • Show isdn status - shows if SPIDs are valid, if connected
  • Show mac-address-table - contents of the dynamic table
  • Show protocols - routed protocols and net_addresses of interfaces
  • Show running-config - dram config file
  • Show sessions - connections via to remote device
  • Show startup-config - nvram config file
  • Show terminal - shows history size
  • Show trunk a/b - trunk stat of port 26/27
  • Show version - ios info, uptime, address of switch
  • Show vlan - all configured vlan’s
  • Show vlan-membership - vlan assignments
  • Show vtp - vtp configs

CATALYST COMMANDS
For Native IOS - Not CatOS

SWITCH ADDRESS:

  • Config# ip address 192.168.10.2 255.255.255.0
  • Config# ip default-gateway 192.168.10.1DUPLEX MODE:
  • Config# 0/5 - “fastethernet” for 100 Mbps ports
  • Config-if# duplex full - also, half | auto | full-flow-control

SWITCHING MODE:

  • Config# switching-mode store-and-forward - also, fragment-free

MAC ADDRESS CONFIGS:

  • Config# mac-address-table permanent aaab.000f.ffef e0/2 - only this mac will work on this port
  • Config# mac-address-table restricted static aaab.000f.ffef e0/2 e0/3
    -port 3 can only send out port 2 with that mac
    -very restrictive
  • Config-if# port secure max-mac-count 5 - allows only 5 mac addresses mapped to this port

VLANS:

  • Config# vlan 10 name FINANCE
  • Config# 0/3
  • Config-if# vlan-membership static 10TRUNK LINKS:
  • Config-if# trunk on - also, off | auto | desirable | nonegotiate
  • Config-if# no trunk-vlan 2
    -removes vlan 2 from the trunk port
    -by default, all vlans are set on a trunk port

    CONFIGURING VTP:

  • Config# delete vtp - should be done prior to adding to a
  • Config# vtp - the default is , also client and transparent
  • Config# vtp domain Camp - name doesn’t matter, just so all switches use the same
  • Config# vtp 1234 - limited
  • Config# vtp pruning enable - limits vtp broadcasts to only switches affected
  • Config# vtp pruning disableFLASH UPGRADE:
  • Config# copy tftp://192.168.5.5/configname.ios opcode - “opcode” for ios upgrade, “nvram” for startup config

DELETE STARTUP CONFIG:

  • Config# delete nvram

1 Comment »

Financial Transaction Processing

Jul 02, 2008 in Banking and EFTPoS

I have been recently working inside one of the larger Banks in .
Through this work I have been looking at the controls and surrounding the of and cards around the Asia Pacific.

I get perform many and systems assessments.
Over the years I have always considered the of the as one of the key considerations.

Until yesterday I had never seen an or tools. I think some scripted use of these tools could be very interesting.
The site hziggurat29.com

Many of the other tools on this site are also very unique and worth a look.
Big thanks to ziggurat29 for providing such awesome tools.

As many of these sites are of this nature are difficult to find and often seem to vanish over the years, I have chosen to replicate the the from this page and provide local copies on the files.
It is worth periodically visiting the ziggurat29 site every now and again to see if any additional tools have been posted.

One of the more extraordinary files is the Atalla Module ()  and for (simulation) tools. So I wonder if and are shaking in their boots. Some how I don’t think so. ;-)

——– ziggurat29 ———

These are all Windows command-line utilities (except where noted); execute with the -help option
to determine usage.

DUKPT Decrypt (<- the actual file to download)

This is a that will Encrypted Blocks that have been produced via the triple- method.  I used this for testing the output of some Pad software I had created, but is also handy for other debugging purposes.

VISA PVV Calculator (<- the actual
file to download)

This is a that will compute and verify Values that have been produced using the .  It has a bunch of auxiliary functions, such as verifying and fixing a PAN (Luhn ), creating and encrypting blocks, decrypting and extracting PINs from encrypted blocks, etc.

VISA CVV Calculator (<- the actual file to download)

This is a that will compute Values that have been produced using the .  MasterCard CVC uses the , so it will work for that as well.  It will compute , CVV2, CVV3, iCVV, CAVV, since these are just variations on service code and the
format of the expiration date.  is simply comparing the computed value with what you have received, so there is no explicit function.

Atalla AKB Calculator (<- the actual file to download)

This is a that will both generate and Atalla AKB cryptograms.  You will need the plaintext MFK to perform these operations.  When decrypting, the MAC will also be checked and the results shown.

BogoAtalla (<- the actual file to
download)

This is an Atalla (or simulator).  This software (simulation) of the well-known Atalla Module () that is used by banks and processors for cryptographic operations, such as verifying/translating blocks, authorising transactions by verifying
/CSC numbers, and performing key exchange procedures, was produced for testing purposes.  This implementation is not of the complete HP Atalla command set, but rather the just
portions that I myself needed.  That being said, it is complete enough if you are performing acquiring and/or issuing functions, and are using more modern schemes such as and , and need to do generation, , and translation.

This runs as a listening socket and handles the native Atalla command set.  I have taken some liberties with the error return values and have not striven for high-fidelity there (i.e., you may get a different error response from native ), but definitely should get identical positive
responses.  Some features implemented here would normally require purchasing premium commands, but all commands here implemented are available.  Examples are generating values and encrypting/decrypting plaintext values.

BogoAtalla for Linksys (<- the actual file to download)

This is the Atalla ported to Linux and build for installation on an OpenWRT system.  Makes for a really cheap ($60 USD) /test device.

 

Local Files

bogoatalla002
atallaakbcalc
bogoatalla_10-1_mipsel
dukptdecrypt
visacvvcalc
visapvvcalc

2 Comments »

E-Commerce Glossary

Jun 18, 2008 in Banking and EFTPoS

Acquiring Institution
The which holds the partaking in a financial , typically the first involved in the of a .

Applet
A small computer program which facilitates the performance of particular tasks.

Bandwidth
The capacity of a to carry or process information. The higher the bandwidth the faster graphics-laden pages will download.

Browser
Short for browser, a software application used to locate and display pages. The two most popular browsers are Netscape Navigator and Microsoft . Both of these are graphical browsers, which means that they can display graphics as well as . In addition, most modern browsers can present multimedia information, including sound and video, though they require plug-ins for some formats.

Caching
The automatic copying and storage of frequently used information onto a computer system – Typically caching is seen whilst surfing the (graphics, etc.) and used by Services Providers (’s) to reduce the amount of requested from the user onto the .

Issuer
The which issued the cardholder’s and .

Cardholder
The individual participating in the financial whose is being credited or debited.


The additional information printed on the to be processed. This is used to verify if the was present when the was initiated.  This is the additional digits imprinted on the usually on the reverse side for & Mastercard and on the front for AMEX.

Certificate
An x.509 certificate used to entities such as Merchants and Gateways. Certificates can be used to identify and/or encrypt sensitive such as numbers and personal cardholder information.

CGI
Common Gateway : A protocol that allows a page to run a program on a . Forms, counters, and guest books are common examples of CGI programs.

Any piece of software can be a CGI program if it handles input and output according to the CGI standard. Usually a CGI program is a small program that takes from a and does with it, like putting the content of a form into an e-mail message, or turning the into a database query. CGI “