VoIP interception using Cain, from Wim Remes on Vimeo.
A short introduction to sniffing and intercepting VoIP (SIP) traffic using Cain.
Find information on installing the VoIP lab over at http://enablesecurity.com/resources
Dear readers, as you may already know, Brucon is taking place on September 18th and 19th here in Brussels, Belgium. Their CFP is still open until the end of this month and I encourage you all to think about submitting!
Imagine a great security conference, wonderful food and an amazing choice of local yummy beers. I see no reason why you shouldn’t!
See http://www.brucon.org for more information. What are you waiting for?
I caught this in the logs.
You’re either a prankster changing your user-agent string, or you’re living in the stone age.
Last night someone shot me a press release from Gartner about IAM (Identity and Access Management)
I was amazed on so many levels that I have to get rid of the awful aftertaste that this left …
Ant Allen puts it like this:
“There is a continuing need in this time of economic uncertainty and budgetary constraints for cost-effective, risk-appropriate IAM methods. This includes growing demand for identity-aware networking, host- and service-based IAM offerings and the search for protection from increasingly effective malware attacks against consumer accounts.”
I don’t know how I should read this, knowing that it came from the mouth of a man who was named after a bug.
Someone on Twitter summed it up quite right … “Well since no one can make it work, might as well schlep it to a 3rd party ”
From my experience, IAM projects fail because they are a burden laid upon the IT department by the business, which subsequently denies any responsibility for them. Observed from the other side, most of the IT people involved in IAM projects lack the skills to communicate effectively with business people and get done what needs to be done for an IAM project to work.
Look, it’s quite simple: IAM projects fail because people fail to communicate and work together. There are plenty of technologies (I’m not naming products) that support a good and functional IAM approach. Moving IAM to a third party and having it delivered to you ‘from the tap’ will not suddenly make your IAM attempts work.
If nothing else, they will help you fail at a lower cost. If you start to grow accustomed to failure, you might feel that this is a good thing.
I, for one, beg to differ.
In a server-based computing environment (think Windows Terminal Server or Citrix) you face quite a few challenges in restricting or controlling web access. The following simple solution solves one of them, and it comes at no cost.
In this particular situation, I was looking for a way to restrict web access based on the workstation a user connected from. The reason was that certain workstations were located in areas where browsing was formally not allowed, yet people still needed access to their Citrix-based applications. Thus began a long search …
If you look in the Terminal Services Manager, you’ll see that username and workstation name are properties of an RDP or ICA session. But I can’t do anything with that information from the GUI; I need to write some kind of script, so I need to retrieve it from the command line.
net session didn’t turn up anything regarding TS connections, so I ruled that one out.
query user and query session did give me information on the user, but even though the tool’s output contained a Device column, it showed no value for the workstation.
On I went with WMIC, something Ed Skoudis and Paul Asadoorian (amongst others) pointed to in recent publications and podcasts, but I wasn’t able to retrieve the information that way either. Let me tell you, I was bummed … I needed one parameter and it wasn’t available from the command line?
It turned out I was looking too far, searching for a complex solution while the information was readily available. In the end, this was the solution:
FOR /F "tokens=1" %G IN (\\server\share\clients.txt) DO IF /I "%G"=="%CLIENTNAME%" (REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f)
Yes, the environment variable %CLIENTNAME% contains the name of the computer the user connected to the Terminal Server from.
A little explanation:
clients.txt is a plain-text file containing the names of the clients from which internet browsing is not allowed, one name per line. If %CLIENTNAME% matches one of these clients (the /I makes the comparison case-insensitive, and quoting both sides keeps the IF from breaking when the variable is empty, as it is in a console session), ProxyEnable is set to 0 and browsing is disabled (assuming you are using a proxy server and direct outgoing web traffic is blocked at the firewall). I suggest putting clients.txt on a share, read-only for all users, so nobody can edit themselves off the list.
Please note:
If you put this command in a batch file (for example a logon script) instead of typing it at the command line, change %G to %%G!
Combine this with a GPO restricting access to the proxy settings, so the user cannot re-enable the setting herself (ProxyEnable lives under HKCU, which the user otherwise owns), and you’re done. Location-based browsing restrictions are in effect. One caveat: %CLIENTNAME% is simply the name the RDP client reports when it connects, so a user with a client that lets them choose that name (rdesktop’s -n option, for instance) can present a name that is not on the list. Treat this as a usability and policy control for managed workstations, not as a hard security boundary; the firewall rule blocking direct egress is what actually stops the traffic.
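The same idea as a PowerShell logon script, added here as an example and not part of the original post. It generalises the batch one-liner: it ignores blank lines and comments in the list, handles console sessions (where CLIENTNAME is empty), and fails closed by disabling browsing when the list cannot be read. The path \\server\share\clients.txt and the assumption that the proxy is the only way out are carried over from the post; everything else is hypothetical.

```powershell
# Added example, not the original post's script. Run as a per-user logon script.
# Assumptions: deny list at \\server\share\clients.txt (one client name per line,
# '#' starts a comment) and no direct egress, so ProxyEnable=0 blocks browsing.

param(
    [string]$DenyListPath = '\\server\share\clients.txt'
)

$regPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Disable-Browsing([string]$Reason) {
    Set-ItemProperty -Path $regPath -Name ProxyEnable -Value 0 -Type DWord
    Write-Verbose "Browsing disabled: $Reason"
}

# CLIENTNAME is only populated inside an RDP/ICA session; a console logon has none.
# Note: the value is whatever the RDP client reported, so it is not a hard control.
$client = $env:CLIENTNAME
if ([string]::IsNullOrWhiteSpace($client)) {
    Write-Verbose 'No CLIENTNAME in this session (console logon); nothing to do.'
    return
}

# Fail closed: if the deny list cannot be read, assume the worst and block browsing.
try {
    $denied = Get-Content -Path $DenyListPath -ErrorAction Stop |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') }
} catch {
    Disable-Browsing "could not read $DenyListPath ($($_.Exception.Message))"
    return
}

# -contains compares strings case-insensitively by default, matching IF /I in cmd.
if ($denied -contains $client) {
    Disable-Browsing "$client is on the deny list"
} else {
    Write-Verbose "Browsing allowed from $client."
}
```

Assign the script as a user logon script via GPO and pair it with the GPO that locks the proxy settings page, exactly as with the batch version; without that lock, anything written to HKCU can be undone by the user.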
On the last Risky Business podcast it was mentioned that companies would be able to reduce costs by enabling little known or previously unused features in their infrastructure, mostly focusing on IDS/IPS, AV, Webfiltering and other features in perimeter appliances.
This is an interesting idea but let’s take a step back.
From a business POV, I’d love to sell additional features, but chances are that my customers do not have the manpower to manage them. The features mentioned are not fire-and-forget. First off, they will change the end-user experience, possibly hindering people in doing their jobs. But they will also generate tons of logs, which need to be analyzed and acted upon. You see, it’s not as easy as “enable the feature and be more secure”.
For me, there is one thing you can focus on right now that will improve the security of your company, and it won’t cost you a dime to kickstart it. Once you are clear about what you want and need to see, and how you want to see it, you will also know which vendors to talk to in order to build a cost-effective system.
Logging!
There are thousands of log messages to be captured every day.
All your appliances, switches, servers, even clients are generating messages every second. If you haven’t done anything to listen to what they are saying, START NOW !
Build a system that centralizes logging for your infrastructure. Maybe you won’t be looking at it all day, every day, but make sure that it is there. Consider tools like Splunk: it’s free for the first 500 MB of daily logging and it supports a lot of formats. It also allows you to drill down, correlate and report on events.
Reports require good metrics; consider buying ‘Security Metrics’ by Andrew Jaquith. Choosing the right metrics is paramount to effective systems management, and Andrew does a fantastic job of teaching us how to choose them.
A last resource I want to suggest on this subject is the wonderful site www.secviz.org, and another wonderful book by Raffael Marty called ‘Applied Security Visualization’.
It is one thing to collect logs and go through them manually; visualizing them using one of the dozens of methods Raffy explains in this book might prove invaluable for your company! Remember that a large share of people are visual thinkers, understanding things better and more easily through graphics than in plain text.
Another thing you might want to focus on is your security policy. You know, the thick stack of paper that gathers dust or keeps your desk level. Review it, rip it apart, reconstruct it. Make it a flexible framework of documents that supports your security programme, instead of leaving it in the 2×4 function it serves right now. Make security work for the people and the business.