Archive for the ‘ Security ’ Category

With our latest network revision we are focusing more on network security and lowering the amount of unprotected and unsecured ports. Some ports you can not help but open like your FTP and HTTP which are inherently internet facing. There are things that can be done to tweak the underlying daemon to be more secure though. Also other modules and encrypted versions of the protocols exist that use secure certificates and algorithms to obscure the data being transfered between hosts. For instance HTTPS uses certificates to establish secure methods of communications between client browsers and Web servers. The certificates are used mainly to encrypt HTTP requests for banking sites, web based emails, and other web based resources.

We have grown to accustomed to opening ports for various services like camera servers, a/c controllers, and odd port HTTP services. Our goal is to have less ports opened for internet facing  services. Now hackers can still jump on to an incoming stream to exploit any vulnerabilities on the other side. For now we are working on edge based security by implementing other tools like Intrusion Detection and Prevention Systems (IDS/IPS) like Snort.  Snort can be used as an add-on to routers with a package based system like PFSense which is what we use, installed as a daemon on a server that is turned into a router, or as an outside server configured with port mirroring monitoring the traffic transparently.

So as the first step to minimizing our surface for attack is to use a VPN tunnel to control/manage servers behind the firewall as opposed to opening a port. Even remote management of firewalls is a security risk. For example dd-wrt was a victim of an attack on its web based management tool when accessible from the internet. A work around to this would be to use a VPN connection or a system behind the firewall to manage the firewall. Though remote control protocols are always targeted, especially RDP on the well known port 3389. We choose to use IPSec for our VPN this time around instead of OpenVPN or PPTP (which only works for a while if at all).  We didn’t feel like messing with CAs and Keys this time around but may be implemented later on if we choose too. We are still researching any vulnerabilities with IPSec as configured along with best practices for this setup on our development network. Yes, we test things before deploying it in the wild. It gives us time to learn and figure out the best method for implementing services like VPNs or Networking topologies.

So far I like it. Using Schrewoft’s IPSec client and PFSense I get to the web management GUI and it works with my redundant firewalls We just have to reconnect when one goes down. We will be testing the ability to reach other devices later on when we added more boxes to the network. We like the speed even over wireless from Bellsouth to Comcast. We will be testing data transmission speeds also when more boxes are added since a basic webpage isn’t a great test for the speed of connections.

So to summarize, no more swiss cheese firewalls, all open holes are monitored and flagged if suspicious traffic is discovered, and management is done over encrypted tunnels instead internet facing management GUIs that may be vulnerable. We will be doing more of this in future deployments of any network we roll out.

OOO you thought this was a game. LOL, nah buddy. We recently attended a talk at SFISSA (South Florida Information Systems Security Association), we definitely plan to join them again this month also. Well at the last talk we expressed interest in donating some old equipment to the cause and we were told the fine guys at Hack Miami may be interested. We got in contact with James C. aka Hat Trick and linked up. James works for <can’t say> where he test web page vulnerabilities to protect against hacker’s like himself from getting important customer data. We donated a HP ML350 and a Cisco 3500 24 port switch to the cause. Talked for a bit and showed him around the home office and our development network we are working on. A very cool and interesting dude. You can tell he has been through some networks. He has done work on hacking into terrorist networks, who actually seem to be very vulnerable from his perspective. Did I mention he was a super cool dude, we went into it quite a bit and we will be doing more with Hack Miami and other organizations. He will list us as sponsors for the group so thats always a good look for us.

Once the latest revision on our network is done we will definitely ask these guys to try and hack us. Why you ask? This is important and needed as a proactive step to ensuring that networks we build and design are safe to use. There is no point in sitting down now a days and waiting to be hacked as if “No one will ever find us over here.” is a mantra to design lack luster security scheme for an internet facing server or network. Even internal networks can be hacked to bits by John in accounting who just got laid off. Security is important and without it in mind you may be on the bad end of identity theft. Sounds fun doesn’t it.

Ask your web design guy about %27

Got a little insight on some web programming and other network security centric ideals along with some other hilarious photos. We hope to be  more involved with local computer organizations. This helps us with exposure amongst our peers and we get a lot of info on network security, new technologies, insight on best practices for enterprise organizations, along with cool stuff other NERDS are doing.

Ummm there isn’t any. What I mean is that most business don’t care  and they feel the expense for such security is to high and the age  old phrase “who would attack me?” well just about anyone these days.  With this recessions we seem to be in, crime is at an all time high both in the street and on the Internet. A myriad of methods to collect or steal data that start from constant phishing emails telling you to renew or update account info all the way to site hijackers posing as online banking institutions that harvest your log in info then drain you dry. It’s only become easier these days with the explosion of wireless networks being put up without the proper protection or updating the systems sharing the network. Inferior wireless security and encryption methods are still used to block access. Little do most businesses and wireless users know that there  are people out there that look for these vulnerabilities and exploit them. Harvesting the I’ll gotten gains (magic the gathering reference for the nerds).

Say for instance this was a financial instituion or even a store. These places store financial information of customers. Whether it’s on quickbooks or through a credit card terminal. So if one would say break through that and take a look at the computers on the network I’m sure you would find that the systems haven’t been updated with even the latest service pack. There are sites where vulnerabilities are cataloged, categorized, and archived so they are easily searched to help a hacker exploit your system(s). Cracked versions of software are no different. Sureeee it’s free and even though it can’t be updated it’s cool right? NOPE! Some of these wares have built in vulnerabilities and hacks that go un noticed by antivrus/antimalware programs. One program or document type that is known for its numerous exploits is the PDF format. Used in the past to jailbreak iPhones and penetrate system security this along with other popular formats like doc/docx (Word) and xls/xlsx (Excel) have been transporter of nasty malware/virus attacks. They install, infect, and repeat on any other system on your network.

Some would say man your just being paranoid, but when your system gets infected or you have financial data that is of the greatest importance to keep your company going can be potential compromised you tend to protect that at any cost.

The reason for this post is because recently I was getting my vehicle repaired by the dealer. I noticed while looking to connect to their wireless their WIFI encryption was WEP. Known to hacked in no time and not allowed to be used by networks with credit card terminals by some merchants services vendors. I informed them of their easily hackable network and let them know. They kinda shrugged it off as if I was some sort of salesman. Which I guess I was in a way cause I told them I could fix it :D) The lady who I think ran the place declined even when I briefly explained what could happen. I walked away and told my partner the story. He said “Wow and she didn’t care” I replied “No”, “Well I guess she doesn’t want to keep her money then.”…..”YEP!”

For example if I was to hack into this dealers network. Access one of there terminals/PCs that allow me to make say MINOR changes to my payments we could make a Jaguar XJ or BMW M3 a biiiiiit more affordable. Now a good hacker doesn’t do this drastically. No, a good hacker takes their time makes payments on time and stays under the radar. Finding the best way to make sure they are unnoticed. Leave some fruit on the tree for the winter in a sense. A friend and I spoke about this and we came up with this pan.

THE PLAN – CODE NAME: NICE AND EASY

Make payments for a year. Don’t be late or cause any discrepancy. Then go back and change their payment logs. Augment it showing that you have paid them in full within that one year term. Yeah that’s it niceeee and easy. They got something right.

This is how some hackers squat in the bushes and work till they are found out. Like infecting a heavily visited government site or blog with a Java exploit. I personally feel bad doing something like this, but hey I feel bad though the person who does penetrate their network on the other hand…..well I’m sure they won’t. Security is hard and computer/network security is even harder. Exploits are patched then exploited again. There are many flaws in computer systems and they are all brought to light sooner or later. I’m just trying to find better ways to protect my little piece of the CLOUD.

 

Some good reading/watching

Old PDF Exploit

WEP Cracking Step-by-Step

WEP Hacking VIDEO!

 

 

 

Update when it asks

When java, flash, or adobe reader prompts you for an update, you should do it. Recently a customer needed malware removed. Even with the latest OS and up to date antivirus the system was still infected due to the out of date java plugin. It was minor and thankfully easy to remedy, but it could have been avoided by updating their software on a regular basis or at least when it prompts you to. Out of date software produces vulnerabilities for malware and wide spread infections. Sooo yeah update when it says so, OK. If your unsure then post a question here on our facebook page. An opening like this can destroy a network over time, sometimes in no time at all. We run through system updates on a regular basis to make sure we are in good standing, but even though not very often we are victims even with our best efforts.

Heed it's warning

 

 

Many viruses are stuck to websites, some on email, and in programs. Viruses do things like doing nothing to multiplying and taking up memory to erasing your entire hard drive. Here’s how to implode those annoying things.

Email is the most common way of getting infected
Don’t click on pop-up windows that announce a sudden disaster in your city!
Be careful about using MS Outlook.
Install an Anti-Virus program(ex. Norton,  McAfee, or AVG.)
Install an Anti-Spyware program(ex. Ad Aware SE, Windows Defender)
If someone sends you an attachment in e-mail or instant messaging, do not open it.
Do not use disks that other people gave you, even from work.
Do not download software from just any old website.
Set up your Windows Update to automatically download patches and upgrades.
Consider switching to a different web browser. Other web browsers (such as Firefoxor Opera)
Be careful when surfing the internet.
Read about the latest virus threats so you are aware of the potential danger.
Try to balance paranoia with common sense. Some people get really weird about viruses, spyware, etc. It’s just a computer!
Use a software firewall! Even if you have a hardware firewall, always use a software firewall (ex. Norton, Mcafee, AVG, CA…Internet Security).
Scan things you download!
Stay away from file-sharing sites (Limewire, frostwire, and some bit torrent websites)

Joke of the day: You can avoid getting virus by just simply getting a Mac!!!

URL: http://www.wikihow.com/Avoid-Getting-a-Computer-Virus-or-Worm-on-Your-Windows-PC