by Craig

Security testing - crossing the line

I have been pondering the case of Marcus Hutchins who was recently arrested in the U.S for hacking and the parallels to an experience I had a number of years ago.

Marcus Hutchins gained notoriety for stumbling onto a “kill switch” for the WannaCry ransomware in May 2017. He did this by registering a domain during some diagnostic tests he was running against the ransomware, in an effort to learn more about it, which caused the ransomware to believe it was in a lab and shut down (so he believes). The more detailed explanation is here, but to summarise: he believes that in a lab environment the ransomware would try to detect if it was in a lab and would want to shut itself down to avoid analysis. To try and determine if it was in a lab the ransomware checks to see whether a spuriously long domain existed and was being answered, or not. In a lab environment every call by the ransomware would be answered, to see what traffic it was sending, but this would also let the ransomware know it was being answered and thus in a lab, so it would shut down. However, this also means that if you just register the domain then those outside the lab would just shut down as well…

So fast forward a few months and Marcus goes to the U.S. to visit friends at a conference and has been arrested by the FBI for writing malware. This, at time of writing, is unproven, but it would be odd for someone who is a white hat hacker to be writing malware and selling it on the side, as you are making yourself very publicly known and thus a target to people on both sides.

Anyway, this led me back to a story I wanted to tell that has very direct parallels with non-technical people in positions of authority needing to take action on something that they don’t understand. So let’s rewind a bit (and for this you are going to have to excuse my memory of the situation) to an early part in my career where I was looking at some security testing as part of my job.

Part of my job at this company was to look at the security of an in-house application they had built. This was only a part of my job and not the full extent of what I was doing, but I was the only person looking at this part of the product and I had been told to test it. So as part of that I started to devise what it was I was going to look at: what happens when you assign privileges, do they work? What happens when you change a password, does it work? When you do this through the GUI, does it change in the database?

It was a standard part of the toolkit of most people who worked within IT to have read-only database access; working out what had happened and how to fix it was part of the job, especially in test. So as part of my job to test the permissions and password changes within the security module I also checked they had changed within the database, but that is where things started to look a little odd to me.

Having run a query to select from the T_Users table (table names changed to protect the innocent!) I notice something:

UserID  User    Password
1       James   26$11$29$29$33$25$28$14
2       Martin  34$20$18$12$12$25$18$21
3       Sally   18$14$32$15$15$17
4       Bill    26$11$29$29$33$25$28$14
5       Emily   26$11$29$29$33$25$28$14
6       Karl    18$17$19$20$21$32$35$23
7       Craig   32$28$29$27$17$27$26$18$15$31$20$24

Why are James, Bill and Emily’s passwords the same? Why would they think of the same password? I bet it’s because they used “Password”. So I check this by logging into the test system as Bill with the password of “password” and sure enough I can log in. But I also notice that the length of the password actually matches the length of the word “Password” if you remove the $ symbols (none of this is rocket science). I further notice that position 3 of my password is also the letter “S” and the number 29, which is then repeated for the next letter, which is also “S”, so it must be directly substituting numbers for letters. So what position is the letter S in the alphabet? 19. What position is P? 16.

  • P (position 16 in the alphabet) : 26 - 10 = 16
  • A (position 1 in the alphabet) : 11 - 10 = 1
  • S (position 19 in the alphabet): 29 - 10 = 19
  • S (position 19 in the alphabet): 29 - 10 = 19

Oh dear.

So clearly the strength of the encryption of the passwords in the database wasn’t terribly strong. What was slightly worse is that most people in the live environment also had some sort of query access to the database to run reports against it (the system was still in development).
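The scheme described above, reconstructed as an added example in Python (it is mine, not code from the post or from the system being tested). The rows are constructed in the shape of the T_Users listing, using only the stored value the post identifies as “PASSWORD”; the PBKDF2 iteration count and the layout of the stored hash string are my assumptions. It shows why the thing that tipped the author off (three users with identical stored values) is exactly what a salted, one-way password hash prevents:

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

# Constructed sample rows in the shape of the T_Users table from the post.
# Only "26$11$29$29$33$25$28$14" comes from the post (it decodes to PASSWORD).
SAMPLE_ROWS = [
    (1, "James", "26$11$29$29$33$25$28$14"),
    (3, "Sally", "18$14$32$15$15$17"),
    (4, "Bill", "26$11$29$29$33$25$28$14"),
    (5, "Emily", "26$11$29$29$33$25$28$14"),
]

SHIFT = 10  # the scheme: 1-based position of the letter in the alphabet, plus 10, joined by '$'


def decode_shift(stored: str, shift: int = SHIFT) -> str:
    """Reverse the substitution the post describes: each '$'-separated number
    minus the shift is a 1-based position in the alphabet (A=1 ... Z=26)."""
    letters = []
    for token in stored.split("$"):
        pos = int(token) - shift
        if not 1 <= pos <= 26:
            raise ValueError(f"token {token!r} is not a shifted letter")
        letters.append(chr(ord("A") + pos - 1))
    return "".join(letters)


def duplicate_stored_values(rows):
    """Group users by stored value. With a deterministic, unsalted scheme, two
    users with the same password get the same stored value, so duplicates
    leak password reuse before anything is decoded at all."""
    groups = defaultdict(list)
    for _, user, stored in rows:
        groups[stored].append(user)
    return {stored: users for stored, users in groups.items() if len(users) > 1}


# What should be stored instead: a salted, slow, one-way hash. PBKDF2-HMAC-SHA256
# from the standard library; the iteration count is an assumption for this example.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Fresh random salt per user, so equal passwords give unequal stored values."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for stored, users in duplicate_stored_values(SAMPLE_ROWS).items():
        print(f"{users} share stored value {stored} -> {decode_shift(stored)}")
    first, second = hash_password("PASSWORD"), hash_password("PASSWORD")
    print(first != second, verify_password("PASSWORD", first), verify_password("password", first))
```

Run as a script, the duplicate detector names James, Bill and Emily for one stored value, which decodes to PASSWORD; the two PBKDF2 strings for that same password differ because each carries its own salt, yet both verify, so a reviewer reading the table can no longer tell who shares a password.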

Then another thought struck me: what is in the .ini file that the application (executable) uses to log in to the database to do its work?

(.ini file)
Username: BLAHBLAH
Password: 32$28$29$27$19$20$21$32$35$17$27$26$18$15$31$20$24

Oh please don’t tell me this is true. I notice that the username is the Oracle schema owner (not a user with privileges to do work) and that this password looks awfully familiar. So to finish my testing I “decrypt” the password and check it by logging into the live system with the username and the decrypted password.

Mistake.

No alarm bells go off or anything, but I realise I have just logged into the live company system as the schema owner with access to everything. This is possibly a step too far and in hindsight I wish I had logged into test (they would have been the same passwords, same data etc. etc., but there you go). But of course I am testing this module for the security of the system, so I go over to the developers and start to talk to them about how their encryption isn’t very strong (this is understating it somewhat). The next thing I know I am brought in front of my boss and told that I am subject to a disciplinary.

The disciplinary runs along the lines of:

  • Why were you testing the security module? Because you told me to.
  • Why did you test the passwords? Because I was testing the security module.
  • Who told you to check the passwords? No-one, but you didn’t tell me what to do or give me any other instructions other than test the module.
  • Why did you think it was your job to test the encryption? No-one else is testing it, so who else is going to check it? You spot a problem, you have a look to see if it is “broken”; you don’t just ignore it!

So that goes on for about an hour and, what with me being slightly inexperienced in these things, I am very very nervous and wondering what is going to happen to me. I understand that the database manager wants me fired, one of the other managers thinks I was only doing my job and the developers are kind of embarrassed. So with the director of the department and an HR advisor sat there in this disciplinary meeting I am told I am being given a verbal warning. *phew*

So I now look at this with years of hindsight and the benefits of being in management, and work out what I would do. Looking back I am pretty sure that none of those involved had any idea of what they were talking about. The development team was blowing smoke and trying to deflect attention away from their poor coding and the management team was trying to work out what was going on. Had there been a technical manager involved above me I doubt I would have gone anywhere near a disciplinary, but all those above me were project managers. They needed to take some sort of action but didn’t know what was proportional or appropriate, so they ended up making a whole load of noise and doing nothing.

So where are the parallels to Marcus? Well, the lack of technical understanding of the management involved in my little incident meant they could not objectively evaluate what had taken place and whether or not I had acted in the best interests of the company; they only knew the word “hacker” and that must mean I had done something bad. The U.S. Justice Department needs to “get results” in the current political climate and I cannot help but wonder if their lack of technical skillset has led them to go after a “hacker” who once wrote code to show how other people hack into systems (how else are you going to know?). Marcus is a young white hat hacker who finds problems that can be fixed before someone with malicious intentions finds them, exploits them and causes damage. In both our cases, if you don’t look at and reverse engineer systems and code you will not be able to determine if it is secure or actually poses a vulnerability. By writing code showing how hackers work he educates coders on how to protect their systems by showing them the vulnerabilities.

It’s a fine and difficult line to walk where you are trying to explain the methods used to gain access, to help stop criminal activity, without looking like a criminal yourself. But this goes on all the time where people pick locks on YouTube and show how it is done, to show you how good or bad a product might be and how difficult it is to pick. There are guys called locksmiths who pick locks for a living when you lock yourself out and you don’t see them being arrested by police as soon as they let someone back into their home.

I feel sorry for Marcus as it is going to be difficult for him to explain his actions to a potentially non-technical audience, and even more so to a “jury of his peers”, in terms of the differences between white and black hat hacking. I am also giving him the benefit of the doubt, as we all should in these cases, until different evidence appears. For a guy so young he, like I was back then, must be very worried about his future and I do feel for him.

For the record I continued to work, and undertook multiple roles, at the same company for many years before I left to progress my career elsewhere. Of those involved I continued to enjoy a good working relationship with all and the whole episode was swept under the rug where I think they would have preferred it had never been dragged out from in the first place!

by Craig

Hardening WordPress

If you ever deploy a site using WordPress then you REALLY need to ensure it’s had some security hardening. “Why?” I hear you ask, “No-one is going to target me!”. If you think these things then you are probably right; no-one is really interested in hacking you personally unless you have a high profile. This raises the question of who a likely attacker would be, and therefore the method of attack. In my opinion, humble as it is, the likely attacker is going to be an opportunist and the method will be automated scripting. This is done by targeting multiple websites and IP ranges and would not be directed at you personally.

So with that premise in mind what can be done to harden a WordPress installation to make it more difficult for an automated hack?

Keep WordPress up to date

WordPress does automatically patch itself, but you should also ensure that the plugins that are being run are up to date as these won’t be automatically updated. Checking this on a regular basis (put it in your diary!) will stop attacks against known vulnerabilities that you have yet to patch on your website.

Do you really need that plugin?

The more plugins you have, the broader the attack surface is for an attacker. This is mostly because the extra code you are adding to your website for those “must have features” could also contain bugs which an attacker can exploit. If a plugin author does not fix bugs in their software, or worse stops maintaining it, then it could contain undiscovered vulnerabilities. The fewer of these you have, the smaller the attack surface of exploitable bugs for an attacker.

Cloudflare

I have only recently started using this but it is worth bringing up as it can be used as a free service and really helps.
Very briefly, Cloudflare works by passing all the traffic destined for your website through its network first, before it hits your webserver. It does this by pretending to be your webserver to the outside world (you have to configure DNS for this to work).
So why is this good? Well, the more people use this service the more Cloudflare “sees” what is going on across many, many websites and therefore who might be acting maliciously. If an attacker is automating scripts to hit hundreds of websites at once then Cloudflare will see this and block their IP from hitting your server.
Cloudflare does the blocking on the basis of you telling them about the bits of your website that need special attention using something called “Page rules”. I use these, within the confines of the free version, to do the following:

Protecting the wp-login.php page; this setting lets Cloudflare know that this particular page needs to be protected!!

URL match: craig.yourintranet.co.uk/wp-login.php
Settings
Security: High

Protecting the wp-admin area; this setting tells Cloudflare that the entire area under wp-admin needs to be protected and not cached, with no other clever stuff done to it :)

URL Match: craig.yourintranet.co.uk/wp-admin*
Settings
Security: High
Cache Level: Bypass
Disable Apps
Disable Performance

This next one is not about security, but you get 3 free page rules with the free version so the last one is about performance. Caching your uploads folder means that your webserver won’t always be asked for those big image files that you have uploaded; Cloudflare’s servers will serve them on your behalf. This is really clever as it means a Cloudflare server local to the user will be providing those files rather than your server, which might be on a different continent to your user!

URL Match: craig.yourintranet.co.uk/wp-content/uploads*
Browser Cache TTL: a day
Cache Level: Cache Everything
Edge Cache TTL: a month

WordPress itself!

Yes there is still more to do with our WordPress site to make it difficult for an opportunistic attacker. Initially we want to break up the structure of WordPress such that an attacker isn’t going to instantly know what the underlying code looks like. We do that in two ways:

  1. Change the table names
  2. Change the structure of the WordPress site (the URL).

In detail:

  1. Changing the table names is something you typically do during the installation of the site. When the installer asks you “Table Prefix” then put in something a bit rubbish like “wpijundsaf_” as the prefix. This will make SQL injection (writing database commands into a URL) much more difficult to execute as the table name will be unpredictable and therefore the SQL command will fail. This change won’t stop your site from working but might stop an attacker writing malicious code into your database.
  2. Changing the structure of the WordPress site is a similar method to the table prefixes. When an attacker iterates hundreds of vulnerable plugins by just looking for /wp-content/plugins/ on a webserver then perhaps we should change that!

Doing so is not that difficult: it requires renaming the wp-content directory to something else, like wp-content-myblog, and then changing the wp-config.php file. To change wp-config.php you need to know the new name of the directory and where it sits on your operating system, and then add the following:

define('WP_CONTENT_DIR', '/the/operating/system/path/to/my/website/html/wp-content-myblog');
define('WP_CONTENT_URL', '/wp-content-myblog');

Now bear in mind the following; ‘the/operating/system/path/to/my/website/html/wp-content-myblog’ will be different for you depending on where your files are on the server which runs your website. You need to work out where that directory is on your server then name the folder something other than wp-content and put the entire path into the config as above. You will also need to go back up to that page rule for Cloudflare we talked about earlier and change the URL match so that the path to your uploads folder is correct.

.htaccess

Onward now to .htaccess, where we look at the file in the root directory of your website which deals with, among other things, security. The .htaccess file is a simple text file in a directory which the Apache webserver reads to determine if there are any actions it should take. Apache only reads the file if it is in the same directory as the file/page being requested, or in a directory it passed through on the way down to that file/page.
Within .htaccess you can set up some rules about what things are accessible, to whom and under what conditions. It’s finer grained than some of the other things we have talked about, but it protects some specific things even further.

Within the root folder of your website edit (or add) your .htaccess file and append:

# protect the htaccess file
<files .htaccess>
order allow,deny
deny from all
</files>

# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all
</files>

# Deny access to XMLRPC
<Files xmlrpc.php>
order allow,deny
deny from all
</Files>

The first two of these just deny external access to the .htaccess and wp-config.php files, which should only ever be read by the webserver. (The order/deny lines are the Apache 2.2 syntax; on Apache 2.4 without the mod_access_compat module the equivalent inside each block is a single “Require all denied”.)

The third one involves the XMLRPC service, which usually allows you to post content remotely to your blog. This service is useful if you are planning to write content remotely and then upload it through a third party application or a mobile device. If you’re planning to just use the website itself to write articles and content then you do not need this service. Why deny access to it? Because by its very nature it allows the posting of content into your website remotely and could be a security hole. If you’re not going to use it then why take the risk?

# disable directory browsing
Options All -Indexes
# Turn off the ServerSignature
ServerSignature Off

# limit file uploads to 10mb
LimitRequestBody 10240000

These settings stop people browsing the files on your webserver and stop the server giving out information about itself to the end user. This is information an attacker could use, so why provide it? The file upload limit is not a security feature as such, but it is going to need changing if you plan on uploading any files above a certain size. You should be aware of this value and what you have set it to.

# Protect from spam bots
RewriteEngine On
# only comment submissions (POST to wp-comments-post.php) are examined
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
# ... that did not come from a page on this site, or carry no User-Agent at all
RewriteCond %{HTTP_REFERER} !.*craig.yourintranet.co.uk.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# bounce the request back to the sender's own address instead of processing it
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]

Finally, within the .htaccess file we add this to help with the ever-present problem of spam. The section here uses the mod_rewrite module within Apache, which will need to be enabled beforehand (it may well be already with your hosting provider). The conditions flow through asking whether someone is trying to post a comment, and then whether they posted it from the website; if that fails it redirects the request back to the sender’s own address, which for a bot amounts to an error page. A useful little script to, again, keep automated comment bots from plastering your site with comments/spam.

File Permissions

The files on your webserver need to be protected from arbitrary access outside of the webserver itself, usually from within the operating system. Setting permissions on who can read/write/execute a file stops other websites on the same server from reading your files and protects the integrity of the file system.
WordPress itself recommends the following:

Directories - 755
Files - 644
wp-config.php - 400
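As an added example (my code, not WordPress’s own tooling), a small Python audit that checks a document root against those three modes and applies them where they differ. The directory layout is constructed inside a temporary folder; the paths and the name public_html are assumptions, and the symlink check is there so a link pointing outside the site is never followed:

```python
import os
import stat
import tempfile
from pathlib import Path

# The three modes from the list above.
DIR_MODE = 0o755
FILE_MODE = 0o644
CONFIG_MODE = 0o400
CONFIG_NAME = "wp-config.php"


def expected_mode(path: Path) -> int:
    """Which of the three recommended modes applies to this entry."""
    if path.is_dir():
        return DIR_MODE
    if path.name == CONFIG_NAME:
        return CONFIG_MODE
    return FILE_MODE


def audit(root: Path) -> list:
    """Return (relative path, actual mode, expected mode) for every entry whose
    permission bits differ from the recommendation. Symlinks are skipped so a
    link pointing outside the document root is never followed or chmod'ed."""
    findings = []
    for path in [root, *root.rglob("*")]:
        if path.is_symlink():
            continue
        actual = stat.S_IMODE(path.lstat().st_mode)
        want = expected_mode(path)
        if actual != want:
            findings.append((str(path.relative_to(root)), actual, want))
    return findings


def harden(root: Path) -> int:
    """Apply the recommended mode to every deviating entry; returns how many changed."""
    changed = 0
    for rel, _actual, want in audit(root):
        os.chmod(root if rel == "." else root / rel, want)
        changed += 1
    return changed


def build_sample_site(base: Path) -> Path:
    """Constructed docroot with the kind of sloppy modes an unpacked archive leaves
    behind: a world-writable uploads directory and a world-readable config."""
    site = base / "public_html"
    uploads = site / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (site / "index.php").write_text("<?php // placeholder\n")
    (site / CONFIG_NAME).write_text("<?php // placeholder: DB credentials live here\n")
    (uploads / "image.jpg").write_bytes(b"\xff\xd8")
    os.chmod(site, 0o755)
    os.chmod(site / "wp-content", 0o755)
    os.chmod(uploads, 0o777)             # too open
    os.chmod(site / "index.php", 0o644)
    os.chmod(uploads / "image.jpg", 0o644)
    os.chmod(site / CONFIG_NAME, 0o666)  # far too open for a file holding DB credentials
    return site


def demo() -> dict:
    """Build the sample site in a temporary directory, audit it, fix it, re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_site(Path(tmp))
        before = sorted(rel for rel, _, _ in audit(site))
        changed = harden(site)
        after = audit(site)
    return {"before": before, "changed": changed, "after": after}


if __name__ == "__main__":
    print(demo())
```

Point audit() at a real document root to get a list of deviations before touching anything; harden() is deliberately limited to the three modes listed, so anything the site needs to be different (a writable cache directory, say) shows up in the audit rather than being silently forced.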

HTTPS

Using HTTPS/SSL on your website ensures that the traffic between you, your customer or anyone else and your website is encrypted. Without it, each time you log in to your website, to post a new article or whatever, the username and password of your login is sent over as plain text.
If you install an SSL certificate on your website and you start using HTTPS then that login traffic will be encrypted. Similarly any comments or articles you or your users post are also encrypted in transit. It’s very unlikely someone is going to be “sniffing” the traffic passing to your website to intercept your login credentials, but it could happen, so why not protect yourself?
With Google ranking HTTPS sites higher than HTTP sites and the roll-out of Let’s Encrypt there are fewer and fewer reasons not to.
I am not going to go into how you might go about putting an SSL certificate on your website as it needs the involvement of the hosting provider. In my case TSOHost allow you to tick the “Let’s Encrypt” checkbox on your website and that applies an SSL certificate almost immediately; again there are caveats about more configuration and the limitations of Let’s Encrypt.
Personally I pay for my certificate and ask my hosting provider to deal with all of it, which they do, so I am happy!

Security Plugins

There are plenty of these around and some of them I think are reasonable enough. Certainly ones that scan your files for viruses seem to be worthwhile as they could find malicious, injected code in amongst your theme or plugins. The security plugins will often give you the option to clean that file or take some action against it, which should give you peace of mind if you do find something untoward. Personally I don’t use these, owing to the mantra above (“Do you really need that plugin?”), and hope that the rest of these security steps are strong enough.

Backups

If all the above doesn’t work and something tells you that you have been compromised then it’s time to restore the site from backup.
Taking regular backups of the site means downloading the site via FTP and taking a backup (dump file) of the database. Much of this can be automated and your hosting provider might provide this service as part of the hosting package. You might think it isn’t worth it, but if you ever have to use it you will be very glad you did and wish you had backed up more often!!!

We done now?

Yup.
Much of the above came after I was hacked and started to look into security much more around WordPress to stop it happening again. I am hoping I have managed to hit a balance between outright paranoia and security that will stop me being the victim of a “drive-by” hacking attack and will only be vulnerable to the most ardent of hackers. But even if that happens I will have a backup of my site and ultimately this is only a tech blog right???
You may wish to impose even stronger security features on your website, such as locking out access to wp-admin by another security method through plugins or edits to the WordPress site. Further security hardening is up to the site owner as there are always other solutions which others will advocate.
Here is a picture of a fence which will stop anything that is not determined.

by Craig

Securing your passwords and more (1Password & Dropbox)

As the Internet has evolved we have been presented with more and more services, each of which requires us to have a login. Having to remember all those usernames and passwords is a pain, so many of us (me included) started to use the same login each time. This is a very bad idea, as if one of the services is compromised then they are all compromised. As an example: if you had used the same login details for the PlayStation Network as for your Amazon account, then when the PlayStation Network was compromised last year the attackers would have been able to log in to your Amazon account (not good).

The recommended “best practice” is, therefore, to have unique usernames and passwords for every site that you visit. However, trying to remember that many different username/password combinations would be almost impossible, so you are going to have to record them in some manner to recall later. There are two options here: 1. a physical piece of paper with them written on, or 2. a piece of software which holds these usernames and passwords. Now if you lose either the piece of paper or the software you want to make sure no-one else can read it. To do that you need to encrypt it, which is slightly easier in software than on a piece of paper!

Let’s assume then, for the purposes of this article, that you are going to use software to record your passwords. You need those passwords on all of your devices so that no matter where you are you can access it but you also need to be sure that if you lose a device then your data remains secure. Enter 1Password and Dropbox.

1Password

1Password made by AgileBits is a piece of software that creates an encrypted password store on your local disk which you unlock each time with a single password. Thus you have 1 password to remember in order to access all your other passwords!

1Password login screen

When you run the program you are presented with a login prompt to unlock the contents of your store (or vault as they call it).

It’s important to note that the password vault is only stored on your local device and is not held online or anywhere on AgileBits servers. Later we see how to synchronise that data between devices in such a way that makes it available offline as well as online.


Creating a Login

Having logged into the 1Password software you can record the username, password, the location you are logging into and other important data into a single form. That form is then encrypted inside your vault and can only be read once you have logged into the App (as above).

A great feature here is the “generate password” function which allows you to generate a random password with letters, numbers and symbols. That password is then saved within your vault and you can copy/paste it directly into the website - much more secure than using your mother’s maiden name!
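The point of a generated password is that it comes from a cryptographic random source and that the result meets whatever character-class rule the site enforces. As an added example (mine, not 1Password’s own generator, whose internals the post does not describe), a Python generator built on the standard library’s secrets module; the symbol set is a constructed choice and the entropy figure is an upper bound:

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!#$%&*+-=?@^_~"          # constructed set; trim it to what a site accepts
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def has_all_classes(password: str) -> bool:
    """True when at least one character from each class is present."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length: int = 20) -> str:
    """Draw each character uniformly and independently from ALPHABET with the
    secrets module (a CSPRNG; random.choice is not suitable for secrets), then
    reject candidates missing a class. Rejection keeps the draw uniform over
    the accepted set, so no position is forced to hold a particular class."""
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly drawn password of this length over the alphabet.
    The class requirement removes a tiny fraction of candidates, so the true
    figure for generate_password() is marginally lower than this."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(len(pw)):.1f} bits")
```

With this 76-character alphabet a 20-character password carries roughly 125 bits, which is why a manager-generated password never needs to be memorable: it only has to be stored in the vault and pasted once.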


 

Login list

Having added credentials for sites into 1Password you end up with a Vault full of your logins, credit card details, secure banking details and anything else you need protected in a place which is easily accessible but heavily encrypted.

I really like this software and have been using it for a while to hold 100+ login details and find it invaluable. I don’t remember any passwords, as they are all 10+ random-character passwords, and so if some site says they have been hacked then I know it’s just the loss of a password which I never knew in the first place!

There are many other security features which I am glossing over here, but you can look, and try, for yourself and see what you think. But now we need to look at synchronising our 1Password vault onto multiple devices.

Dropbox

Many of you will be aware of Dropbox and what it is; in short it is an application which can synchronise data to any device onto which it is installed and you are logged in.

What you have to imagine here is that you have a small storage area on the Dropbox company servers and that your data is uploaded from your device to that server in near real time. By installing the Dropbox software onto each of our devices we can synchronise data, in this case our 1Password vault, between them and access that data on or offline as we choose.

Getting started

You have to create an account with Dropbox in order for it to synchronise between your devices (each device needs to be logged in with the same account), so some quick words about that. We are not going to use Dropbox to sync any data in the clear. We are only going to be synchronising the encrypted data that forms the 1Password vault. It is, therefore, not necessary for us to be overly concerned about the security of the Dropbox password, as its loss means that all someone has is our encrypted password files. The “defence in depth” side of me says that the loss of the Dropbox password is the first line of defence gone; however, I am aware that you are now having to remember 2 passwords, 1 for 1Password and 1 for Dropbox, and you are not likely to use the Dropbox one often, so let’s make it easy.

The Dropbox app can be downloaded from the App Store, their website or Google Play depending on what you are using.

Configure

Once you have installed Dropbox it will ask you where you want your Dropbox directory. I am going to assume, on a PC, you have made it something like “C:\Users\YourName\Dropbox\”, so we need to tell 1Password to store its vault there. By going into “File->Preferences” within 1Password it will ask where to put the 1Password data and you can then select the same folder you used for Dropbox. It will create a folder in Dropbox called “1Password.agilekeychain” but that’s OK as that’s the vault itself - have a look inside!!!

From there we can simply install Dropbox and 1Password on a mobile device and, when 1Password starts, it will ask where you want to store data. So first login to Dropbox with the same username and password you setup earlier. That will then sync and bring down the 1Password vault you setup earlier.

Start 1Password and when it asks you what to sync with select “Dropbox” (see image).

Login with the same 1Password login that you created at the beginning.

Remember that the 1Password login and the Dropbox login do not have to be the same and, in fact, should not be.  

Done

It’s easy, it’s straight forward and it’s secure. It will make your online security life much easier so I suggest you give it a go and see how you like it :)

by Craig

Dealing with: Your entire 2003/2008 AD domain being locked out!

So you have tried your normal account (it’s locked out) you have found the admin password from wherever you keep it (it’s locked out) and you are now wondering whether to go to a backup of your domain controller.

I have been through these thought processes and, from experience, have successfully used the following method to regain access. The method below has been researched from various sites on the internet and can be adapted as required. I’ll attempt to explain why the steps involved are used as we go through for clarity.

General premise

The idea here is to run a process (service) when the domain controller reboots that sets the admin password to be something you know and unlocks the account. To do that we need to have that process start on the domain controller and run as a privileged user.

Initial steps

You first need to be able to reboot your domain controller and have console access to it. This is easy if it’s a physical box (although lugging that screen and keyboard around a server room is a pain!) but not so easy if it’s a virtual machine.

If you are running a VMware virtual setup then you will need to edit the settings of the domain controller Virtual Machine and do the following:

Edit Settings -> Options Tab -> Boot Options -> Power On Boot Delay - change this to 5000ms
This delays the time between the initial BIOS loading on your VM and the OS being loaded. In that 5000ms you have the opportunity to interrupt the boot process (the F8 key) and get access to safe mode.

Local admin Password

You need the local admin password for the machine. This is NOT the domain administrator password as that is a different thing. The local admin password would have been setup with the machine and hopefully is also stored somewhere you can find it. You need this to login locally to the machine in safe mode.

Microsoft Tools SRVANY and INSTSRV

These are tools (executables) provided by Microsoft in their NT resource kit which are going to be used to create a user defined service. That service will be the thing that resets the administrator password in the domain so we need these. You can download them from the internet although I have not found originals to host but will look for the future…

You will also, if using VMware, need to create an ISO with these on and put it somewhere that you can mount it within the VM. If it’s physical then you could use a USB drive, or you can create a CD with these two things on it. There are many ways to do this, but it is worth doing in advance.

The process

Firstly we need to boot this domain controller into safe mode which we can do by hitting F8 as it boots and choosing (from rather a long menu) “Directory Services Restore Mode”.

At this point you will need to login to the machine as the LOCAL administrator (not domain) which should give you desktop access. You can’t make any changes to active directory, as you didn’t login as domain admin, but you can access the environment.

Now we need to create a service to run our custom command.

Create a directory C:\Unlock - the choice of folder is arbitrary but I would imagine you don’t have an unlock directory yet!!

In that directory you need to copy INSTSRV.EXE and SRVANY.EXE from the CD/ISO/USB that you created earlier. You also need to copy cmd.exe from the system32 directory (usually C:\Windows\system32) as this will make your scripting easier. You don’t HAVE to copy cmd.exe but it makes later stages easier so I would.

Now we need to create the service itself to run our command, we do this by opening a dos prompt, navigating to our directory and typing the following:

INSTSRV ResetPassword "C:\Unlock\SRVANY.EXE"

This will use the INSTSRV executable to create a service called “ResetPassword” that points to SRVANY.EXE in your directory. The trick here, of course, is that the service will start with whatever permissions you give it, including a privileged account! That’s the bit that actually “breaks in” to the system: the ability for this service to run as a privileged account.

To set the permissions for the service you now need to open up the Services MMC:

Control Panel -> Administration -> Services

Select the properties of the “ResetPassword” service (you just made that) and ensure the “Startup type” is “Automatic”. Select “Log On”, in there make sure the “Log on as:” is set to “Local System account” and that the “Allow service to interact with desktop” is checked. This will mean the service now starts as the OS does with a privileged account.

Last thing we need to do is configure our privileged service with a command to reset our administrator account’s password.

Start regedit and go to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ResetPassword

This is the configuration area for our new service so we create a new subkey called “Parameters” and then two new values within that:

name: Application
type: REG_SZ (string)
value: C:\Unlock\cmd.exe

name: AppParameters
type: REG_SZ (string)
value: /k net user administrator PASSWORD /ACTIVE:YES /domain

The second of these parameters is the one you are really interested in. The “net user” DOS command allows you to alter accounts from the command line including creation, expiry, password reset and unlocking (among others). In this particular line we are going to reset the password and make sure that it is unlocked. Running through the command we have: /k - this makes cmd.exe treat the rest of the line as a command string; net user administrator - we are using the net user command against the administrator account!; /ACTIVE:YES - unlocks the account; /domain - ensures the net user command works against the domain and not the local machine.

IMPORTANT! You need to change PASSWORD to be the new password for the administrator account and it must comply with your current password policy: complexity, length etc. If you don’t do this then it will simply not work and it won’t tell you why! Make sure you do this correctly.

Having done all that you simply reboot the machine and let it boot normally. As the OS boots, the service you have set up will run as a privileged user and run the command you configured above. At the login prompt you should now be able to log in to the administrator account with the password you set earlier!

Remember to disable the “ResetPassword” service and, as soon as you are happy, remove it entirely together with the C:\Unlock directory.
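As an added example (not part of the original post), here is a defender-side check for the cleanup step above: it audits a host for services that wrap SRVANY.EXE, reports the account they run under and the command configured beneath Parameters, and flags any whose AppParameters run net user, so a forgotten ResetPassword service (yours or anyone else’s) shows up. The function name Find-SrvAnyService and its ServicesRoot parameter are my own; the registry value names it reads are the standard ones INSTSRV/SRVANY use.

```powershell
# Added example, not from the original post: find services wrapped in SRVANY.EXE
# and show what they really launch and as whom.
# Assumptions: run from an elevated PowerShell prompt on the host being audited;
# the key layout (ImagePath, ObjectName, Start, Type, Parameters\Application,
# Parameters\AppParameters) is the standard one that INSTSRV/SRVANY use.

function Find-SrvAnyService {
    [CmdletBinding()]
    param(
        # Root of the services hive. Point this at a loaded offline SYSTEM hive
        # (for example HKLM:\OfflineSystem\ControlSet001\Services) to audit a disk image.
        [string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )

    foreach ($key in Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue) {
        $svc = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $svc -or -not $svc.ImagePath) { continue }

        # SRVANY is only a wrapper; the command it really runs lives under Parameters
        if ($svc.ImagePath -notmatch 'srvany\.exe') { continue }

        $params = Get-ItemProperty -Path "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue

        # Start 2 = Automatic; Type bit 0x100 = "Allow service to interact with desktop"
        [pscustomobject]@{
            Service       = $key.PSChildName
            ImagePath     = $svc.ImagePath
            RunsAs        = if ($svc.ObjectName) { $svc.ObjectName } else { 'LocalSystem' }
            AutoStart     = ($svc.Start -eq 2)
            Interactive   = (($svc.Type -band 0x100) -ne 0)
            Application   = $params.Application
            AppParameters = $params.AppParameters
            # The exact pattern the post describes: an account reset run by a privileged service
            ResetsAccount = [bool]($params.AppParameters -match 'net\s+user')
        }
    }
}

# List every SRVANY-wrapped service, most worrying first. An empty result means
# the cleanup step above was done (or no such service was ever created).
Find-SrvAnyService |
    Sort-Object -Property ResetsAccount, AutoStart -Descending |
    Format-Table -AutoSize
```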

Comments and feedback gratefully received via twitter (at top of page). Good luck!  

Sources:

www.petri.com (Reset Domain Admin Password)
Windows Troubleshooting
Microsoft (How to create a user defined service)

by Craig

When the Internet was young - IP Allocation

You may, or may not, be aware that the internet is split into enormous address “blocks” composed of 4 numbers. Those 4 numbers are how everyone else on the internet finds you and how information traverses the internet: from one IP address to another.

What’s, marginally, interesting is how those 4 numbers are allocated to people/companies. Obviously you could do it on a “first come, first served” basis but that would be very difficult to manage: a person/company may want 1000 now, 100 later and 500 in 3 years’ time, none of which would be contiguous. As such, and in a similar way to area codes, entire “blocks” were given away to make companies’ lives easier.

Without going into why blocks are created the way they are, I was curious to look at the Class “A” blocks, each of which represents 1/256th of the internet address space (that’s an awful lot!), and how they were allocated.

From this site: IANA you can see some history of people who were big enough, at the time, to now own 1/256th of the internet address space:

GEC,
IBM,
Level 3 (they have 2 blocks so own 1/128th),
AT&T (2 blocks),
Xerox,
HP,
DEC (now owned by HP),
Apple,
MIT,
Ford,
UK MoD,
Haliburton,
Prudential Securities (investment bank),
UK DWP,
DuPont (US Chemical company),
Daimler,
SITA (Aerospace),
US Gov - 9 blocks around 1/28th of the internet

It’s an odd selection of companies and between them they own around 1/10th of the entire internet address space! It’s not as if these are even countries (apart from the US which has more than anyone) so the REST OF THE WORLD has to fight over the 90% of the internet addresses that these guys don’t have.

by Craig

Choosing data centers - submarine cables!

In a follow up to my original article on choosing a data center I thought it worth pointing out that if you are thinking of world wide locations for your data center then checking the intercontinental connectivity is all important!

There are a number of submarine (under sea) cables that crisscross the globe providing connectivity from one continent to the next. These cables are commercially run and are laid by specialist ships literally from beach to beach (have a look on YouTube). A map of where the undersea cables run is available from here: SubmarineCableMap.com and clearly shows where they are in the world and where they land.

So the important bit; if there are a large number of cables terminating in a similar area then prices are going to be competitive, if there is a single cable then there is a monopoly and they can charge what they like. As an example if you look at India there are a number (around 13) of cables terminating in Mumbai which means there is going to be healthy competition there whereas Western Australia is only served by 2! Competition for the space on these cables could mean; higher prices, latency issues, capacity issues and in the event of a “problem” a business continuity issue.

Looking at the map throws up some interesting observations:

  • Western Australia is connected by only 2 cables whereas Eastern has 10 (all into Sydney).
  • All the connectivity from India to the UK runs through Egypt!
  • Cornwall is pretty important in the UK connectivity to the rest of the World :)

by Craig

EMC CLARiiON/Unisphere into Engineering mode

As I am always hunting round for this sort of thing:

To Engineering Mode on a CLARiiON/Unisphere press Ctrl+Shift+F12. Once the dialog box appears the password is “messner.”

by Craig

PSN. Maybe it's security all companies should take a look at?

I have been working quite a lot lately on a local government organisation’s (read: Council) PSN compliance. It struck me that much of what I am doing could, and should, be applied to the commercial world.

Ok so quick terminology here; The Public Services Network (PSN) is an actual thing, it’s not just an acronym for a committee, it really is something! It delivers (over a connection from an accredited provider) access into a secure network to which other accredited bodies have access. The other organisations on the PSN are anything from Local Government and Blue Light services through to Government Departments such as the Department for Work and Pensions. Now that last bit is the important bit for me; unless the council I am working for can get a connection to the PSN then it cannot access the Department for Work and Pensions to process benefit claims, and this would be bad….

In order to access the PSN you must hit a security standard. This isn’t a set standard as the security picture is continually evolving and as such setting one would be arbitrary and impractical to hit. Instead it is actually more about integrating security standards into your organisation as something that is part and parcel of your day to day business. This is quite an important distinction as many companies see accreditations as a “tick in the box” where you are such-and-such compliant but don’t actually practice it. Part of the PSN accreditation is yearly assessment which ensures that you keep up the practices and adopt them as part of your culture.

So once you have hit the standard required a bunch of paperwork flies back and forth between the various agencies involved (cabinet office and telecoms suppliers) and you are then granted access to the PSN network as a community of “trusted organisations”, the theory being that you are all of a similar standard of security.

Seems easy huh? Well it can be provided you have built security into your infrastructure and processes from very early on. Implementing these things into a mature environment where processes have evolved can be very difficult but ensuring security could save a potential loss of data - a loss which would be both harmful to finances and customer relations.

The key steps to securing the environment aren’t actually that difficult. There are a few simple steps that you can embark on and follow up by re-designing and fixing the infrastructure to enforce them.

1. Do an internal IT health check.

This will be done by an external agency that you pay for; they will then give you a report saying what they found. I have engaged with, and used, NCCGroup in the past but cannot say they are better than anyone else (they seem ok).

Importantly these guys are independent of your organisation and can be used as a reference for when someone (read: The Cabinet Office) asks if the organisation’s security is ok. Any sort of security accreditation will need this and remember it’s a culture thing not a tick in the box so there is no harm in getting this done right now (they aren’t going to tell anyone else what they find!).

2. Fix the things they found in that health check

Yup that’s literally it. But wait(!) it might not be THAT easy because what they have found might have huge implications on how you actually work.

This is way WAY too in depth for me to go into what you might have to change. As an example the CESG (UK Government techie types) recommend a DMZ between two separate firewalls so:

Net -> Firewall 1 -> DMZ -> Firewall 2 -> LAN

This means a compromise of the first firewall does not mean the second one will be; indeed they recommend having two separate manufacturers for the two firewalls! This approach forces a protocol break between the two firewalls in the DMZ so any services you wish to expose externally (including VPN users) must have some sort of proxy in the DMZ. It may sound a bit like overkill but I for one would feel much more secure about my LAN with this sort of setup.

This isn’t the only example of architecture and there is a whole section on mobile devices that I won’t go into but overall I would say:

2.1 Do not have un-managed devices on your internal network

So this appears to be fairly obvious but people think that the Bring Your Own Device (BYOD) culture is something we should all embrace. No we really shouldn’t! As IT professionals we must heavily restrict their usage and try to stand up to the people who shout/stamp/scream/tantrum that they can’t use their personal device for connections into work.

This is the biggest area of security concern right now as any edge security device; unified threat management (UTM), firewall, email filter, content filter or anything is completely useless when someone brings in a laptop from home with a virus on it and plugs it into your network.

But laptops aren’t the only thing you should be concerned about; phones are now at the point that they are smart enough to be a problem but not mature enough to be secure. They don’t really have firewalls on them, they all connect to a generic Access Point Name (APN), they can easily have code installed on them from unverified sources and often they aren’t locked properly.

If you have sensitive email on your phone (because you are the CEO/CFO/Director) then you should have a passcode on your phone and the phone should have a level of security to the same level as a laptop. What is more likely to be lost/stolen? What data is exposed if one of those people loses their personal mobile phone? How can you secure that data? In answer: you cannot if it is a personal mobile; you must heavily secure that phone to be sure that the data is safe.

There are some vendors (Air Watch, Citrix, Good etc) who will promote the “container” approach to securing the device. This could be risky in itself as you still don’t truly control the environment as you just control a virtual machine (ish) running on the phone. I would be wary of this and treat it as a stop gap approach (btw did you know that all traffic on phones secured by Good is routed by two data centres in the US).

3. Patch stuff

Sounds stupid but most of the methods into a network are through services that are un-patched and have vulnerabilities in them. This happens over time as people find them and fixes/upgrades are put into place. By having a regime of patching you will be less likely to suffer from “zero day attacks” and will start to have these things ingrained in your culture.

Obvious things like WSUS should be already in place and running and an understanding of your estate would really help but where you are unsure you need to run a security scan.

4. Scan your internal network

Having done all the above you want to make sure you remain secure and the best method of doing that is to regularly scan your network looking for vulnerabilities. A Nessus vulnerability scanner will do a good job of this and will alert you to where you need to apply patches. It is a subscription thing as there is a continually evolving landscape of security threats but it is worth the cost.

The scan report will point out where there are problems and what you need to do to fix them. This will happen a lot and you will want to give responsibility of this to someone who is a “proper techie” but also has the confidence to speak up about problems.

The wider view - do I need this?

It might be that you must have some BYOD service going on or that you have a particularly difficult system to get compliant. With these things it makes sense to put them into a lower security area (preferably by themselves) and firewall them off. You will of course be buying lots and lots of firewalls in this exercise but they are boundary controls and you need them to ensure the protections of your core information.

All this is, of course, about protecting the core information and systems that are central to your business. Once those are secured you can think about moving less important things into lower security areas; I would even go so far as to say that you might want to outsource the things that you don’t need to run in house and that are going to cause you security problems.

Architecture design is never the same from one company to the next and understanding business needs (one of which is security btw) and implementing them is going to be a tough task for any IT leader/CTO to balance out. However putting in appropriate controls and designs means that you will reduce your risk profile and make yourself a difficult target. It does not mean you will have to hamper the business you support but you will certainly consume lots of resources implementing things they will never see. Until the day you don’t implement it and someone takes your data.

by Craig

Software vendors - please set the database up properly

In my return to blogging pedestal I am going to start with a bit of a moan; fixing other people’s bad practices.

I have been providing consultancy to a site where an Oracle database was set up to provide a repository for graphical information. Now the data involved is not massive (around 40GB) but the initial configuration of the database meant that the system has stopped working on two separate occasions. Bear in mind that, whilst reading this, the site has no Oracle DBA and relies on support from the vendor who also install and configure all parts of the software.

The configuration appears to be mostly the default settings so here are some of the issues:

All data in the users tablespace - not that great really; it makes performance a big problem as the system gets larger. It will also create one very large file with all the data in it. Oracle uses multiple files for a reason so it makes a lot of sense to use them.

The users tablespace was set with a maxsize - now if you’re going to put all of your data into one tablespace then not allowing it to grow will cause a problem later on!

Accounts set to expire password after 90 days - This is the default security setting and is a good one if you have a DBA to change passwords. If you have no-one then the accounts lock out and you cannot access your data…

No backups set - Often some form of backup strategy is used such as; nightly full export, shutting down the database and copying the files off or archive logging. None of these were set and it is unlikely that a consistent backup was being taken.

Without some DBA knowledge many of these issues would have been quite difficult to fix.

So the original request still stands; Software Vendors - please set up your database properly :(

by Craig

Sony - My own little data privacy battle

Hi there. Long time no write! Well actually that’s not true, it’s more like long no publish as there are quite a few things in draft so let’s hope this one goes out ;)

A while ago I bought a Sony VAIO S-series laptop and when I say a while I mean 4 weeks ago. I bought the laptop because I needed something that was:

  • A good specification and made from decent components
  • Has a reputation for going on forever
  • Reasonable price
  • A brand I knew and trusted.
  • Appropriate for business use

Sony fitted most of those criteria and, having worked with them in the past, I knew that they did indeed go on for some considerable time! :)

All was well for the first 10(ish) days of my purchase until I started to get a black screen with a white cursor after booting into Windows. I tried everything I knew, and a few things I didn’t, to try and fix it but to no avail. So I decided I was no longer going to spend any more time on this and I would pass it back to where I bought it (Sony Centre Basingstoke) for them to sort it out.

I went in and was told that they would send it away and it would take 5 days. OK I thought that’s fair enough. I was also asked if there was any data on the laptop as it could be lost. No, that’s OK, I replied thinking that what they meant was that if the hard disk had gone they would not retrieve it off the platter.

<– Wait 5 days –>

I get a call back on the 13/6/2013 to retrieve the laptop after it had been fixed. On arriving at the shop it has had a new HDD fitted but there is no sign of the old one. I query this with the store and they say that they will ask for it. I am slightly surprised at this point as the old hard drive was clearly semi-serviceable as it booted to a certain point and then failed which means that the data on it should be easily retrievable. I go away thinking that this is an oversight and they will get back to me, but actually this is just the start of my woes. To cut this story very short I will now condense everything to today (20/6/2013) into a timeline

(Sony Centre Basingstoke): The repair guys won’t give us the hard drive back
*I contact Sony Repair Centre and have a lovely time*
(Sony Repair Centre): As we have replaced the hard drive the old one is now our property as was agreed to when you took the laptop in for repair, the store told you this.
*Not really. What are you going to do with the hard drive?*
(Sony Repair Centre): We will try and fix the hard drive and then sell it to someone else
*With my data on it???*
(Sony Repair Centre): We will delete everything off it of course
*How can I be sure? Do I get a certificate of destruction if you destroy it? I did not agree to this*
(Sony Repair Centre): We don’t know what a “certificate of destruction” is; Your problem is not with us it is with the Sony Centre Basingstoke; No-one has asked for this before
(Sony Centre Basingstoke): No-one has asked for this before

I find this totally ridiculous. They have my hard drive with my data on it and are refusing to give it back or tell me how they will wipe/dispose of it. Further to this no-one is actually taking ownership of this and saying “yeah we made a mistake”. They are both the same company yet doing nothing about it.

I am still arguing with them but they do not understand that the data on the disk might actually be confidential and I want to make sure it is destroyed. It’s not that there are passwords on the device but there is all the documentation for the company I have created and I would rather that I had control of it and not the other way round.

I put it to them that if this were the other way round then I would be getting letters from Lawyers by now as I have not given them permission to have or to withhold my data either verbally or in written agreement. In fact this whole thing just stinks and makes me question why I ever bought a “quality” product like Sony in the first place.

I suspect this will be continued….