Tuesday, June 30, 2009

Log Centralization, Analysis and Visualization

Although many of us have seen IT companies securing the logs in one centralized location but in one or two they lack visualization in time of incident handling or analysis process. This could raise a serious bar from legal and corporate image perspectives. SEIM (Security event information management) systems can help to resolve these issues but logging, correlation and visualizing from distributed networks has always been challanging.


As we can see that different souces interacting with muliple devices at specific levels to pass the network traffic. The ratio of such typical network to generate logs would be moderate-high. So, why is it log centralization is considered necessary? From my experience, it is because of easy accessibility, searchability, log categorization, identification, correlation and redundancy. While talking about securing architecture of log management, virtualization concepts put the step forward mostly in data centers and hosting farms. The typical architecture looks as below:

{Sources -> Generate Logs -> Virtualization (analyzing, disposing logs) -> Log Management (storing, analyzing logs)}

The typical challanges to this architecture involves balancing the quantity of log management resources, policies and procedures, continuous monitoring of log data, log categorization and access control. On the otherside when considering the visualization, DAVIX Live CD contains some of the useful tools and scripts which make it easier to process data and visualize them to track the incidents.

References:
http://davix.secviz.org
http://www.wallinfire.net/picviz
http://www.vizsec.org
http://www.splunk.com

Saturday, June 27, 2009

Bypassing IPS: A Penetration Tester Perspective

IPS (Intrusion Prevention System) technology was designed to cover the shortcomings of the IDS systems. In technical words, it will not only detect but also prevent the malicious packets from entering the secure zone on your network. Basic firewalls are just capable of scanning and examining the headers of the packet but IPS also inspect the payload inside it. Intrusion prevention system manages a deep packet inspection (DPI) technology to conduct its tests against protocol headers and payloads by gathering more information on attack patterns,
anomalous behavior and controlling the network traffic intelligently. The basic IPS deployment can be done using an open source tools, such as, Snort Inline + IPTables. With this kind of basic configuration, a security administrator would be able to capture malicious packet (snort_inline) and block(IPTables) that sequential traffic from reaching vulnerable host.

Now lets take a look on evasion technique used to bypass these intrusion prevention systems. As we know that there are several IPS vendors in the market today, such as;

- Cisco
- 3Com
- Cyberoam
- Fortinet
- Checkpoint
- Sourcefire
- IBM
- Third Brigade
- eEye
- Juniper
- Radware
- TippingPoint
- ForeScout
- IntruPro
- StoneGate
- DeepNines
- Enterasys

and others...

These vendors design the IPS technology in different ways but their basic approach of stopping the bad network packets remain similar. Holding a strong knowledge of TCP/IP, an attacker can easily manage to bypass the IPS and deliver the malicious packets destined for the vulnerable host. The technique is known "Packet Fragmentation". However, this is an old method but still useful to bypass some of the vendors IPS. The task to generate and route the malicious packets can be accomplished using 'Fragroute' tool. 'NMap' can do the similar stuff using '-f' option.
Recently, while conducting the penetration testing, I found that the DMZ network was protected with an IPS. Although I am not going to disclose the vendor name, but I will explain the method I used to approach the web application server with malicious SQL/XSS query. However, it should be noted that not all vendors are vulnerable to these specific attacks.

Fragroute
This tool helps the pentester to intercept, modify and rewrite the egress traffic according to the rules defined in the configuration file. By simply modifying the configuration file located at '/etc/fragroute.conf' with the following values:
tcp_seg 24 ip_frag 64 tcp_chaff paws print

This modification will help segmentation of TCP data into forward overlapping 24-byte segments, dervie the 64-byte fragments, interleave with overwriting, random chaff segments holding older timestamps for PAWS elimination and print the output. Fragroute has changed the sequence of the traffic generated and directed them from my attacking machine to the vulnerable host bypassing the IPS. It is recommended that these variable-set should be tested in the controlled environment before applying them for the live network.

The network layout was simple, {Attacker<-->(Fragroute)-->Internet-->IPS-->Webserver}

Its worth noticing that we dont need to use the local proxy to browse the remote web application (true for many web applications auditing tools). So, just browsing and injecting the application with SQL and XSS queries worked very well this time. Another technique can be used in conjunction with fragroute is gzip encoding for evasion purposes.

Problems with IPS
Two major problems should be outlined when we talk about IPS deployment.
-False Positives (need the exact signatures)
-Performance (Latency issues, such that in VoIP network it not acceptable at all)
-Evasion (A simple obfuscation of detectable traffic pattern can make its way through)

However, if we create a conceptual picture of the above mentioned problems. They can only be the reasons because of cost, physical limitations or any specific network envrionment. A small perl based script 'IPSTester.pl' from "iv2-technologies.com" can help to assess these IPS systems for their limitations.

Saturday, June 6, 2009

Industrial Hacks, Controlling and Securing SCADA Systems


SCADA, the Supervisory Control and Data Acquisition system is a software application used to control the process, monitor and gather the real-time data from remote devices in order to manage any hazardous conditions. Its application is widely applied in telecommunication, transportation, oil and gas industry, defense systems, water and waste control systems and power plants. Process controlling and monitoring can be categorized as industrial, infrastructure or facility.

Looking from the security perspective of these systems govern the major vulnerabilities and threats that can easily be exploited by malicious adversaries. For a decade, number of legacy IT tools have been developed for scanning and assessing the SCADA systems security. Number of incidents reported in past have proved the inconsistency of these systems, such that, on 10-June-1999 an "Olympic Pipe Line" company faced the rupture and release of gasoline causing damages of at least $45m and life of several people.

For more information:
http://www.cob.org/services/environment/restoration/olympic-pipeline-incident.aspx

Number of security problems discovered while investigating these kind of incidents range under
application response delay, system fault in shutdown and isolation process and various security vulnerabilities such as blank password access on compressor station. SCADA systems basically carry the operations which always hold real-time communication. Many of these systems are deployed without anti-virus to maintain the performance and scability. But at the same time, they are vulnerable to viruses and worms. One such incidents has been reported in 2003 at Davis-Besse Nuclear Power Plant, Ohio, infecting the whole network with Slammer worm and disabled the safety monitoring system. Employing security policies and procedures can remove such gaps from SCADA based network but changing them often is a nightmare.

Penetration Testing for the SCADA Systems
To assess the security of these systems, a traditional approach of Penetration Testing can be used to conduct the assessment in order to assure the SCADA network security. From my past experience in assessing the SCADA application and network, it is vital to defense such network at perimeter level (DMZ, IDS/IPS, Firewalls). Researchers from different security groups has revealed serious security issues in default SCADA system, such as:

-No Data encryption
-No Authentication or Blank Password
-No Integrity statement
-Network Traffic in clear text
-Default system/network configurations
-No backup strategies
-RAS/VPN access without proper security policies
-Physical security

Although the deployment of IT and SCADA system envrionment has similarity but the differences can be measured and the reliable security assessment approach can be done. Major security compliances that could help in achieving this goal include, BS7799, ISO15408, NIST-SPPICS, ISA S.99.1 and CIDX-VAM. Following the similar security approach from IT systems envrionment can help to integrate and preserve the CIA (confidentiality, integrity and availability) for SCADA systems.

Generally speaking, the SCADA Penetration Testing process involve:
-Identification
-Fingerprinting
-Vulnerability Mapping
-Exploitation
-Control

The major assessment tools remain same with an exception to modify the methodology of performing pen-testing against the SCADA envrionment as compared to the IT network. Tools like nmap, nessus, wireshark and metasploit play a key role in assessing the security posture of the organization's infrastructure. Custom scripts and fuzzers (SPIKE, LZfuzz) can also provide aid in assessing the SCADA applications.

Additional Resources:
CrISTAL Project: http://cristal.recursiva.org
ModScan: http://code.google.com/p/modscan
ScadaSafe: http://scadasafe.sourceforge.net
SMART: http://safemap.sourceforge.net