This issue is packed full with material for every knowledge level and will especially be of interest to those
that want to know more about the inner workings of the Payment Card Industry since we got two articles
related to the topic.
Mirko Zorz
Chief Editor
Distribution
(IN)SECURE Magazine can be freely distributed in the form of the original, non-modified PDF document.
Distribution of modified versions of (IN)SECURE Magazine content is prohibited without the explicit
permission from the editor. For reprinting information please send an email to reprint@insecuremag.com
or send a fax to 1-866-420-2598.
www.insecuremag.com
4
SECUDE releases Secure notebook 7.2
This version also offers a plug-in for BartPE, the Windows recovery system that boots and runs from CD. It supports the creation of an emergency recovery disk (ERD), which can be used to secure data in emergency cases, preventing loss, as well as to get the notebook running again after a system crash. More information is available at www.secude.com
Sophos offers free rootkit detection and removal tool
Performance increases in the new models are the result of faster CPUs, greater memory and
overall system improvements. The models offer more memory capacity than comparable current
models and many of them offer larger disk space with the option for even greater disk space. For
more information visit Blue Coat Systems at www.bluecoat.com
Over the years the landscape of information security has changed from the need to implement perimeter protection to the concept of defense-in-depth and edge-security. Both of the latter concepts are a result of the changing landscape of fraud. In an effort to prevent fraud and reduce risk across the board, different industries have implemented their own set of compliance requirements.
On the surface the PCI DSS looks very detailed, especially when compared with other standards such as HIPAA, GLBA, and SOX. Underneath the clearly outlined requirements and audit procedures is a lengthy list of compensating controls, third-party systems, outsourcing, small data caveats, and that doesn’t even break the surface of the individual requirements and their intent. As PCI begins to gain critical mass and more companies begin to comply, there is a need for clarity of vision and understanding for each part of the standard.

This article begins to demystify the Payment Card Industry Data Security Standard; explains the industry, its players, and how they relate; and explains the long list of nuances and differences in these definitions. Through detailed explanation the reader should have a much stronger understanding of the history, current landscape, risks, and best ways to mitigate those risks for your company or the companies you work with. This paper will not make you an expert on the payment card industry but it will give you a great start in beginning to understand the compliance process.

A quick review of the headlines in 2005 demonstrates that organized crime is successfully compromising organizations of all kinds to gain access to credit and debit card data. It seemed like every week there was a new data compromise showing up in the news, eerily shadowing the many more that never made it to press. The credit card associations saw this fraud coming and have been working since 1999 to move the industry onto a more secure path, but it is not as easy as many assume.

The payment card industry is a unique beast when compared with others because it does not fit into a single procrustean box. While other industries fall into "verticals" such as financial services, manufacturing, or education, the payment card industry is described as a "horizontal" because it cuts across most other vertical industries. The majority of companies accept credit cards as payment for services and thus fall under the umbrella of the payment card space. Due to its large size, making any change in this market is a slow process that takes time and patience.

The card associations finally combined forces in December of 2004 by creating a common compliance standard to which they all agreed. This reduced the overlap and redundancies as well as compliance costs for companies. The industry emerged in 2005 with a new standard for compliance, but crime continued to increase more than ever as criminals found new and creative attack vectors to target the industry. The card associations, overwhelmed with fighting fires on multiple fronts, tried to push companies to increase the security of their data systems to prevent future fraud. In June of 2005 a large and mostly unknown credit card data processor, CardSystems Solutions Inc. (CSSI), was compromised and liable for the potential loss of 40 million credit card numbers. This was the largest data security breach to date and was made worse by the fact that CSSI was listed on the Visa web site as a compliant service provider. This one event rocked the industry because of the media coverage it obtained. It seemed as if the public was suddenly concerned with their personal privacy and they began fighting back against the senseless loss of personal information.

In October 2005, John Coghlan, the new President and CEO for Visa U.S.A., announced his focus on helping secure the payment card industry. Although forgoing the use of credit cards is almost unimaginable for many people, the risk of brand reputation loss and the slowing of an ever expanding market could cause millions of dollars of loss for Visa as well as other card associations. Industry experts began to look at all the moving parts and realize the magnitude of what it meant to secure credit card data. For years, companies were storing credit card data along with all the other data they collected because data storage was cheap. Now they were being told not only should they not store it, but if they do there is a whole list of controls they must have in place. In many instances these controls relied on software that was sold to them by third parties – entities that were outside their control.

As companies moved slowly towards compliance another problem arose. The standard was so new that everyone interpreted it a little differently. One would think that between security professionals they would all interpret a certain requirement a little differently but more or less the same. This assumption proved very wrong as information security consulting companies were submitting proposals for work that varied from $10,000 to $400,000 for the same project. It was clear that these requirements needed some clarification so companies and professionals would have a common understanding about their intent and thus their implementation.

To address this communication problem, Visa U.S.A. (and the other regions internationally) launched a training program for qualified professionals to provide them a common understanding of the industry, compliance requirements, and their intent. This paper does for the individual what Visa has already done for the qualified security companies – it explains the intent, clarifies the ambiguity, and provides examples of how the payment card industry compliance requirements affect your business. After reading this paper you should be better able to understand their recommendations and qualify them to save your company or department time and money.

Creating and rolling out any new standard for any industry is not an easy task. The British standard for information security management (BS 7799) began as a code of practice in 1992 but was not formalized into a standard until 1995. Even then it was not until December of 2000 that it became an international standard as ISO 17799. In 2002, the second part of the standard was published as BS 7799-2. Then in October of 2005 a final draft of ISO 27001 was published that described how to apply the controls of ISO 17799 and how to build and maintain an information security management system (ISMS). It has taken 13 years for the standard to mature from a code of practice into a fully working certification program. This shows that standards are not created perfect but evolve and change over time.

The payment card industry is one of the first to proactively implement an industry-specific compliance program. The real estate market implemented a similar industry-driven regulation called the REALTOR Secure program but it is nowhere near the size nor has as much impact as the one being implemented by the payment card industry. The reason for self-regulating is to prevent government intervention and increase consumer confidence. The story goes like this: if the fraud increases too much and the media hypes it, then people will get concerned – if citizens are worried they put pressure on their local and state representatives in government who then pass legislation to control the fraud problem. Legislation is one way of stemming the fraud, but it also binds all of the players in the payment card industry to play by the rules set forth by the federal government. Some may not see a problem with this, but those familiar with the government-run Gramm-Leach-Bliley (GLB) Act of 1999 will know that it is better to have Visa as your regulator than the Federal Reserve, FTC, Comptroller of the Currency and Office of Thrift Supervision. The major difference between industry-run regulations and those controlled by the government is that of flexibility. The card associations are better able to update and improve their compliance requirements on a continual basis as opposed to those that govern financial institutions such as credit unions, with compliance requirements that are only updated on a three year cycle.
This combination of self-regulation and actual teeth to the program (in terms of large fines) is what is driving the industry in the right direction towards protecting a person’s credit card data.

The credit card associations include Visa, MasterCard, American Express, Discover, and JCB. These participants came together to agree upon a set of common security requirements that would govern entities that store, process, or transmit cardholder data. The card associations also agreed on the definition of cardholder data as the account number (also known as the Primary Account Number or PAN), the expiration date, track data, personal identification number (PIN) block data, and the card verification value (CVV2). The proper protection of these data elements is mandated by the PCI DSS requirements and must be verified differently depending on the level definition assigned to the organization.

The PCI DSS focuses on 12 different areas of security including: network segmentation, default settings, data encryption, secure network communications, anti-virus software, software development life cycle (SDLC), access restrictions, user authentication, physical security, event logging, testing and auditing systems, and policies and procedures. Each of these areas is optically similar to other information security best practices, but there is a difference in that they focus specifically on cardholder data and the environment that surrounds, connects, and protects that data.

A common confusion is the difference between PCI, Cardholder Information Security Program (CISP), Account Information Security (AIS), and Site Data Protection (SDP). For many who are not familiar with the subtlety of the PCI program these acronyms seem interchangeable, but there are important distinctions between them. When the different card associations (Visa, MasterCard, Discover, American Express, and JCB) decided to align their security programs they had to make compromises to account for their differences in structure and location. MasterCard is an association that is internationally chartered, meaning that there is only one region that is global in nature. They required their SDP program be implemented universally around the world. Conversely, Visa is made up of six different regions and each has a slightly different way of combating fraud. Visa U.S.A. has the CISP which implements the PCI standard. AIS is the name given to the implementation of PCI within the other international Visa regions.
The PCI alignment is the agreement by the different card associations to adopt the following documents as the data security requirements, compliance criteria, and validation procedures.

• PCI Data Security Standard
• PCI Security Audit Procedures
• PCI Self-Assessment Questionnaire
• PCI Network Security Scan Requirements
• PCI Payment Application Best Practices (Proposed)

The PCI DSS applies to any entity that stores, processes, or transmits credit card data and all system components connected to the cardholder data environment. All entities must be compliant, but how they validate their compliance is based on several factors including their transaction volume and what services they provide. These may seem like simple definitions but they grow in complexity with the entity being examined.

Many people get confused about the difference between merchants, service providers, gateways, and data storage entities. The card associations generally break down non-issuing/acquiring/processing entities into: Merchant or Service Provider.

A Merchant is defined as a location or store where purchases are made. The merchant is responsible for the security of the credit card information regardless of who they pass the information off to, such as a service provider.

A Service Provider is defined as an entity that handles credit card information on behalf of a merchant, acquirer, issuer, processor, or other service provider.

Many people think of Amazon, the online book seller, as a simple merchant but they are much more complex than that. Amazon is, strangely enough, both a merchant and a service provider. They are a merchant because they accept credit cards for the books they sell and a service provider for the transactions they aggregate on behalf of other merchants. Amazon offers other merchants, most notably Target, a storefront for their merchandise. The transactions are processed by Amazon on behalf of many different merchants, making them a service provider.

A common misconception with PCI is that if a company does not need to validate their compliance then they do not need to be compliant. This is incorrect because all companies must comply with the PCI DSS, but how these companies validate their compliance will differ depending on the type of organization, their transaction volume, and acceptance channels (i.e. e-commerce vs. brick-and-mortar).

Level 1 Service Provider examples

• Gateways
• VisaNet Processors (member and non-member)
• Data Storage Entity (DSE) - (more than 6 million MasterCard or Visa transactions regardless of acceptance channel)

Level 2 and 3 Service Provider examples

• Data Storage Entity (DSE) - (more than 150,000 and less than 6,000,000 electronic commerce transactions)
• Third-Party Servicer (TPS)
• Independent Sales Organizations (ISO)
• Merchant vendor
• Web hosting company or shopping cart
• Media back-up company
• Loyalty program vendor
• Risk management vendor
• Chargeback vendor
• Credit bureau
Merchants are divided into four levels depending on their transaction level as shown in the table below. A recent change in the level definitions increased the number of Level 2 merchants by making that level agnostic about acceptance channel and thus capturing many large brick-and-mortar retailers that flew under the radar previously by not having e-commerce systems. The deadline for compliance of all merchants, other than those newly classified as Level 2, has already passed.

Visa merchant levels (only the following rows are legible on this page)

• Level 1 (in part): Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
• Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.

Level 1 merchants validate their compliance by having an annual on-site data security assessment by a qualified security assessor and performing a quarterly network scan by a qualified scan vendor. These requirements are meant to enforce compliance among the riskiest merchants. Level 2 and 3 merchants must only complete an annual self-assessment questionnaire and a quarterly network scan by a qualified scan vendor. The ability to self-assess is given to those merchants that pose a lower security risk. Level 4 merchants must perform the same measures as Level 2 and 3 merchants but their validation dates and enforcement are regulated by their acquirer.

Service providers are divided into three levels depending on their transaction level. Visa and MasterCard differ on their definitions of a service provider, meaning the service provider must assess at the greater of the two level definitions they would fall into. The table below outlines the Visa and MasterCard service provider levels.

Visa service provider levels

• Level 1: All VisaNet processors (member and nonmember) and all payment gateways.
• Level 2: Any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually.
• Level 3: Any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually.
MasterCard service provider levels (only the following rows are legible on this page)

• Level 1 (in part): All data storage entities (DSE) that store account data on behalf of Level 1 or Level 2 merchants.
• Level 2: All DSEs that store account data on behalf of Level 3 merchants.

Level 1 and 2 service providers validate their compliance by having an annual on-site data security assessment by a qualified security assessor and performing a quarterly network scan by a qualified scan vendor. Level 3 service providers must only complete an annual self-assessment questionnaire and a quarterly network scan by a qualified scan vendor. All service providers must also submit a letter confirming their report’s accuracy. This provides clearly worded language from the service providers attesting to the fact that the report being submitted to the card associations is correct and valid.

Credit card compromise cases continue to plague the industry as attackers evolve from one method of attack to another. The current trends show credit card compromises are changing from Internet-facing organizations down to the application level.

E-commerce merchants were first on the scene for bringing credit card transactions to the Internet. The credit card lends itself easily to purchasing products and services online through its flexibility and almost universal acceptance. Credit cards can either be used in a ‘swipe’ transaction, where the credit card is presented to the merchant and the magnetic track is read, or in a ‘card not present’ transaction, where only the credit card number and expiration date are available. Card not present transactions are a higher risk due to the fact that the information could be forged. In addition to the risk of card not present transactions there is the inherent risk that e-commerce systems are susceptible to attack by any user connected to the Internet.

Service providers pose a unique risk in that they typically handle credit card data from multiple entities, either merchants, acquirers, or processors. A gateway aggregates transactions from multiple merchants, thus increasing the volume and risk posed by these organizations. Service providers typically aggregate e-commerce transactions but can just as easily aggregate transactions from brick-and-mortar merchants.

Retail merchants pose a specific risk as more and more stores are being connected together via the Internet or use wireless networks for POS or inventory purposes. The first risk arises as retail stores are being connected directly to the Internet. As companies grow and open new stores they are constantly looking for an inexpensive method of remotely managing them. These companies need a way of remotely managing and accessing each store for administrative purposes. As a result many companies install a broadband or dial-up connection to the Internet at each store location. This connection is used to remotely access the store either through a virtual private network (VPN) or other remote control software such as pcAnywhere. The risk associated with a retail location being directly connected to the Internet through the use of remote management software is relatively high, with the weakest link in the security chain being the authentication mechanism.

The second risk outlined for retail merchants is that of wireless networks being used at a store location and not properly secured. A recent report identified “the wireless LAN (WLAN) market will grow at an annual rate of 30 percent per year … [it] also found that WLAN sales have increased 60 percent compared to last year.” This growth in wireless networking has not been ignored by retail merchants as they begin to implement such networks for operating their POS or inventory systems. The risk of wireless networks is that few companies implement proper security or network segmentation to make these networks safe for financial transactions.

In the past two years many retail stores have been compromised including DSW Shoe Warehouse, Polo Ralph Lauren, and BJ's Wholesale Club Inc. This trend has increased as attackers learn that compromising these systems is sometimes easier and more lucrative than other locations.

If an attacker wishes to compromise a payment gateway they are usually faced with circumventing a corporate firewall or looking for a vulnerability in one of their Internet applications. Retail merchants on the other hand offer much less resistance, with some connected to the Internet with no firewall at all.

For many companies compliance is driven by a stick rather than a carrot. Publicly traded companies comply with Sarbanes-Oxley (SOX) because if they don’t the Securities and Exchange Commission (SEC) could shut them down. Financial institutions comply with Gramm-Leach-Bliley (GLB) so the Federal Reserve or their Financial Deposit Insurance Corporation (FDIC) auditors do not force them to close. The reason companies adhere to the PCI DSS standard is because non-compliance could result in fines (egregious violations up to $500,000), forensic investigation costs, issuer and acquirer losses (unlimited liability for fraudulent transactions and any card replacement costs), as well as any dispute resolution costs.

Although Visa cannot directly fine merchants and service providers, they can assign fees to the acquirer, who can contractually pass them on to the appropriate merchant or service provider. If an acquirer does not have a direct relationship with a service provider it is important that the merchant who does have that relationship have legal contracts in place to verify they can pass the fees along to the service provider.

Without such contractual assignment of fees the merchant would be stuck with any fees assigned to them resulting from a compromise of their credit card data even if their service provider was at fault.

In addition to the negative impact there are several positive reasons to comply with the PCI DSS. Merchants that wish to comply with PCI DSS must validate that their service providers are also compliant.

As a result service providers are offering their compliance as a competitive advantage. Although the list of compliant merchants is not publicly accessible, Visa posts a list of all compliant service providers on their website.

Additionally, companies that want to distinguish themselves from their competition or show their customers that their personal data is secure will comply and issue a press release as well as publicizing it in their marketing material. This is especially true with application vendors that have proactively brought their software into compliance with the Payment Application Best Practices (PABP).

The PABP is a set of best practices that has not yet become part of the PCI compliance requirements, but many companies have complied with them in order to obtain a competitive advantage or so their customers can meet their compliance requirements.

Ultimately, the often overlooked benefit to a company that meets compliance with the PCI DSS is that they are more secure. Having reviewed many companies large and small, there is not one that met all of the compliance requirements when first audited. Each company has something to implement, be it policies or a firewall, that will make their company and their customers’ data more secure.
Keeping customer data secure may seem like an altruistic goal but transitively it keeps the company in business. There have been many examples where a company lost their customer data, which in turn caused long-term brand and reputation damage to the company.

An important thing for upper management to understand is the difference between compliance and security. When a company is considering a compliance standard they look to the expert in that one area and have them assist with the one compliance issue instead of examining all compliance requirements surrounding data security. For example, a bank may have several compliance requirements such as GLB, PCI DSS and state notification laws (i.e. SB1386). Companies that have multiple requirements should assign the responsibility for data security compliance to an internal person. If external assistance is required then a firm that can help meet compliance with multiple requirements is better than having separate firms assist with addressing individual requirements. This reduces redundancies and cost associated with the compliance process.

Once companies assign an employee the responsibility of compliance, that employee should educate upper management about the difference between compliance and security. Although many companies find the compliance requirements arduous and time consuming to comply with, they only represent the minimum best practice guidelines for data security. While compliance meets a minimum standard, some companies may wish to go above and beyond these requirements to ensure the security of their systems in other ways.

This method of thinking represents a differentiation between security and compliance. Although many people think that by meeting their industry compliance requirements they will be secure from all hackers and compromises, this is not necessarily the case. One simple example is that of internal employee theft. Contrary to common belief, most security compromises occur as a result of some form of insider fraud. This means that even though a company complies with all stated requirements there is still the risk that an insider with proper access, or in collusion with a second employee, could gain access to sensitive data and remove it illegally from the company.

Another example of where compliance does not equal security is that of operational management over information security systems. To meet compliance requirements a company must have certain controls in place as well as operational management of these controls. A company may be compliant one day and not the next because the operational controls were not followed throughout the year. This is a reminder that compliance is measured as a point in time but security is continuous, 24 hours a day, 7 days a week, and 52 weeks a year.

The requirements look simple at first but there are many nuances to them that require a careful understanding of the credit card industry and all players involved. It is important that companies understand their risk exposure and what they need to validate compliance. Only by understanding the framework can a company then begin to dissect the details and intent behind each requirement.

But before deciding whether or not to comply it is important to understand the risks and implications of either decision. Compliance does not equal security, so creating a compliance work plan should also involve mapping the security needs of your company to the desires of the compliance requirements. Only then will compliance become an integral and beneficial part of your business.
Michael Dahn is the President of Volubis, Inc., responsible for the management of consultants and project engagements. Mr. Dahn has a technical background in the management, design, systems integration and implementation of information security technologies for financial institutions, commercial and international clients. Mr. Dahn serves on the Board of Directors for the InfraGard National Members Alliance and is a Certified Information Systems Security Professional (CISSP). His professional memberships include the (ISC)2, High Technology Crime Investigation Association (HTCIA), Information Systems Security Association (ISSA), and InfraGard.
VoIP has hit the headlines in recent months and while some stories have focussed on the ways in which the technology is proliferating throughout the commercial world, other perhaps more alarming articles have touched on the security risks. Whilst these reports haven’t quite hit levels of mass hysteria, and coverage has, by and large, been fueled by vendor hype, the discussion surrounding VoIP security has merit.
Although the underlying technologies of VoIP VoIP is an immature technology emerging into
have been around almost as long as IP and an increasingly hostile world, but there's little
implementations have existed for many years, we can do about this. In a world where agility
it is only now that usage is extending from and time-to-market routinely come before cost
intra-office systems to worldwide usage both and security, the roll-out of new technologies
commercially and privately. To this extent, is as inevitable as the change of season. IT
VoIP is an immature technology. security professionals would urge caution in a
situation such as this - watch the early adopt-
Until commerce relies on a system, it is un- ers and you might just avoid getting burned.
likely to be adequately tested. Before the Why this article? Surely this situation is suffi-
World Wide Web was a commercial prospect, ciently commonplace as to render it uninter-
it was held together by software which would esting? Perhaps it is, until you consider
now be viewed as somewhere between quaint Skype.
and crazy. VoIP has matured, but is yet to
really be tested. In addition, a number of com- Skype re-writes VoIP rules
panies have begun offering gateway services
from Plain Old Telephone Systems (POTS) to Skype is VoIP on steroids. Even before eBay’s
VoIP and vice-versa, greatly enhancing its muscle backed the telecoms company, Skype
functionality and assisting quick take-up. swept all before it becoming the de facto
standard in a short space of time. The rea-
sons for this are more than mere good timing.
www.insecuremag.com 16
The Skype client is 'free', at least to the extent it costs no money. This, plus cross platform compatibility, good voice quality and a range of peripheral services such as Skype Out have helped the software client to over 247 million downloads (source: Skype.com). Other than its ubiquity, there are other interesting, and in some cases slightly disturbing, features of Skype.

One of the reasons Skype is so easy to use is that it works on almost any network, even behind a NAT or firewall with no special configuration. Such NAT traversing peer-to-peer activity is almost impossible to detect or block, especially when you factor in the encryption of Skype data. Any network administrators reading should be worried at this point. Without resorting to client-side restrictions, Skype is very difficult to stop; layer 7 blocking may be effective, but this is rarely black and white. Skype transfers information, including file transfer and instant messages, both in and out of the corporate network, unchecked, unrestricted and encrypted. Security professionals should be pulling their hair out because of this, and there should be P45s in waiting for any IT administrator who hasn't recognised this issue.

Secrecy poses questions

Other concerns with this technology stem from the closed nature of Skype's protocol. Its website gives little away and few know in detail the internal workings of Skype. It just works, apparently. This poses a number of problems.

Firstly, because Skype may route your calls through untrusted hosts, your data must be encrypted. Even if this were not the case, it is likely that you'd wish to secure your data. The encryption scheme used is, to all intents and purposes, untested. Bruce Schneier, one of the most respected security authorities, suggests that the best thing you can say about an encryption scheme is: "We can't break it". This is even better if other clever people can't break it either. However, the encryption used in Skype is afforded little of the rigorous academic and commercial review of say AES or other freely examinable algorithms. Similarly, the underlying peer-to-peer systems are unknown. How peers through which your data are routed are chosen remains unknown. It is not impossible that a wily attacker might exploit bugs or nuances in routing to their own ends. Study of Skype's protocol for any purpose is expressly forbidden in the license, which does not inspire confidence.

Secondly, closing the protocol necessitates closing the client. This may not appear to be a significant issue, but in this instance it means that the only Skype clients are Skype clients (if you follow my capitalization). This represents a problem akin to that experienced by Microsoft Outlook users some years ago - the evolutionary 'dead-end' that is a homogeneous environment. With one dominant client, the first email worms spread rapidly and caused significant damage. Similarly, Internet Explorer's dominance gave it a high profile to would-be attackers. Once a security flaw is found in Skype (and anyone who believes any software other than "Hello World" is immune from security flaws has been watching cartoons), it is exploitable worldwide. In terms of worms and viruses, this is write once, execute anywhere. Admittedly, email worms have calmed somewhat, and are now more reliant on wetware flaws (human error) than bugs in a particular software client, but email is a much more mature technology. Worms, trojans and viruses, however, have also matured. Expect increasingly sophisticated tricks as PCs are 'owned' by hackers.

This 'one client' approach not only forcibly widens a user's circle of trust (those entities in which a user is willing to entrust their security), but it adds a well known trouble-causer to the list. eBay, Skype's 2.5 billion dollar new owners, have a less than exemplary record with regard to their handling of user data. Existing articles have already flagged this salient point, but if you wish to talk with other 'skypers', you're going to have to agree to eBay's terms. How its policies will stack up outside the US remains to be seen. Many businesses would rather pay for a client and gain the support of a commercial product. By agreeing to the license, you also "grant permission for the Skype Software to utilize the processor and bandwidth of Your computer for the limited purpose of facilitating the communication between Skype Software users" - a "limited purpose" with quite a broad remit!
Defend the network

With potential security problems like these, it would be wise to run Skype with caution, if at all. A NAT firewall would mitigate direct attacks against your client or server, for example. Unfortunately, some Skype nodes are more vulnerable than others, offering more by way of connectivity to untrusted parties. These are the 'Supernodes', used for routing calls and allowing two NAT restricted 'skypers' to converse. Any attacker would see a 'Supernode' as an obvious target – after all this is access to a network service, and traditional network services like HTTP, FTP and DNS have always seen huge potential for worms such as Code Red. HTTP servers are easy to find, but what of Skype 'Supernodes'? Well, you have but to ask. The Skype server will, with a little coaxing, happily provide a list of IPs currently known to be running as 'Supernodes'. This is to allow the NAT-ed Skype client whose built-in 'Supernode' list is outdated to easily find a 'Supernode' via which to route calls. This list of easy targets is unavoidable, and clearly poses considerable risk.

As Skype gains popularity it will come under greater scrutiny by both the security industry and those with less benign intentions. Threats could range from lawsuits, through misuse akin to the productivity losses incurred by spurious web browsing prior to the introduction of effective content filters and logging, right through to serious security breakdowns. What can we do about this? Locking down client PCs, limited roll-out where necessary and intelligent security policies are among the best defences when implemented with the right perimeter firewall and proxy suite. This technology is inevitable, and it looks like Skype may 'VHS' the world with a possibly inferior, but ubiquitous, cheap and effective product. Don't say you weren't warned.
Tom Newton is the product development manager at SmoothWall (www.smoothwall.net), an Internet security
provider now protecting over a million networks worldwide.
Inside Network Security Assessment: Guarding Your IT Infrastructure
by Michael Gregg, David Kim
Sams, ISBN: 0672328097
How Personal & Internet Security Works
by Preston Gralla
Que, ISBN: 0789735539
How Personal and Internet Security Works illustrates in vivid detail the many
dangers faced by those who use the Internet to send or receive email, surf
the Web, conduct personal business, use a credit card, or even travel to
airports and how those dangers can be solved.
This book explains UNIX for the Mac OS X user–giving you total control over
your system, so you can get more done, faster. Building on Mark Sobell’s highly
praised A Practical Guide to the UNIX System, it delivers comprehensive
guidance on the UNIX command line tools every user, administrator, and
developer needs to master–together with the world’s best day-to-day UNIX
reference. This book is packed with hundreds of high-quality examples. From
networking and system utilities to shells and programming, this is UNIX from the
ground up–both the “whys” and the “hows”–for every Mac user.
Certified Ethical Hacker Exam Prep is the perfect solution for the CEH exam,
giving you the solid, in-depth coverage you’ll need to score higher on the exam.
Along with the most current CEH content, the book also contains the elements
that make Exam Preps such strong study aides: comprehensive coverage of
exam topics, end-of-chapter review, practice questions, Exam Alerts, Fast
Facts, plus an entire practice exam to test your understanding of the material.
The book also features MeasureUp’s innovative testing software, to help you
drill and practice your way to higher scores.
Electronic Evidence is changing the scope and face of many regulatory and
judicial investigations. People may wonder why they need computer forensics
in an investigation if they are already using an electronic evidence specialist.
Why should they pay twice for what they perceive as being the same service?
A forensic review of selective computers can help an e-discovery team work more efficiently by helping them narrow their scope in its time frame, number of locations, number of computers (email servers, network servers) and number of people. Another item to consider is: do you want to review deleted items? If so, a forensic review is a must for that computer. Below is a comparison of electronic discovery and computer forensics on some of the key points.

Computer forensics:
• Investigate and detail analysis
• Typically targets selected hard drives
• Searches everything on the hard drive, "deleted" and active items
• Determine who, what, and when
• Creation of a timeline of events
• Reporting and expert testimony
• May include backup tapes, email servers, other servers

Electronic discovery:
• Gathering, searching, filtering, and producing large amounts of information for review
• Can cover thousands of hard drives
• Active and archived data, normally does not include deleted, discarded, hidden, or encrypted data
• Data is accessed, but not analyzed
• Can include backup tapes, email servers, other servers
• Can be reviewed by numerous people in several locations

You may notice that searches in computer forensics can take days, compared to minutes for electronic discovery. This seems odd until you look at the way searches are done using computer forensic software.

Consider that a typical personal computer with an 80 GB hard drive can have 18,181,820 pages of data on it. Electronic discovery may only look at a small fraction of this data, and the search is a text search (byte by byte). In computer forensics every bit of the hard drive is searched bit by bit (note: eight bits equals one byte). In general, the bit by bit search algorithm is much slower than the text search. This speed difference and the searching by bits instead of bytes requires much more time.

At one time computer forensics was very expensive and was viewed as unaffordable for the average case. This meant that if any electronic evidence was reviewed it was done through electronic discovery, not computer forensics. Now, with innovations in computer forensic software, a forensic examination of a hard drive is reasonably affordable. This has caused more and more cases to include electronic evidence that just a few years ago would have ignored it. This has caused some interesting developments, as there was very little case law to guide attorneys and judges in these matters. The past few years have seen more and more rulings on items found using computer forensics and more conferences and work groups formed to publish guidelines on electronic discovery and computer
forensics. One such organization is The Sedona Conference (thesedonaconference.org), which is a non-profit, non-partisan law and policy think-tank.

One of the Work Groups, WG1: Electronic Document Retention and Production, has the purpose of developing principles and best practice guidelines concerning electronic evidence retention and production. These guidelines were developed as a joint collaboration between attorneys in the public and private sector, judges, and other experts. Here are the 14 proposed guidelines:

1. Electronic data and documents are potentially discoverable under Fed. R. Civ. P. 34 or its state law equivalents. Organizations must properly preserve electronic data and documents that can reasonably be anticipated to be relevant to litigation.

2. When balancing the cost, burden and need for electronic data and documents, courts and parties should apply the balancing standard embodied in Fed. R. Civ. P. 26(b)(2) and its state-law equivalents, which require considering the technological feasibility and realistic costs of preserving, retrieving, producing and reviewing electronic data, as well as the nature of the litigation and the amount in controversy.

3. Parties should confer early in discovery regarding the preservation and production of electronic data and documents when these matters are at issue in the litigation, and seek to agree on the scope of each party's rights and responsibilities.

4. Discovery requests should make as clear as possible what electronic documents and data are being asked for, while responses and objections to discovery should disclose the scope and limits of what is being produced.

5. The obligation to preserve electronic data and documents requires reasonable and good-faith efforts to retain information that may be relevant to pending or threatened litigation. However, it is unreasonable to expect parties to take every conceivable step to preserve all potentially relevant data.

6. Responding parties are best situated to evaluate the procedures, methodologies and technologies appropriate for preserving and producing their own electronic data and documents.

7. The requesting party has the burden on a motion to compel to show that the responding party's steps to preserve and produce relevant electronic data and documents were inadequate.

8. The primary source of electronic data and documents for production should be active data and information purposely stored in a manner that anticipates future business use and permits efficient searching and retrieval. Resort to disaster recovery backup tapes and other sources of data and documents requires the requesting party to demonstrate need and relevance that outweigh the cost, burden and disruption of retrieving and processing the data from such sources.

9. Absent a showing of special need and relevance, a responding party should not be required to preserve, review or produce deleted, shadowed, fragmented or residual data or documents.

10. A responding party should follow reasonable procedures to protect privileges and objections to production of electronic data and documents.

11. A responding party may satisfy its good-faith obligation to preserve and produce potentially responsive electronic data and documents by using electronic tools and processes, such as data sampling, searching or the use of selection criteria, to identify data most likely to contain responsive information.

12. Unless it is material to resolving the dispute, there is no obligation to preserve and produce metadata absent agreement of the parties or order of the court.

13. Absent a specific objection, agreement of the parties or order of the court, the reasonable costs of retrieving and reviewing electronic information for production should be borne by the responding party, unless the information sought is not reasonably available to the responding party in the ordinary course of business. If the data or formatting of the information sought is not reasonably available to the responding party in the ordinary course of business, then, absent special circumstances, the costs of retrieving and reviewing such electronic information should be shifted to the requesting party.

14. Sanctions, including spoliation findings, should only be considered by the court if, upon a showing of a clear duty to preserve, the court finds that there was an intentional or reckless failure to preserve and produce relevant electronic data and that there is a reasonable probability that the loss of the evidence has materially prejudiced the adverse party.

Over the last year or so there has been more merging of electronic evidence tools with computer forensic tools. Where electronic evidence tools would search the storage media on a computer or network, they generally would only look at undeleted or active files. If you thought the file you needed had been deleted, then you called in the computer forensic person. They would get the deleted files, file fragments, and other artifacts left on the computer storage media. As electronic evidence becomes more prevalent in court, vendors are beginning to develop more sophisticated tools which will become increasingly important as companies must now be sure they comply with the new Federal laws such as Sarbanes-Oxley.
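To make the difference between the two kinds of search concrete, here is an added example (not from the article): a constructed toy disk image in which the same keyword sits in an active file, in that file's slack space and in a sector left behind by a deleted file. The "electronic discovery" search walks only allocated file content as plain text and finds one hit; the "forensic" search walks every byte of the media in more than one text encoding, finds all three, and reports where each lies. The image layout, file names and keyword are all constructed, no real filesystem format is parsed, and the search works at byte granularity, so the article's bit-by-bit remark is not modelled.

```python
"""Logical vs. physical keyword search over a constructed disk image.

Added example, not from the article: a toy image with one allocated file, a
remnant in that file's slack space and a deleted file in an unallocated
sector. No real filesystem format is parsed; the allocation table is a list.
"""

SECTOR = 512
KEYWORD = "ACME-9911"  # constructed search term, chosen to appear nowhere else

# Constructed contents. report.txt is active and 600 bytes long, so it
# occupies sectors 1 and 2 with 424 bytes of slack at the end of sector 2.
ACTIVE_TEXT = (b"Quarterly report. Project " + KEYWORD.encode()
               + b" is on schedule.\n").ljust(600, b".")
SLACK_REMNANT = b"old draft mentions " + KEYWORD.encode() + b" budget overrun"
# memo.txt was "deleted": its table entry is gone but the bytes remain in
# sector 3, stored as UTF-16LE the way many Windows applications write text.
DELETED_TEXT = ("Memo: cancel " + KEYWORD + " immediately").encode("utf-16-le")


def build_image():
    """Return (image_bytes, allocation_table) for the constructed media."""
    image = bytearray(6 * SECTOR)              # six zeroed sectors
    image[SECTOR:SECTOR + len(ACTIVE_TEXT)] = ACTIVE_TEXT
    slack_start = SECTOR + len(ACTIVE_TEXT)    # first byte past end of file
    image[slack_start:slack_start + len(SLACK_REMNANT)] = SLACK_REMNANT
    image[3 * SECTOR:3 * SECTOR + len(DELETED_TEXT)] = DELETED_TEXT
    table = [("report.txt", 1, len(ACTIVE_TEXT))]  # (name, first sector, length)
    return bytes(image), table


def logical_search(image, table, keyword):
    """E-discovery style search: only the bytes inside allocated files, only
    as plain text. Returns (file name, offset within file) pairs."""
    needle = keyword.encode("ascii")
    hits = []
    for name, first_sector, length in table:
        start = first_sector * SECTOR
        data = image[start:start + length]
        pos = data.find(needle)
        while pos != -1:
            hits.append((name, pos))
            pos = data.find(needle, pos + 1)
    return hits


def physical_search(image, keyword):
    """Forensic style search: every byte of the media, whether or not a file
    points at it, in more than one text encoding. Returns (offset, encoding)."""
    hits = []
    for encoding in ("ascii", "utf-16-le"):
        needle = keyword.encode(encoding)
        pos = image.find(needle)
        while pos != -1:
            hits.append((pos, encoding))
            pos = image.find(needle, pos + 1)
    return sorted(hits)


def locate(offset, table):
    """Describe where a media offset falls: inside an allocated file, in the
    slack between a file's end and its last sector boundary, or unallocated."""
    for name, first_sector, length in table:
        start = first_sector * SECTOR
        end_of_file = start + length
        end_of_run = start + -(-length // SECTOR) * SECTOR  # round up to sectors
        if start <= offset < end_of_file:
            return "allocated:" + name
        if end_of_file <= offset < end_of_run:
            return "slack:" + name
    return "unallocated"


def forensic_report(image, table, keyword):
    """Physical hits annotated with their location on the media."""
    return [(offset, encoding, locate(offset, table))
            for offset, encoding in physical_search(image, keyword)]


if __name__ == "__main__":
    img, tbl = build_image()
    print("logical :", logical_search(img, tbl, KEYWORD))
    for offset, encoding, where in forensic_report(img, tbl, KEYWORD):
        print(f"physical: offset {offset:5d} {encoding:9s} {where}")
```

The logical pass touches 600 bytes and reports a single hit in report.txt; the physical pass touches all 3072 bytes twice (once per encoding) and additionally surfaces the slack remnant and the deleted memo. Scaling that to a whole drive, with more encodings and with the bit-level matching the article describes, is why the forensic search takes days rather than minutes.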
J. Frank Grindstaff, Jr., (CPA, CISA, CIA, CCE, EnCE) is on the computer forensics team of a Fortune 500
company. Frank is a past president of the Atlanta Chapter of Information Systems Audit & Control Association
(ISACA) and is active in several professional organizations including the High Tech Crime Investigation Asso-
ciation (HTCIA), ISACA, and the Georgia Society of CPA’s. Frank can be contacted at www.gsforensics.com.
Ten years ago I started working for a small San Francisco based startup that
was offering consulting services for financial institutions. One of my first du-
ties there was to be a part of a small penetration testing team.
Back then we had some good pieces of code that were helping us to test modem connections, file servers and different networking equipment.

At my current job position, my employer often sends me to information security conferences all over the States. From the lectures I attend and companies exhibiting, it is very obvious that the current hot trend is web application security.

With a growing number of businesses going online, web applications became one of the biggest security issues. The types of scanners we used back then evolved to another level following the latest threats.

Acunetix Web Vulnerability Scanner is one of the rather new products in the evolving web application security market. Before I start this review, I must give you a disclaimer - because of company policy, some of the screenshots accompanying the review will be obfuscated or even taken from a scan of Acunetix test web servers.

For the purpose of this review I used the latest version of Acunetix Web Vulnerability Scanner available - 4.0. With an installation file of just above 8 MB, the software will take approximately 28 MB of space.

As you can see from the screenshot on the following page, a straightforward software GUI offers an optimized three-column structure. From left to right we have a main set of options and tools, scan results and a window containing details of a selected vulnerability alert.

The bottom of the screen hosts a real time activity window that shows the progress of the scanning process.
Figure 1. Acunetix Web Vulnerability Scanner main screen.
There are four different scan types. The default one offers a normal procedure where one web site gets all the attention. If the user wants to scan multiple sites, there is an option to select a file that contains the list of URLs. If you already used the software's built-in crawler module, you can also act upon its results. The final scan type offers scanning of a range of IP addresses with web servers running on ports specified by the user. I mostly used the default option for scanning a single web site. After choosing this option, the user is able to use a predefined set of scanning profiles and to set specific crawling options. If in any case the target web server is located behind an HTTP authentication window, you will be able to fill in your credentials. When you set up the initial scan settings, hitting the finish button will fire away the scanner.

The alerts are presented to the user in an easy to manage format: vulnerability type -> vulnerability item -> description. Under the vulnerability description, the most interesting thing is to check out attack details.

For every detected vulnerability, the user can see the actual HTTP headers that triggered the vulnerability as well as the HTML response given by the tested server.

Besides this, the software uses an innovative approach allowing the user to modify and replicate the same attack via a built-in HTTP Editor module. Within this GUI, users can craft specially structured attacks and analyze the server response.
Figure 4. The HTTP Editor.
There is a slight bug with the attack launching that manifests in vulnerability items that are clearly not exploitable. For instance, inside a blue alert that says "Broken link", the user can try to launch this attack. There is obviously no attack related to this, but the software AI doesn't understand the difference. I didn't come across any other buggy issues with the software, so I thought about mentioning this one.

Advanced users will find the "Vulnerability Editor" option very interesting. There you can list and edit all the vulnerability types and specific items that Acunetix uses for scanning. I was really satisfied with the way users can create new items by cloning existing vulnerability information. This way, users develop custom sets of vulnerability scanning actions that would be optimized for their servers, as well as manually update sections of the current vulnerabilities.
Figure 6. The HTTP sniffer in action.
Besides HTTP Editor, Acunetix Web Vulnerability Scanner offers a couple of other invaluable tools:

• With HTTP Sniffer users can create a custom set of traps that would be recorded in the sniffing period. By the way, by enabling the sniffing option, the software starts a proxy on port 8080.

• HTTP Fuzzer is a nice addition that is used for crafting specific requests and tracking the server's response. The option is especially worthy when used with one of the predefined number/character generators which append their output to the requests.

• The last tool I actively used inside Acunetix WVS is an Authentication Tester, a brute force module that can be configured for testing both HTTP and HTML form authentication methods.

The verdict

The bottom line is that Acunetix Web Vulnerability Scanner 4 is a powerful and versatile scanner that proves to be an important piece of a web application-testing arsenal.

As always with penetration testing, some things must be done manually, but from the perspective of an automated web vulnerability scanning procedure, you cannot miss with Acunetix WVS.
Mark Woodstone is a security consultant that works for a large Internet Presence Provider (IPP) that serves
about 4000 clients from 30 countries worldwide.
Part 1, published in issue 7 of (IN)SECURE, looked at the technicalities of port
forwarding, covering local, remote and dynamic port forwarding. Part 2 looks
at the security implications, and makes some recommendations for securing
port-forwarding solutions on a network.
Internal SSH Server Configuration

Most SSH servers default to allowing port forwarding. Where there is no reasonable use for this feature, it should be disabled. This instantly protects against many of the possible circumventions of firewall rules or security policies.

Where port forwarding is required, or useful, two options exist to provide some extra security to this system. The first option is to reduce the number of users with accounts on this system to only those that need port forwarding capabilities. Users who only need shell access should be able to use a different sshd, which has had port forwarding disabled entirely. Reducing the number of users with access to the system reduces the number of users with the capability to subvert the security policy.

The sshd config keywords AllowTcpForwarding, AllowTcpForwardingForUsers and AllowTcpForwardingForGroups control TCP forwarding, and allow the server administrator to specify users and groups for which TCP port forwarding is allowed. When using public-key authentication, port forwarding may be turned off on a per-key basis by using the ~/.ssh/authorized_keys file.

The second option is to put the server with port forwarding enabled into a more secure zone of the network, a DMZ (demilitarized zone), for instance, where there is a second firewall protecting the internal network, and allowing connections only to services specifically allowed. If you need to allow port forwarding to one or two well-defined services running on your LAN, this may well be a secure and practical solution (see Figure 1 below).

In the network example above, an external client may access the SSH server in the DMZ, with full port forwarding capabilities. The internal firewall only allows certain inbound connections to pass, however, and so the flexibility of the port forwarding is limited by the internal firewall. This allows secure solutions to retain some of the flexibility of port forwarding.

Other security concerns exist with the use of SSH, and it is of course always recommended to change the default settings of an SSH server to increase the security. The use of public-key authentication, and increasing the verbosity of the logging (the LogLevel server configuration option) are important considerations in a secure environment. Lowering the time an sshd waits for login to complete is also useful on secure servers, as Denial of Service attacks could flood the server with connection requests and resources would be tied up until this time has passed and the connection is closed. The LoginGraceTime keyword is responsible for setting this time period.

Firewall Policies For Outbound SSH

In a perfectly secure environment, outbound SSH would be disabled entirely; it is not possible to guarantee the security of systems you do not have direct control over. In many environments, it is sufficient to allow outbound SSH only to certain addresses; remote office servers and other systems which are considered to be secure, and for which access is needed on a daily basis. For all other outbound SSH, one solution is to put an SSH server into the DMZ. This server would accept connections from only a limited number of users, and allow outbound SSH from that system to anywhere on the Internet. In this way, it is possible to restrict which users have such access in much the same way as discussed above for inbound SSH.

Outbound SSH Client Configuration

If your SSH client program allows port forwarding to be disabled at compile-time, and the users have no means of compiling or using their own SSH clients, using this feature would be a powerful way to restrict user port forwarding. You do, however, lose a lot of flexibility in this method. An administrator can no longer go to a user machine and use the same SSH client to perform activities which require port forwarding. This loss of flexibility is only worth the security gain in a highly secure environment. In all other cases, comprehensive firewall rules and SSH server configuration should suffice.

Keyword                        Value                    Description
AllowTcpForwardingForUsers     List of allowed users    Lists the users which are allowed to use TCP port forwarding on this server.
AllowTcpForwardingForGroups    List of allowed groups   Lists the groups which are allowed to use TCP port forwarding on this server.
DenyTcpForwardingForUsers      List of denied users     Lists the users which are to be denied port forwarding access on this server.
DenyTcpForwardingForGroups     List of denied groups    Lists the groups which are to be denied port forwarding access on this server.
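As an added example (not from the article or from any SSH distribution), the following script checks the server-side settings discussed in this section: AllowTcpForwarding, LoginGraceTime and LogLevel in sshd_config, and the per-key forwarding options in authorized_keys. The two sshd_config samples and the authorized_keys lines are constructed, with placeholder key material; the key options no-port-forwarding, permitopen and restrict are the OpenSSH names, and the handling of Match blocks assumes OpenSSH's rule that the first value seen for a global keyword wins.

```python
"""Audit sshd_config and authorized_keys for the port-forwarding controls
discussed above. Added example, not from the article: the sample files are
constructed, and the keys are placeholders, not real public keys."""
import re

# Constructed sshd_config with permissive defaults.
WEAK_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
LogLevel INFO
LoginGraceTime 2m
AllowTcpForwarding yes
PasswordAuthentication yes
"""

# Constructed hardened counterpart following the article's recommendations.
HARDENED_SSHD_CONFIG = """\
Port 22
LogLevel VERBOSE
LoginGraceTime 30
AllowTcpForwarding no
PubkeyAuthentication yes
PasswordAuthentication no
"""

# Constructed authorized_keys: an unrestricted key, a key with forwarding
# switched off, and a key limited to a single internal service.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3PLACEHOLDER1 alice@laptop
no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3PLACEHOLDER2 bob@desk
permitopen="10.0.0.5:443" ssh-rsa AAAAB3PLACEHOLDER3 carol@ops
"""


def parse_sshd_config(text):
    """Global settings as {keyword_lower: value}. sshd keeps the first value it
    sees for a keyword, so later duplicates are ignored, and parsing stops at
    the first Match block because lines after it are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        settings.setdefault(keyword, value)
    return settings


def _seconds(value):
    """LoginGraceTime accepts plain seconds or a number with an s/m/h suffix."""
    m = re.fullmatch(r"(\d+)([smh]?)", value.lower())
    if not m:
        return None
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600}[m.group(2)]


def audit_sshd_config(text, max_grace_seconds=60):
    """One finding string per weak setting, always in the same order."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("allowtcpforwarding", "yes").lower() != "no":
        findings.append("AllowTcpForwarding: not 'no', any shell user may tunnel through this host")
    grace = _seconds(cfg.get("logingracetime", "120"))
    if grace is None or grace > max_grace_seconds:
        findings.append(f"LoginGraceTime: {cfg.get('logingracetime', 'default 120')}, "
                        f"unauthenticated connections hold resources longer than {max_grace_seconds}s")
    if cfg.get("loglevel", "INFO").upper() not in ("VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"):
        findings.append("LogLevel: below VERBOSE, raise it as the article recommends")
    return findings


KEY_LINE = re.compile(
    r'^(?:((?:[^\s"]|"[^"]*")+)\s+)?'      # optional options field (quotes may hold spaces)
    r'((?:ssh-|ecdsa-|sk-)\S+)\s+(\S+)'   # key type and base64 key
    r'(?:\s+(.*))?$')                     # optional comment


def _split_options(options):
    """Split the comma separated options field, keeping quoted values intact."""
    return [o for o in re.findall(r'(?:[^,"]|"[^"]*")+', options) if o]


def audit_authorized_keys(text):
    """(comment, forwarding status) per key, based on the OpenSSH options
    no-port-forwarding, restrict and permitopen."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if not m:
            results.append((line[:20], "unparsed line"))
            continue
        options, _ktype, _key, comment = m.groups()
        opts = _split_options(options or "")
        names = {o.split("=", 1)[0].lower() for o in opts}
        if "no-port-forwarding" in names or "restrict" in names:
            status = "forwarding disabled"
        elif "permitopen" in names:
            targets = [o.split("=", 1)[1].strip('"') for o in opts
                       if o.lower().startswith("permitopen=")]
            status = "forwarding limited to " + ",".join(targets)
        else:
            status = "unrestricted forwarding"
        results.append((comment or "(no comment)", status))
    return results


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(label, audit_sshd_config(cfg) or ["no findings"])
    for comment, status in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"{comment:14s} {status}")
```

Running the audit on a real host means feeding it /etc/ssh/sshd_config and each user's ~/.ssh/authorized_keys; a key reported as "unrestricted forwarding" on a server where AllowTcpForwarding is left at its default is exactly the combination the first option above is meant to eliminate.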
Andrew J. Bennieston contributes to leading computer security websites and forums. His writing efforts include
articles, tutorials and book/software reviews. His skillset includes C/C++, PHP, Python and Linux administra-
tion. His personal website is located at http://stormhawk.coldblue.net.
Liam Fishwick is an undergraduate in Physics at the University of Warwick, UK. His computing experience in-
cludes Linux and Windows administration and he was instrumental in testing the examples used in this article.
WINDOWS - Eraser
http://www.net-security.org/software.php?id=155
Eraser is a secure data removal tool for Windows. It completely removes sensitive data from your
hard drive by overwriting it several times with carefully selected patterns.
LINUX - strongSwan
http://www.net-security.org/software.php?id=643
strongSwan is a complete IPsec and IKEv1 implementation for Linux 2.4 and 2.6 kernels. It in-
teroperates with most other IPsec-based VPN products.
Password Gorilla helps you manage your logins. It stores all your user names and passwords,
along with login information and other notes, in a securely encrypted file. A single "master pass-
word" is used to protect the file.
POCKET PC - eWallet
http://www.net-security.org/software.php?id=553
Have your most important personal information backed up for safekeeping, encrypted and
password-protected for security, but right with you when you want it. Plus, you can enter your in-
formation on your Windows PC and synchronize it with your handheld.
If you want your software title included in the HNS Software Database e-mail us at software@net-security.org
Security professionals have come to realize that ensuring data security and
integrity is critical to business continuity and risk mitigation. However, with
increasing amounts of data flooding our ever more complex networks, the
risk of stolen or lost - with you unable to prove that it was not stolen - infor-
mation continues to rise.
Online merchant networks are particularly at risk from both classic computer attacks and more insidious fraud. At the same time, the more customer data is collected, the more dangerous the situation becomes. In response to this trend and to prodding from major credit card companies, new security measures are being implemented by merchants and other businesses to protect the data their customers trust them with (or don't even know they have…).

Today, all credit card merchants, service providers and retailers who process, store and transmit cardholder data have a responsibility to protect that data and must comply with a diverse range of regulations and industry mandates as well as a growing list of voluntary "best practices" frameworks. These include the venerable Sarbanes-Oxley bill (better known as SOX or SarbOx), the Payment Card Industry (PCI) data security standard, the Gramm-Leach-Bliley Act of 1999 and even HIPAA (healthcare providers take credit cards too!). Not complying with the above might result in fines, legal exposure, or both, although it is widely known that the regulations differ wildly in regards to their "teeth." For instance, it was reported that nobody was ever fined for being out of compliance with HIPAA.

But this is easier said than done. Immense volumes of log data are being generated on such payment networks, necessitating more efficient ways of managing, storing and searching through log data, both reactively – after a suspected incident – and proactively – in search of potential risks. For example, a typical retailer generates hundreds of thousands of log messages per day amounting to many terabytes per year. An online merchant can generate upwards of 500,000 log messages every day. One of America's largest retailers has more than 60 terabytes of log data on their systems at any given time. At the same time, unlike other companies, retailers often have no option of not caring for logging.

The importance of effective and efficient log data management in payment networks cannot be overemphasized. In fact, the result of data mismanagement can be devastating. Retail Ventures Inc., for example, lost personal customer information from 108 stores in its DSW Shoe Warehouse subsidiary, an incident that involved 1.4 million credit cards used to make purchases. The lost data consisted of account numbers, names, and transaction amounts. Similarly, CardSystems was sued in a series of class action cases alleging it failed to adequately protect the personal information of 40 million consumers. At an individual cost of $30 per consumer the costs of repairing the damage could be as high as $1.2 billion. What is interesting is that in the latter case, only a smaller number of cards was "confirmed stolen", while the rest were not "confirmed safe," since there were no logs to prove that they were not.

Addressing PCI not only protects businesses and merchants from cardholder fraud, but also satisfies a broader mandate for information protection and security. Several retailers stated that complying with PCI makes them automatically compliant with SOX, due to the more stringent and more specific requirements described in the PCI standard. Additional benefits include improved operational efficiencies through broad compliance (even likely with future regulations!), reduced IT administration and maintenance costs, reduced IT labor costs and greater IT productivity. At the same time, some see complying with PCI as another compliance burden for companies, especially if IT resources are limited and focused on a day-to-day grind of "firefighting." To cost-effectively and efficiently comply with PCI, companies should look at log management and intelligence (LMI) solutions to simplify the process of collecting, storing and managing log data to both satisfy the reporting and monitoring requirements and audit log collection requirements, as well as enable better incident response and forensics.
Addressing PCI not only protects businesses and merchants from cardholder fraud, but also
satisfies a broader mandate for information protection and security.
PCI Compliance Combats Fraud and Im- According to recent FBI survey, financial fraud
proves Security is the second-largest category of hacking
events on the Internet today. Similarly, Gartner
In most cases, when a customer clicks the estimates that 20-30% of Global 1000 compa-
“buy” button on a web site, a number of things nies suffer losses due to mismanagement of
happen on the backend. An application server private and confidential information.
connects to a database, multiple records are
updated and sometimes a connection to a The costs to recover from these mistakes
separate payment application is initiated. could reach up to $5-20 million per company,
as it happened in a few recent cases affecting
All those activities generate log files in various both commercial and government entities.
places: on the servers, applications, data-
bases as well as on network and security in- PCI Requirements Center on Security and
frastructure components. Authorized Access
At the same time, the attackers know that Complying with PCI, merchants and service
there might be vulnerabilities in these proc- providers not only meet their obligations to the
esses and technologies that leave data unpro- payment system but create a culture of secu-
tected. Internal threats such as insider misuse rity that benefits everyone, including the top
are of even greater concern in this case, since executives.
there are no perimeter defenses stopping
such attackers. The security requirements of PCI extend to all
system components that are connected to the
cardholder data environment:
• Network components: firewalls, switches, routers, intrusion prevention and detection systems, proxies and content filters, wireless access points as well as other network and security appliances
• Servers: web, database, authentication, domain name service (DNS), mail, network time protocol (NTP), directory and others
• Applications: all purchased and custom apps, internally and externally facing web applications, Intranet applications, etc.

What is even more important is that companies must be able to verify and demonstrate their compliance status and to do so rapidly, whenever an audit takes place. Such proof of compliance is a fundamental and critical function that identifies and corrects potential pitfalls in the network, and ensures that appropriate levels of cardholder information security are maintained.

PCI requirements revolve around the following goals:

• Build and maintain a secure network
• Protect cardholder data in transit and at rest
• Maintain a vulnerability management program
• Implement strong access control measures and audit them on a regular basis
• Continuously monitor networks and systems
• Maintain an information security policy
• Maintain audit trails of all of the above activities

Log data plays a central role in meeting several of these goals. Specifically, without log data, companies cannot verify and audit access controls, other security safeguards and policies or even monitor their networks and systems as well as conduct incident response activities.

The PCI specification highlights the necessity of log data collection and management for meeting the key requirements. For example, Requirement 10 specifies that companies should “track and monitor all access to network resources and cardholder data.” The requirement specifies that companies “implement automated audit trails to reconstruct events for all system components.” These events include user access, actions taken, invalid logical access attempts, use of identification and authentication mechanisms, initialization of audit logs and creation or deletion of system-level objects. It also recommends recording audit trail entries for each event, including user ID, type of event, date and time, success or failure, origination of event, and the identity of the affected data or component.

The PCI standard goes on to say that companies should “review logs for all system components at least daily,” and the review should include servers that handle intrusion detection, authentication, authorization and accounting.

The interesting thing is that, in the mind of many retailers, “review logs daily” does not mean that a person would be poring through the logs every single day. An automated system can do this just as well, and in fact better. In case of such “automated review,” alerts would be generated in case traces of malicious, suspicious or fraudulent activity are seen in logs. At the same time, a human analyst might review reports and alerts that highlight such activity as needed.

In addition, PCI specifies that “an audit trail should be retained for a period consistent with its effective use, as well as legal regulations,” and that the “audit history usually covers a period of at least one year, with a minimum of 3 months available online.” Thus there are also log data retention (and the corresponding log data destruction requirements!) requirements.

One should note that log data is implicitly present in many other PCI requirements, not only the directly relevant Requirement 10. For instance, just about every claim that is made to satisfy the requirements, such as data encryption or anti-virus updates, requires log files to actually substantiate it. So, even the requirement to “use and regularly update anti-virus software” will likely generate requests for log data during the audit, since the information is present in anti-virus audit logs.

It is also well-known that failed anti-virus updates, also reflected in logs, expose the company to malware risks, since anti-virus without the latest signature updates only creates a false sense of security and undermines the compliance effort.
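The “automated review” the article describes, as an added example that is not part of the article or of any LMI product: a small daily review pass that raises alerts for the Requirement 10 event classes named above (repeated invalid logical access attempts, audit log initialization, deletion of a system-level object, a failed anti-virus update) and classifies a log’s age against the one-year / three-months-online retention rule quoted above. The log lines, their field layout (host, event, user=, result=) and the failure threshold are all constructed or assumed; the 90-day and 365-day tiers are an assumed mapping of “3 months online” and “at least one year”.

```python
"""Automated daily log review for PCI DSS Requirement 10 (illustrative).

Added example, not code from the article. The log lines below are
constructed; the field layout (timestamp host event key=value...) and the
alert threshold are assumptions, not a real product's format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample for one day; each line is:
#   <ISO timestamp> <host> <event> user=<id> result=<success|failure> [extra=...]
SAMPLE_LOG = """\
2006-03-01T02:14:05 db01 login user=appsvc result=success
2006-03-01T02:14:09 db01 login user=jdoe result=failure
2006-03-01T02:14:11 db01 login user=jdoe result=failure
2006-03-01T02:14:13 db01 login user=jdoe result=failure
2006-03-01T02:14:15 db01 login user=jdoe result=failure
2006-03-01T02:14:18 db01 login user=jdoe result=failure
2006-03-01T03:00:00 web01 audit_log_init user=root result=success
2006-03-01T03:05:42 web01 object_delete user=admin result=success object=/etc/audit/rules
2006-03-01T04:00:00 web01 av_update user=system result=failure reason=signature-download-timeout
"""

FAILED_LOGIN_THRESHOLD = 5   # assumed policy value


def parse_line(line):
    """Split one constructed log line into a dict; raises ValueError if malformed."""
    ts, host, event, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    fields.update(timestamp=datetime.fromisoformat(ts), host=host, event=event)
    return fields


def review(log_text):
    """Return a list of (severity, message) alerts for one day's log text."""
    alerts = []
    failures = defaultdict(int)          # (host, user) -> count of failed logins
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        key = (rec["host"], rec["user"])
        if rec["event"] == "login" and rec["result"] == "failure":
            failures[key] += 1
            if failures[key] == FAILED_LOGIN_THRESHOLD:   # alert once per host/user
                alerts.append(("high", f"{FAILED_LOGIN_THRESHOLD} invalid logical access "
                                       f"attempts for {key[1]} on {key[0]}"))
        elif rec["event"] == "audit_log_init":
            alerts.append(("medium", f"audit log (re)initialised on {rec['host']} by {rec['user']}"))
        elif rec["event"] == "object_delete":
            alerts.append(("medium", f"system-level object removed on {rec['host']}: "
                                     f"{rec.get('object', '?')}"))
        elif rec["event"] == "av_update" and rec["result"] == "failure":
            alerts.append(("high", f"anti-virus update failed on {rec['host']}: "
                                   f"{rec.get('reason', '')}"))
    return alerts


def retention_tier(age_days):
    """Map a log's age to the retention rule quoted in the article (assumed day counts)."""
    if age_days <= 90:
        return "online"            # "minimum of 3 months available online"
    if age_days <= 365:
        return "archive"           # "at least one year" of audit history
    return "past-retention"        # eligible for the corresponding destruction step


if __name__ == "__main__":
    for severity, message in review(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

The point of the structure is that every alert carries the fields Requirement 10 asks to be recorded (who, where, what, outcome), so the human analyst’s daily report can be produced from the alert list rather than from the raw volume.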
Similarly, the requirement to “establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations” is unthinkable to satisfy without effective collection and timely review of log data.

Thus, logs’ value to a PCI program goes well beyond Requirement 10. Only through careful log data collection and management can companies meet the broad requirements of PCI. Such detailed log data management requires embedded intelligence in the log management solution to make the data secure, accessible and easy to organize and to automate many of the required tasks, such as monitoring, analysis and retention.

LMI for PCI Compliance

A comprehensive LMI solution that can collect, aggregate and centrally store all data from these network entities is essential to meet the goals of the PCI standard. LMI enables satisfying the audit, monitoring, data protection, log data collection and retention, identity access and change management cited in PCI requirement documents.

Let’s look at some of the above requirements in more detail.

To provide the necessary data protection measures, companies should implement an LMI solution that enables administrators to set alerts on and report on all applications, devices, and systems.

This enables them to provide evidence that infrastructure has been configured properly and that misconfigured systems are not providing a backdoor for intruders – or a front door to insiders through which vital information can leak.

Alerts can provide administrators with early warning of misuse and attacks, allowing them to isolate and fix the problem before damage occurs or data is lost. They can also warn of various data access policies and processes not being followed.

Crucial to any implementation of LMI is securing the log data itself, both at rest and in transit. This not only serves to reduce the risk of this vital information leaking, but also prevents it from being altered or lost, thereby preserving its relevance, immutability and forensic quality.

Access and change management are critical to meeting PCI compliance as well as other regulations and IT governance frameworks, such as ITIL, COBIT or ISO. Strong access and change control measures ensure that only authorized users can access or take action on critical data.

The PCI standard mandates that companies maintain a complete record of access (both failed and successful), activity, and configuration changes for applications, servers and network devices. Such log data allows IT to set up alerts to unusual or suspicious network behavior and provide auditors with complete and accurate validation of security policy enforcement and segregation of duties.

LMI allows administrators to monitor who has permission to access or make changes to devices and applications in the network. It also enables administrators to create a complete audit trail across devices and protect network resources from unauthorized access or modifications.
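One way to make stored log data tamper-evident, as an added example that is not code from the article or from any LMI product: each record carries the SHA-256 digest of the record before it and an HMAC over its own digest, so editing, reordering or dropping a stored record breaks the chain at a position the verifier can name. The key, the events and the record layout are constructed for this example; the key is assumed to be held off the log host (on the collector or in an HSM), which is what stops someone with write access to the store from simply rebuilding the chain.

```python
"""Tamper-evident log store (illustrative).

Added example, not code from the article or any LMI product. Every record
stores the SHA-256 digest of the previous record, and an HMAC over the
record's digest under a key that is assumed to be kept off the log
server. Editing, reordering or dropping a stored record then breaks the
chain at a detectable position. The events below are constructed.
"""
import hashlib
import hmac

VERIFY_KEY = b"constructed-demo-key"             # assumed: held outside the log host
GENESIS = hashlib.sha256(b"genesis").hexdigest()  # fixed anchor for the first record

# Constructed sample events in arrival order.
CONSTRUCTED_EVENTS = [
    "2006-03-01T02:14:05 db01 login user=appsvc result=success",
    "2006-03-01T02:14:09 fw01 deny src=10.0.0.7 dst=10.0.1.20 port=1433",
    "2006-03-01T02:15:30 pos07 card_read terminal=7 result=success",
]


def record_digest(prev, message):
    """Digest binding a message to the digest of the record before it."""
    return hashlib.sha256(f"{prev}\n{message}".encode()).hexdigest()


def record_tag(digest, key):
    """Keyed tag over a record digest; only a holder of the key can produce it."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def append_record(chain, message, key=VERIFY_KEY):
    """Append one log message to the chain (a list of dicts) and return the chain."""
    prev = chain[-1]["digest"] if chain else GENESIS
    digest = record_digest(prev, message)
    chain.append({"message": message, "prev": prev, "digest": digest,
                  "tag": record_tag(digest, key)})
    return chain


def verify_chain(chain, key=VERIFY_KEY):
    """Return (True, None) if intact, else (False, index of the first bad record)."""
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != expected_prev:
            return False, i          # a record was removed or reordered
        digest = record_digest(rec["prev"], rec["message"])
        if digest != rec["digest"]:
            return False, i          # message edited after the fact
        if not hmac.compare_digest(record_tag(digest, key), rec["tag"]):
            return False, i          # digest rewritten by someone without the key
        expected_prev = digest
    return True, None


def build_sample_chain():
    """Chain the constructed events in order."""
    chain = []
    for event in CONSTRUCTED_EVENTS:
        append_record(chain, event)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    chain[1]["message"] = chain[1]["message"].replace("deny", "allow")
    print("after edit:", verify_chain(chain))
```

The verifier reports the index of the first bad record, which is the information an investigator needs: everything before that index is still usable as evidence, everything from it onwards is not.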
An effective LMI solution will support centralized, automated storage of collected data, which allows for faster, more reliable data retrieval during an audit or while investigating suspicious behavior.

Network and System Monitoring

PCI compliance necessitates ongoing monitoring of network activity to validate that processes and policies for security, change and access management, and user validation are in place and up to date.

Logging and monitoring allow for fast problem isolation and thorough analysis when something goes or is about to go wrong. With the automated monitoring capabilities delivered by an LMI solution, companies can better mitigate risk and reduce downtime, because they can address data critical for problem resolution and threat mitigation rapidly, before damage spreads. Ongoing and automated monitoring gives administrators greater insight into the payment network at all times so that unusual user activity, unauthorized access or even risky insider behavior can be identified—and stopped—immediately.

Components of an Effective LMI Solution

To use log data to unleash its full value for compliance, operational excellence and security, companies should implement a log management solution that provides the following critical capabilities:

• Collection and aggregation of 100% of all log data from enterprise data sources including firewalls, VPN concentrators, web proxies, IDS systems, email servers and all of the other systems and applications mentioned in the PCI standard.
• Creation of reports that organize the log data quickly and automatically, so that administrators can deliver detailed network activity information and proof of compliance to auditors.
• Setting of alerts based on changes to individual devices, groups of devices or the network, to minimize network downtime and loss of data due to malicious attacks, security breaches, insider misuse or performance issues.
• Fast data retrieval from securely stored, unaltered raw log files. Immutable logs are critical in litigation and attestation.
• Integration with existing network management and security solutions to reduce maintenance and administration and leverage existing architecture.
• The ability to contextualize log data (comparing application, network and database logs) when undertaking forensics and other operational tasks.

By now the reader should be convinced that it is impossible to comply with PCI requirements without log data management processes and technologies in place.

Complete log data is needed to prove that security, change management, access control and other required processes and policies are in use, up to date and are being adhered to. In addition, when managed well, log data can protect companies when legal issues arise; for example, when processes and procedures are in question or when a discovery process is initiated as a part of an ongoing investigation.

Not only does log data enable compliance, but it allows companies to prove that they are implementing and continuously monitoring the processes outlined by the requirements. In fact, that is the ONLY way to prove it!
Dr. Anton Chuvakin, GCIA, GCIH, GCFA (www.chuvakin.org) is a recognized security expert and book author. A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is the author of the book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and "Hacker's Challenge 3".

Anton has also published numerous papers on a broad range of security subjects, such as incident response, intrusion detection, honeypots and log analysis. In his spare time he maintains his security portal www.info-secure.org and several blogs.
Microsoft claims that the Windows Mobile operating system is secure enough
for the enterprise. That’s not quite true, since unlike Windows XP, handhelds
don’t have advanced security architecture. For example, Pocket PC has no
Kerberos authentication, Encrypting Filesystem, or a built-in firewall. In fact,
even the much-touted Mobile2Mobile “secure” signing process for .DLLs and
.exes can be bypassed with a simple buffer overflow, thus potentially allowing
malware to take over your device.
However, once you understand the limitations, you can then plan your Windows Mobile rollout more carefully. Fortunately, there is a great deal of 3rd party security software out there. Unfortunately, much of it is completely insecure. Sadly, Windows Mobile developers have not yet been held up to the same scrutiny as desktop software developers. For instance, you may think your ‘encrypted’ or ‘secure’ data is safe on a Pocket PC because the vendor stated as much, when in reality the data is insecure.

In this paper, we expose some weaknesses in 3rd-party security software for Pocket PC. Note that we are not assigning blame to any of the developers; in fact, some of them responded quickly and were eager to get feedback and to fix the bugs. On the other hand, some were angry, threatening, and even dismissive. For us, it doesn’t matter if software has bugs. All software has flaws; that’s why you should always use “layered” security. It is the responsiveness of a developer, and their willingness to fix the product, that helps us define a quality developer.

This is not an attempt to criticize any vendors. We selected the target applications at random using the search engines provided by reseller websites. We are also not disparaging the Windows Mobile platform. In fact, we love it and use it every day. We simply want to make it stronger, and more secure. And by raising user awareness, perhaps more people will pay more attention to how their data is stored. The principle of “security through obscurity” has long been discredited.
Background

According to the 2005 Pointsec Mobile Usage Survey, an estimated 22% of PDA owners have lost their devices. Combine this with the statistic that 81% of those lost devices had no protection (e.g. PIN or encryption), and the problem just got worse. Yet the same survey indicates that 37% of PDAs have sensitive information on them, such as passwords, bank account information, corporate data and more.

If you think PDA security isn’t a real subject, just consider the possibility that there is someone out there right now with your name, email, phone number, birth date and more stored on a digital device that was just left in a taxi cab – not a comforting thought.

Thankfully, a security conscious person can find, download, and install a plethora of software that will help them remain productive, yet keep their data secure inside an encrypted file in the event the device is lost or stolen. On the surface, these programs are an excellent idea.

Financial information, passwords, credit card numbers, and even project files can all be locked up and secured. In addition, passwords that are entered into the PDA for service oriented programs (e.g. remote access, email, chat, etc.) are protected from prying eyes using masking techniques so an attacker cannot learn that information. Unfortunately, as we discovered, more often than not the security mechanisms are nothing but an illusion at worst, or terribly flawed at best. The end result is that the user is placing their trust in a broken program that is insecure. This paper will address many of the issues we found and what you can look for when investigating the quality of your ‘secure’ program.

The Windows Mobile Obfuscation Shell

Before we examine the details of the flaws, it is important to understand the nature of the operating system. The reason for this is that it is our belief that the Windows Mobile platform creates an environment conducive to poorly designed security software.

In contrast, if there is a problem on the Windows XP (desktop) operating system, it is fairly easy for you to find out what is happening. For starters, a Ctrl-Alt-Del will allow you access to an informative Windows Task Manager that provides all sorts of information about the programs running on the computer. In addition, it is simple to find out what is configured to run at startup via the ‘msconfig’ command. Next, you can look inside the registry with ‘regedit’ or use the command line to quickly access and view files. And if this isn’t enough, there are many free tools available that can expose almost anything about the operating system to its owner. All in all, thanks to certain tools, Windows XP is a fairly open operating system.

Now, what kind of details can you find out on the Windows Mobile 5 platform? For starters, the Task List only mentions the names of the open applications that have graphical interfaces. All others are not listed! How can a user find out if there is a hidden program that is eating up memory? Is there a way to find out what executes when the device is rebooted? Not for the average user.

In fact, the only way a user can examine what is occurring behind the scenes is via the Visual Studio 2005 program that runs on a desktop system – and only if the PDA is synced up to that same system. There are some third party programs that give access to some of this data, but these are not free or as informative as Visual Studio.

The point is this – average Windows Mobile users are relatively blind about what their device is doing. As this paper will illustrate, there are numerous Windows Mobile vendors that store sensitive information in the registry with flawed encryption schemes, or even in plaintext! If the end user knew anyone could see this data, what would they say?
History has taught the security community that software vendors will not code secure software unless forced to do so by consumers. The Pocket PC software market is a prime example of this ‘law’, which is why Airscanner performed this research. No more excuses…

The rest of this paper will be examining many different programs and their flaws. As you will see, blindly trusting a software vendor to keep your data safe is very risky. We hope that our research will help convince you to thoroughly research a product before relying on it to keep you secure.

When you use a program that requires a password, you assume it will be kept secure. This assumption is dangerous, especially on a Windows Mobile device. Typically, third party passwords are not encrypted. If they are, then it is a fairly simple matter to crack many of the encryption methods, thus exposing the original value. In this section we will highlight how you can find these passwords, with numerous examples to prove the point.

There are several tools that will assist in your registry viewing. The first is the registry viewer included with Visual Studio. This program is not free, but you can obtain a 120 day trial version from Microsoft’s website. To augment this program, we also used an internal (Airscanner) tool that dumps the entire registry, and a free program called PHM Registry Editor (phm.lu/Products/PocketPC/RegEdit/).

The first group of examples stores the user account information in plaintext right under their registry key in the HKLM\Software or HKCU\Software branch. Figure 1 illustrates how a program called Verichat stores your user information.

If you note, both the username and password are very simple to read. The following is a list of programs that were examined and found to have similar issues. Some store the information in the registry, and others simply keep it hidden in a configuration file.
• Verichat – Chat program
    o HKCU\Software\PDAapps\VeriChat\client#
• IM+PPC – Chat program
    o \Program Files\IMPlus\implus.cfg
• Agile – Chat program
    o \HKCU\Software\AgileMessenger
• MSN Messenger Force
• Imov Messenger – Chat program (Enterprise version is encrypted)
• File Transfer Anywhere – File transfer program
    o \HKLM\Software\TTXN\File Transfer Anywhere
• NeoFTP – FTP client
    o \Program Files\neoFTP\FTP_Hosts.lst
• Thunderhawk – Web browser
    o thconfig.txt
• RemoteKeyboard – PC to PDA keyboard
    o \HKCU\Software\TransCreative\RemoteKeyboard\PassCode
The above list represents those products that do not protect the user information. The key thing to realize is if someone was able to gain access to a PDA for even a few seconds, the listed registry entries could be quickly viewed or copied out to an external memory card.

Password Exposure Bugs

To help protect against such easy attacks, some programs do encrypt the user information. Unfortunately, these protections are sometimes flawed, which results in exposed account information. This can occur either through a software bug, or by implementing a weak/flawed proprietary method of encryption. The following illustrates a few examples.

BullGuard Antivirus

BullGuard is an antivirus program that requires a valid account to update the virus database. Each time the update occurs, the AV software sends the email address and password used to register the software via an encrypted channel to their server. This protects that information during transmission. Unfortunately, a weak encryption scheme is used to protect that password when it is stored on the local device.

In addition to being able to decrypt existing passwords, we discovered that certain passwords are ‘shortened’ thanks to a flawed encryption algorithm. Figure 2 illustrates this bug. The highlighted data is where the encrypted password of ‘ssssssss’ should be posted. Note that there is nothing between the semicolon and the 0x0D and 0x0A. As you can see, the password is basically blank! Unfortunately, this represents just one of many such defunct passwords that could be selected.

Although not related to password storage, it is important to note BullGuard stores its virus pattern matching information in a plaintext file that lists the virus and its pattern. For example, the following is the entry for the WinCE Duts virus.

WinCE-Duts.A(frk)=04001be50fe0a0e128f01be508001be50fe0a0e128f01be53380bde854686973

The reason this is a bad idea is because a malicious program can simply patch the virus definition file with an incorrect value, thus ensuring it won’t be considered a virus. Secondly, BullGuard includes an auto delete function that could become an attack tool if a malicious program inserted a pattern that matched all executable and dll files on the PPC (i.e. ReallyBadVirus=4d5a9000).

Abidia and OAnywhere

The mobile device is an excellent tool for remotely monitoring services. In the case of Abidia and OAnywhere, this service is eBay.com and Overstock.com account monitoring.
Figure 2: Bullguard Registry Entry
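The two BullGuard definition-file problems above (a patched pattern and an inserted catch-all pattern such as ReallyBadVirus=4d5a9000) are both things an on-device scanner can refuse before loading. The following is an added example, not code from the article or from BullGuard: it keeps the ‘name=hexpattern’ line format quoted above, but the patterns, the signing key and the minimum pattern length are constructed or assumed. The key is assumed to live on the vendor’s update server, so the file carries an HMAC the device can verify but a program on the device cannot forge, and any pattern short enough or generic enough to match every PE file is rejected.

```python
"""Integrity and sanity checks for a plaintext virus-definition file (illustrative).

Added example, not code from the article or BullGuard. The 'name=hexpattern'
layout mirrors the entry quoted above; the patterns, signing key and minimum
pattern length are constructed or assumed.
"""
import hashlib
import hmac

SIGNING_KEY = b"constructed-vendor-key"   # assumed: held by the update server only
MIN_PATTERN_BYTES = 8                      # assumed policy for a usable signature
MZ_HEADER = bytes.fromhex("4d5a")          # 'MZ': the start of every PE executable and DLL

# Constructed definition file; the pattern bytes are arbitrary, not real signatures.
CONSTRUCTED_DEFINITIONS = (
    "WinCE-Example.A=0400e0e1f0ff2fe1010000e3020000e3030000e3\n"
    "WinCE-Example.B=ff5f2de9001f80e2041f80e2081f80e2\n"
)


def sign_definitions(text, key=SIGNING_KEY):
    """Authentication tag the update server attaches to the file it ships."""
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


def verify_tag(text, tag, key=SIGNING_KEY):
    """True only if the file is byte-for-byte what the server signed."""
    return hmac.compare_digest(sign_definitions(text, key), tag)


def parse_definitions(text):
    """Return {name: pattern_bytes}; raises ValueError on a malformed line."""
    defs = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        name, sep, hexpat = line.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected name=hexpattern")
        try:
            defs[name.strip()] = bytes.fromhex(hexpat.strip())
        except ValueError:
            raise ValueError(f"line {lineno}: pattern is not hex") from None
    return defs


def pattern_problems(defs):
    """Return [(name, reason)] for patterns too short or matching every PE file."""
    problems = []
    for name, pat in defs.items():
        if len(pat) < MIN_PATTERN_BYTES:
            problems.append((name, "pattern shorter than minimum"))
        if pat.startswith(MZ_HEADER):
            problems.append((name, "pattern begins with PE 'MZ' header"))
    return problems


def load_definitions(text, tag, key=SIGNING_KEY):
    """Verify, parse and vet a definition file; raise ValueError if anything is wrong."""
    if not verify_tag(text, tag, key):
        raise ValueError("definition file failed authentication (patched or corrupt)")
    defs = parse_definitions(text)
    problems = pattern_problems(defs)
    if problems:
        raise ValueError("rejected patterns: " + "; ".join(f"{n}: {r}" for n, r in problems))
    return defs


if __name__ == "__main__":
    tag = sign_definitions(CONSTRUCTED_DEFINITIONS)
    print(sorted(load_definitions(CONSTRUCTED_DEFINITIONS, tag)))
    print(pattern_problems(parse_definitions("ReallyBadVirus=4d5a9000\n")))
```

Checking the tag before parsing matters: a patched file never gets as far as the pattern table, and the auto-delete function never sees a pattern that was not in the signed update.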
Once the PDA software is installed and configured, the application will poll the online auction websites for updates on items selling, buying, etc. The dangers for this type of program are threefold. First, the user account information must be securely stored on the device. Second, if the program ever has to handle the sensitive data, then it must be able to ensure the confidentiality of that information during program execution. Third, the program must securely transmit the data to the service provider.

In the case of Abidia, the user information is stored in an XML file in the program directory. Fortunately, the eBay account data is encrypted (e.g. ebaypass="2F6DD0EEDA6168A7FE2A3AC47436A8720399FB4797DE422E"). After reviewing the encryption scheme, we determined that it appeared to be secure enough given the time involved to crack it. However, during this investigation, we discovered that the executable file itself could be used to decrypt the password. As previously mentioned, if a program stores a password it must maintain the confidentiality of the data at all times. In the case of Abidia, it was fairly simple to follow the execution path and hook into the program after it decrypted the password, which we then were able to display on the PDA’s screen.

Finally, we examined the data communication process to ensure the user account information was securely transmitted. We discovered that the program interacts with an API interface on Abidia’s servers, which serves as a proxy to eBay. The following is an actual capture of the plaintext HTTP POST request sent from our Windows Mobile device.
POST
/api/get.php?user=sethfogie&pass=mypassword&serial=&imei=22363230F8403111
1800%2D0050BFE45CE5&site=US&dbg=y&name=buy HTTP/1.1
Host: api.abidia.com
User-Agent: Abidia-Wireless/2.5.3 (PocketPC; 240x320; WindowsMobile/5.1.70)
Accept: text/html
Content-Language: en-US
Connection: Close
Content-Length: 93
Content-type: application/x-www-form-urlencode
In case you missed it, take a close look at the POST string. Abidia does not encrypt the user or password. Since this was all performed over a regular HTTP session, anyone in the data transmission path (including Abidia) can capture the account information.
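A proxy or network monitor can catch exactly this pattern before it leaves the corporate network. The following is an added example, not code from the article or from Abidia: it parses a raw HTTP/1.x request and reports credential-like fields that would travel in the clear, whether in the query string (as in the capture above), in a form-encoded body, or in a Basic authorization header. The request below is constructed in the same shape as the capture but with placeholder values and an invalid hostname; the list of parameter names treated as credentials is an assumption.

```python
"""Flag credentials that a client sends over unencrypted HTTP (illustrative).

Added example, not code from the article or Abidia. The request below is
constructed in the same shape as the capture above, with placeholder
values; CREDENTIAL_PARAMS is an assumed list of field names to watch.
"""
from urllib.parse import parse_qsl, urlsplit

CREDENTIAL_PARAMS = {"user", "username", "login", "pass", "password", "passwd", "pwd"}

# Constructed request: same shape as the article's capture, placeholder values.
CONSTRUCTED_REQUEST = (
    "POST /api/get.php?user=EXAMPLE_USER&pass=EXAMPLE_PASS&serial=&site=US&name=buy HTTP/1.1\r\n"
    "Host: api.example.invalid\r\n"
    "User-Agent: Constructed-Client/1.0 (PocketPC)\r\n"
    "Content-Length: 0\r\n"
    "Content-type: application/x-www-form-urlencoded\r\n"
    "\r\n"
)


def split_request(raw):
    """Return (method, target, headers, body) from a raw HTTP/1.x request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return method, target, headers, body


def find_exposed_credentials(raw, transport_encrypted=False):
    """Return [(location, field)] for credential-like fields sent in the clear.

    location is 'query', 'body' or 'header'. When the connection is TLS-protected
    (transport_encrypted=True) nothing is reported: the path is not the problem then.
    """
    if transport_encrypted:
        return []
    _method, target, headers, body = split_request(raw)
    found = []
    # 1. credentials in the URL: also end up in proxy and server access logs
    for name, _value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() in CREDENTIAL_PARAMS:
            found.append(("query", name))
    # 2. credentials in a form-encoded body
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, _value in parse_qsl(body, keep_blank_values=True):
            if name.lower() in CREDENTIAL_PARAMS:
                found.append(("body", name))
    # 3. HTTP Basic: base64 is encoding, not encryption
    if headers.get("authorization", "").lower().startswith("basic "):
        found.append(("header", "authorization"))
    return found


if __name__ == "__main__":
    print(find_exposed_credentials(CONSTRUCTED_REQUEST))
    print(find_exposed_credentials(CONSTRUCTED_REQUEST, transport_encrypted=True))
```

The query-string case is the worst of the three even over TLS, because the full URL is normally written to access logs on every proxy and on the server, which is why the check reports it separately from body fields.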
It is dangerous enough to trust a third party company with user account information, but the fact the username and password are sent as plaintext is very insecure; particularly if you are using a wireless connection and/or a public hotspot.

Windows Mobile WEP Key

The Odyssey client included with the original (WM2003) Dell X50v stores the WEP keys as encrypted strings in the registry. When the network connection is made to the secure network, the driver pulls these values from the registry, decrypts them, and then incorporates the key into the communication process. However, during this process, the driver writes the decrypted value back into the registry. The problem is not Odyssey’s, as that program does encrypt the key, but is instead a flaw in how all three (Windows Mobile, Dell wireless driver, Odyssey) work together.

The following illustrates: Bytes 5 - 9 list my entered WEP keys for each entry.

KEY1=aabbccddee

"HTCWEPDefaultKey1"=hex:
01,00,00,00,aa,bb,cc,dd,ee,8c,f6,36,1d,af,90,17,5b,00,f6,36,1d,af,00,00,00...

After we notified the vendors, this problem has been fixed in current versions of Windows Mobile and there is a ROM update that will correct the problem for the Dell Axim X50v.

According to the website, “PocketMoney is the most robust financial management tool for the Pocket PC.” With it, you can “Store the institution, phone, account number, expiration date, limit, fee for each account. Now you can even password protect your PocketMoney data from prying eyes!”

To keep the information safe, PocketMoney requires a user to enter a password before opening its data file. An ‘encrypted’ version of the password is stored in the registry at the HKLM\SOFTWARE\Handmark\PocketMoney\Password key. Unfortunately, the password is protected via a ROT-N function using the following seed value:

0x21 0x70 0x6d 0x6f 0x6e 0x65 0x79 0x21
NAK p m o n e y NAK.

In other words, the protection of the password (and the financial data) is tied directly to the word ‘pmoney’ (sound familiar?). Despite the key selection, a ROT-N scheme is always a bad idea because it is trivial to do a pattern analysis on the encrypted data and deduce the key.

In this section we looked at several examples of how not to protect user account information. Unfortunately, this problem is widespread throughout Windows Mobile programs. Be sure you understand the dangers associated with trusting a program to keep your user account information secure, and always use unique passwords.

Data Protection Programs

This next section takes a look at programs that implement password protection schemes that are meant to keep data secure. Unlike the previous section that focused only on user account information, this section targets programs that were designed to store sensitive data such as banking transactions, stock information, credit card numbers, and lists of passwords. In this case, an attacker would have access to a much larger chunk of sensitive data that the user is assuming is secure.

This section addresses a common problem that exists in numerous ‘secure’ programs. Although some programs obscure the issue, all of the following titles can have their security mechanisms bypassed by a small change in the registry. Note how some companies try to hide this fact by placing the registry key in unusual locations, or by burying the flag inside a large registry string.

It should also be mentioned that a malicious user can often just copy the ‘protected’ data file off the target device and onto a device that has no protection enabled. Since the data itself is not truly protected, an alternate device will be able to open it without the need of a password.
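Both findings in the section above (the WEP key written back in the clear into HTCWEPDefaultKey1, and a password ‘protected’ by a fixed-shift scheme) are things a device owner can test for against their own registry dump, given the secrets they entered themselves. The following is an added example, not code from the article or from Airscanner: it decodes the "hex:" value syntax shown above, and for each known secret reports whether a value stores it verbatim, contains it inside a binary blob, or is a constant per-byte shift of it. The constant-shift model is one reading of ROT-N and an assumption, since the article does not give the exact transform; the registry entries and secrets below are constructed except for the HTCWEPDefaultKey1 value, which is the one quoted above.

```python
"""Audit registry values for weakly protected secrets (illustrative).

Added example, not code from the article or Airscanner. It decodes the
'hex:' value syntax quoted above and reports three conditions for each
known secret: stored verbatim, present inside a binary value, or stored
as a constant per-byte shift (an assumed ROT-N model). All entries are
constructed except the HTCWEPDefaultKey1 value quoted in the article.
"""


def parse_value(value):
    """Registry value text -> bytes.

    'hex:aa,bb,...' is decoded; a trailing '...' from a truncated dump is
    dropped; any other value is treated as a plain string.
    """
    if value.startswith("hex:"):
        body = value[4:].rstrip(".").replace("\n", "").replace(" ", "")
        return bytes(int(octet, 16) for octet in body.split(",") if octet)
    return value.encode("latin-1")


def shift_distance(stored, plain):
    """Return N if stored[i] == (plain[i] + N) mod 256 for every i, else None."""
    if not plain or len(stored) != len(plain):
        return None
    n = (stored[0] - plain[0]) % 256
    if all((p + n) % 256 == s for p, s in zip(plain, stored)):
        return n
    return None


def audit(entries, known_secrets):
    """entries: {value_name: value_text}; known_secrets: {label: bytes}.

    Returns [(value_name, finding)], one finding per (value, secret) hit.
    """
    findings = []
    for name, value in entries.items():
        data = parse_value(value)
        for label, secret in known_secrets.items():
            if data == secret:
                findings.append((name, f"{label} stored in plaintext"))
            elif secret in data:
                findings.append((name, f"{label} present in plaintext inside binary value"))
            else:
                n = shift_distance(data, secret)
                if n is not None:
                    findings.append((name, f"{label} obfuscated with constant shift +{n} (recoverable)"))
    return findings


# Constructed entries (the WEP value is the one the article quotes).
CONSTRUCTED_ENTRIES = {
    r"HKCU\Software\ExampleChat\password": "s3cret!",      # constructed: verbatim
    r"HKLM\Software\ExampleFinance\Password": "v6fuhw$",   # constructed: 's3cret!' shifted +3
    "HTCWEPDefaultKey1": "hex:01,00,00,00,aa,bb,cc,dd,ee,8c,f6,36,1d,af,90,"
                         "17,5b,00,f6,36,1d,af,00,00,00...",
}

# The secrets the device owner entered and therefore knows.
KNOWN_SECRETS = {
    "chat password": b"s3cret!",
    "WEP key 1": bytes.fromhex("aabbccddee"),
}


if __name__ == "__main__":
    for value_name, finding in audit(CONSTRUCTED_ENTRIES, KNOWN_SECRETS):
        print(f"{value_name}: {finding}")
```

A value that passes all three checks is not thereby proven safe (the Abidia case above shows a stored value can be strong and still be recovered at runtime), but a value that fails any of them is proof enough for the purposes this section describes.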
PocketKeeper

PocketKeeper is a program to manage daily out-of-pocket expenses with multiple accounts, different currencies, intuitive register, customizable categories, budget, multiple report charts, and password protection. It has two levels of security – a global level that restricts access to the program, and an account level that secures each account.

PocketExpense Pro creates a .vol file that contains all its financial information. Included in the file are the settings associated with the password option. In this program, all the preferences are stored in a large hex string in the registry. However, it is possible to disable the password by changing the hex at 0x7D94 from 0xF4 to 0xD4.

Inspiration

Inspiration is a project management program that uses ‘built-in security features’ to “…keep files from accidentally being modified when handhelds are shared between multiple users.” Therefore, it is fair to say that the password was never meant to offer any true security.

However, if an attacker wanted to remove the password requirement, they would only have to overwrite the encrypted password value that is stored in the project header. Specifically, bytes 0x95 – 0xA3 need to be set to 0x20 0x00 0x20 0x00 etc.

Microsoft Money for Windows Mobile 2006

MS Money for Windows Mobile 2006 is a financial tracking program that can be used independently or with the MS Money application that runs on many desktops.

The program can be configured to require a password when it is launched. However, this password does not encrypt the data, which is stored as plaintext in data stores in the Databases folder.

The password is stored in the registry at HKLM\SOFTWARE\Microsoft\Money2000 CE\Options\Display in an encrypted format. However, the encryption scheme used to protect the password from viewers is a weak proprietary algorithm and can be cracked using the following equation:

password protection if they want their palm (sic) secure.” We, the users, beg to differ!

WebIS Money

WebIS Money states it includes “…secure password protection to your data to safeguard it in case your PDA is lost or stolen.” Unfortunately, this protection can be disabled by removing the following key from the registry.

As illustrated, the previous financial programs do not protect your data. Although most vendors use security as a selling point, in reality a simple registry tweak will allow anyone access to this sensitive data. Even the vendors admit their software is insecure and recommend alternative steps to secure the data.

Password\Credit Card\PIM Management Programs

The following programs are used to store sensitive information, such as password lists, web site login information, credit card numbers and more. Due to the nature of the data, these programs need to be secure. If an attacker can access the ‘protected’ information, they will have gained access to a wealth of information.

Password Master 1.0 – Free version

Password Master 1.0 allows you to “Keep all your passwords, Credit Card Numbers and other details in a single place. Carry your money or details virtually everywhere.” According to their website, “Since all the details you enter are sensitive data, the Password Manager helps you to create a Secure Login to the records. You can create a Master Password, which will work as your Master key for all the virtual locks you know.”

Unfortunately, if someone deletes the following key from the registry, the master key will be reset, thus allowing full access to the data.

\HKEY_CURRENT_USER\Software\Data\Password Master\Pref\dt

This version of the program is free. The vendor’s website provides this tool, but also advertises their Password Master 3.5 version that requires a payment. We look at this version later in this section.
Passman 1.2

Passman 1.2 is a password management program that can create and store a list of passwords. It includes an option for a startup password and also provides for ‘512bit encryption’ of the data. Both protection measures can be cracked.

To bypass the startup password, a malicious user only has to set the startpasswdenabled registry key to ‘0’.

\HKEY_CURRENT_USER\Software\passman\preferences\startpasswdenabled

However, if the database is encrypted, the actual data will still be secure. Unfortunately, the password used to encrypt the database is itself not properly protected. The following equation will decrypt the password stored in the registry, thus giving an attacker full access to the database.

Therefore, using the same technique outlined previously, an attacker only has to obtain the secure file and overwrite a few bytes of hex in the header to gain access to that file, and the ‘secured’ contents within. In this case, the hex range is from 0x2A - 0x5B.

In addition to the overwrite vulnerability, this program also was found to have a bug in the ‘hint’ feature that enables a user to obtain their password if they forget it based on a question/answer. However, if the user never configures the hint option, the program will give up the password regardless of a correct hint/answer combination. While this is a security risk, it is based on a software bug – not a broken security model.

It is important to note that Password Master 3.5 also includes a desktop companion that operates in the exact same way as its mobile counterpart. This desktop based program also suffers from the header overwrite bug.
Miscellaneous Information Disclosure Bugs

Not all Windows Mobile related security problems are related to failed protection schemes. This section will outline several other programs and bugs that were found during the research project.

Remote Keyboard

From the vendor’s website, “Remote Keyboard is a program that connects PC keyboard and mouse to your Pocket PC over ActiveSync connection or TCP/IP network.” This is a handy program for power users who need to enter a lot of text into the PDA.

Once installed, the client on the PC sends out UDP packets containing an IP address to port 23 that are detected by a listener on the PDA. Upon detection, the PDA will connect back to port 8123 on the specified IP address. At this point the PC will query for the correct password, which is provided by the PDA application. Finally, the connection is made and the user can control the PDA remotely from the PC client.

We discovered a few problems with this program that can expose the password used to authenticate the connection as well as capture the clipboard contents of the PC. The first issue was discovered when we created a custom UDP packet that contained our “server’s” IP address and passed it onto the network. The Remote Keyboard listener on the PDA detected this packet, and immediately tried to connect to our computer on port 8123. Upon seeing this, we then created a small and simple ‘server’ that emulated the login process. As guessed, once the PDA had connected to the ‘server’ and negotiated the connection, it sent the ‘server’ the authentication password.

Using this captured password, we then telneted to the PC service running on port 8123 and discovered that the program dumped the entire contents of the clipboard onto the wire after a successful login. The following provides a screenshot of this bug.

ActiveSync 3.8

ActiveSync is ‘the’ program used to sync a Windows Mobile device to a PC. It is the most-downloaded Windows Mobile software application of all time. Contained in this program are functions used to upload software, sync up emails, and much more. Version 4.0 and above have restricted any form of network based synchronization; however, as many users rely on this feature for their day to day synchronization needs, Microsoft still provides AS 3.8 as a download.

As we discovered in mid-2005, the AS 3.8 service on the PC opens up port 990 on any existing interface (i.e. wired, wireless, PPP, etc.). This port allows access to the ActiveSync service, which can be abused to spawn a password box on the PC user’s screen (figure 5). If a user enters a value in this dialog box, the characters of the password are returned to the attacker, who can then use this data to gain access to the protected PDA or create a connection between an attacker’s PDA and the target PC.
Seth Fogie is a former United States Navy Nuclear Engineer and one of the most widely read technical information security authors in the world. At the present time he is a member of the Airscanner Mobile Security Team. They focus on exploring security threats and on reverse engineering malware for embedded and handheld wireless platforms.
Virus attacks have firmly established themselves as the leading IT security threat. Not only do they result in financial losses, but they also serve as a vehicle for many other security threats, such as the theft of confidential information and unauthorized access to sensitive data. The antivirus industry has responded by coming up with a number of new approaches to protecting IT infrastructures - to name a few, these include proactive technologies, emergency updates during outbreaks, significantly more frequent antivirus database updates, etc. This article will provide more information on the newest technologies used by antivirus companies and help users to judge the effectiveness of these technologies more objectively. In this article, we will focus on proactive technologies.
Virus attacks cause enormous damage and, equally important, the number of types of malicious code is growing at an increasing rate. In 2005, growth in the number of malicious programs exploded: according to Kaspersky Lab, the average number of viruses detected monthly reached 6,368 by the end of the year. Overall growth for the year reached 117% compared with 93% for the previous year.

Likewise, the nature of the threat itself has changed. Malicious programs are not only much more numerous, but also significantly more dangerous than ever before. The antivirus industry has responded to the challenge with a number of new approaches to antivirus protection, including proactive technologies, shorter response times to new threats that can cause outbreaks, as well as more frequent antivirus database updates. This article provides a detailed analysis of the proactive protection, often promoted by vendors as a panacea for all existing and even all possible viruses.

An Introduction to Proactive Technologies

Contemporary antivirus products use two main approaches to detect malicious code - signature-based and proactive/heuristic analysis. The first method is sufficiently simple: objects on the user’s computer are compared to templates (e.g., signatures) of known viruses. This technology involves continually tracking new malicious programs, and creating their descriptions, which are then included in the signature database. Therefore, an antivirus company should have an effective service for tracking and analyzing malicious code (that is, an antivirus lab). The main criteria used to evaluate how effectively the signature-based approach is implemented include new threat response times, frequency of updates and detection rates.

The signature-based method has a number of obvious shortcomings. The primary disadvantage is the delayed response time to new threats. There is always a time lag between the appearance of a virus and the release of its signature. Contemporary viruses are capable of infecting millions of computers in a very short time.

Thus, proactive/heuristic methods of virus detection are becoming increasingly popular. The proactive approach does not involve releasing signatures. Instead, the antivirus program analyzes the code of objects scanned and/or the behavior of the applications launched and decides whether the software is malicious based on a predefined set of rules.

In principle, this technology can be used to detect malicious programs that are as yet unknown, which is why many antivirus software developers were quick to advertise proactive methods as a panacea for the rising wave of new malware. However, this is not the case. To judge the effectiveness of the proactive approach and whether it can be used independently from signature-based methods, one must understand the principles upon which proactive technologies are based.

There are several approaches which provide proactive protection. We will look at the two which are the most popular: heuristic analyzers and behavior blockers.

Heuristic Analysis

A heuristic analyzer (or simply, a heuristic) is a program that analyzes the code of an object and uses indirect methods of determining whether it is malicious. Unlike the signature-based method, a heuristic can detect both known and unknown viruses (i.e., those created later than the heuristic).

An analyzer usually begins by scanning the code for suspicious attributes (commands) characteristic of malicious programs. This method is called static analysis. For example, many malicious programs search for executable programs, open the files found and modify them. A heuristic examines an application’s code and increases its “suspiciousness counter” for that application if it encounters a suspicious command. If the value of the counter after examining the entire code of the application exceeds a predefined threshold, the object is considered suspicious.

The advantages of this method include ease of implementation and high performance. However, the detection rate for new malicious code is low, while the false positive rate is high.

Thus, in today’s antivirus programs, static analysis is used in combination with dynamic analysis. The idea behind this combined approach is to emulate the execution of an application in a secure virtual environment (which is also called an emulation buffer or “sandbox”) before it actually runs on a user’s computer. In their marketing materials, vendors also use another term - “virtual PC emulation”.

A dynamic heuristic analyzer copies part of an application’s code into the emulation buffer of the antivirus program and uses special “tricks” to emulate its execution. If any suspicious actions are detected during this “quasi-execution”, the object is considered malicious and its execution on the computer is blocked.

The dynamic method requires significantly more system resources than the static method, because analysis based on this method involves using a protected virtual environment, with execution of applications on the computer delayed according to the amount of time required to complete the analysis. At the same time, the dynamic method offers much higher malware detection rates than the static method, with much lower false positive rates.

The first heuristic analyzers became available in antivirus products sufficiently long ago, and all antivirus solutions now take advantage of more or less advanced heuristics.
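The static "suspiciousness counter" described above, as an added example that is not code from the article or from any antivirus product: an object's code is modelled as a stream of abstract commands, each suspicious command adds a weight, and the object is flagged when the counter exceeds a threshold. A small evaluation over labelled samples shows why the method gives both misses and false positives. Command names, weights, the threshold and the sample programs are all constructed for illustration.

```python
"""Static heuristic analyzer with a "suspiciousness counter".

Added illustration of the static method in the article, not code from it
or from any antivirus product. Nothing is executed: the analyzer only
walks the command stream once and sums the weights of suspicious commands.
"""
from dataclasses import dataclass, field

# Constructed weights for commands treated as suspicious. The first three
# model the article's example: search for executables, open them, modify them.
SUSPICIOUS_COMMANDS = {
    "find_executables": 3,
    "open_file_rw": 1,
    "write_code_section": 4,
    "hook_keyboard": 3,
    "disable_antivirus": 5,
}
DEFAULT_THRESHOLD = 6


@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)
    threshold: int = DEFAULT_THRESHOLD

    @property
    def suspicious(self) -> bool:
        # The article's rule: the counter must exceed the threshold.
        return self.score > self.threshold


def analyze(code, threshold=DEFAULT_THRESHOLD) -> Verdict:
    """Single pass over the command stream, adding a weight per suspicious hit."""
    verdict = Verdict(score=0, threshold=threshold)
    for command in code:
        weight = SUSPICIOUS_COMMANDS.get(command, 0)
        if weight:
            verdict.score += weight
            verdict.hits.append(command)
    return verdict


# Constructed sample objects (command streams) with ground-truth labels.
FILE_INFECTOR = ["find_executables", "open_file_rw", "write_code_section", "close_file"]
UPDATE_TOOL = ["prompt_user", "open_file_rw", "write_code_section", "find_executables"]
TEXT_EDITOR = ["open_file_rw", "read_text", "write_text", "close_file"]
NOVEL_MALWARE = ["map_memory", "patch_in_memory", "spawn_thread"]

SAMPLES = [
    (FILE_INFECTOR, True),   # classic infector: detected
    (UPDATE_TOOL, False),    # legitimate patcher doing the same operations: false positive
    (TEXT_EDITOR, False),    # benign: stays below the threshold
    (NOVEL_MALWARE, True),   # technique unknown to the rules: missed, as with a zero-day
]


def evaluate(samples, threshold=DEFAULT_THRESHOLD):
    """Return (detection_rate, false_positive_rate) for a given threshold."""
    malicious = [code for code, bad in samples if bad]
    benign = [code for code, bad in samples if not bad]
    detected = sum(analyze(c, threshold).suspicious for c in malicious)
    false_alarms = sum(analyze(c, threshold).suspicious for c in benign)
    return detected / len(malicious), false_alarms / len(benign)


if __name__ == "__main__":
    for code, is_bad in SAMPLES:
        v = analyze(code)
        print(f"{'malicious' if is_bad else 'benign':9} score={v.score:2} "
              f"flagged={v.suspicious} hits={v.hits}")
    # Raising the threshold removes the false positive only by losing the detection too.
    for t in (0, 6, 8):
        det, fp = evaluate(SAMPLES, t)
        print(f"threshold {t}: detection={det:.2f} false positives={fp:.2f}")
```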
Behavior Blockers

A behavior blocker is a program that analyzes the behavior of applications executed and blocks any dangerous activity. Unlike heuristic analyzers, where suspicious actions are tracked in emulation mode (dynamic heuristics), behavior blockers work in real-life conditions.

First-generation behavior blockers were not very sophisticated. Whenever a potentially dangerous action was detected, the user was prompted to allow or block the action. Although this approach worked in many situations, “suspicious” actions were sometimes performed by legitimate programs (including the operating system) and users who didn’t necessarily understand the process were often unable to understand the system’s prompts.

New-generation behavior blockers analyze sequences of operations rather than individual actions. This means that determining whether the behavior of applications is dangerous relies on more sophisticated analysis. This helps to significantly reduce the number of situations in which the user is prompted by the system and increases the reliability of malware detection.

Today’s behavior blockers are able to monitor a wide range of events in the system. Their primary purpose is to control dangerous activity – that is, analyze the behavior of all processes running in the system and save information about all changes made to the file system and the registry. If an application performs dangerous actions, the user is alerted that the process is dangerous. The blocker can also intercept any attempts to inject code into other processes. Moreover, blockers can detect rootkits - i.e., programs that conceal the access of malicious code to files, folders and registry keys, as well as make programs, system services, drivers and network connections invisible to the user.

Another feature of behavior blockers that is particularly worth mentioning is their ability to control the integrity of applications and the Microsoft Windows system registry. In the latter case, a blocker monitors changes made to registry keys and can be used to define access rules to them for different applications. This makes it possible to roll back changes after detecting dangerous activity in the system in order to recover the system and return it to its state before infection, even after unknown programs have performed malicious activity.

Unlike heuristics, which are used in nearly all contemporary antivirus programs, behavior blockers are much less common. One example of an effective new-generation behavior blocker is the Proactive Defence Module included in Kaspersky Lab products.

The module includes all of the features mentioned above and also, importantly, a convenient system that informs the user of the dangers associated with any suspicious actions detected. Any behavior blocker requires input from the user at some point; so the user must be sufficiently competent. In practice, users often do not have the knowledge required, and information support (in effect, decision-making support) is an essential part of any contemporary antivirus solution.

To summarize, a behavior blocker can prevent both known and unknown (i.e., written after the blocker was developed) viruses from spreading, which is an undisputed advantage of this approach to protection.

On the other hand, even the latest generation of behavior blockers has an important shortcoming: actions of some legitimate programs can be identified as suspicious. Furthermore, user input is required for a final verdict regarding whether an application is malicious, which means that the user needs to be sufficiently knowledgeable.
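The new-generation blocker, the registry change journal and the rollback described in this section, as an added example that is not code from the article or from any vendor product: rules are ordered sequences of operations matched per process, registry writes are journaled so they can be undone once a rule fires, and a counter shows how often a first-generation single-action blocker would have prompted on the same stream. Operation names, rules, the registry model and the event stream are constructed.

```python
"""Behavior blocker sketch: operation sequences, journaling and rollback.

Added illustration of the behavior-blocker features the article describes,
not code from it or from any vendor product. Events are dicts with a pid
and an operation name; registry writes also carry key and value.
"""
from collections import defaultdict

# Actions a first-generation blocker would prompt on one at a time (constructed).
DANGEROUS_OPS = {"open_executable", "write_executable", "write_registry_run", "inject_code"}

# New-generation rules: an ordered sequence that must occur within one process.
# Other operations may be interleaved between the steps.
RULES = {
    "file-infector": ("enum_executables", "open_executable", "write_executable"),
    "persist-and-inject": ("write_registry_run", "inject_code"),
}


def is_subsequence(pattern, ops):
    """True if every step of pattern appears in ops in order (gaps allowed)."""
    idx = 0
    for op in ops:
        if idx < len(pattern) and op == pattern[idx]:
            idx += 1
    return idx == len(pattern)


class BehaviorBlocker:
    def __init__(self, registry):
        self.registry = registry           # live registry model: key -> value
        self.history = defaultdict(list)   # pid -> operations observed so far
        self.journal = []                  # (pid, key, previous value or None)
        self.alerts = []                   # (pid, rule name), once per pair
        self.first_gen_prompts = 0         # how often a single-action blocker would ask

    def observe(self, event):
        """Record one event; return the names of rules that fired on it."""
        pid, op = event["pid"], event["op"]
        if op in DANGEROUS_OPS:
            self.first_gen_prompts += 1
        if op.startswith("write_registry"):
            # Let the write through, but journal the old value so it can be undone.
            key = event["key"]
            self.journal.append((pid, key, self.registry.get(key)))
            self.registry[key] = event["value"]
        self.history[pid].append(op)
        fired = []
        for name, pattern in RULES.items():
            if (pid, name) not in self.alerts and is_subsequence(pattern, self.history[pid]):
                self.alerts.append((pid, name))
                fired.append(name)
        return fired

    def rollback(self, pid):
        """Undo, newest first, every registry change journaled for pid."""
        restored = []
        for jpid, key, previous in reversed(self.journal):
            if jpid != pid:
                continue
            if previous is None:
                self.registry.pop(key, None)
            else:
                self.registry[key] = previous
            restored.append(key)
        self.journal = [entry for entry in self.journal if entry[0] != pid]
        return restored


# Constructed event stream: pid 101 is a backup tool reading executables,
# pid 202 behaves like a file infector that also installs a Run value.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"  # constructed value name
SAMPLE_EVENTS = [
    {"pid": 101, "op": "enum_executables"},
    {"pid": 101, "op": "open_executable"},
    {"pid": 101, "op": "read_executable"},
    {"pid": 202, "op": "enum_executables"},
    {"pid": 202, "op": "write_registry_run", "key": RUN_KEY, "value": r"C:\placeholder\dropper.exe"},
    {"pid": 202, "op": "open_executable"},
    {"pid": 202, "op": "write_executable"},
    {"pid": 202, "op": "inject_code"},
]


def simulate(events=SAMPLE_EVENTS, registry=None):
    """Feed events to a blocker; roll back a process's registry changes when a rule fires."""
    blocker = BehaviorBlocker({} if registry is None else registry)
    for event in events:
        if blocker.observe(event):
            blocker.rollback(event["pid"])
    return blocker


if __name__ == "__main__":
    b = simulate()
    print("new-generation alerts:", b.alerts)
    print("prompts a first-generation blocker would have shown:", b.first_gen_prompts)
    print("registry after rollback:", b.registry)
```

The backup tool never triggers a rule because it only reads the executables it enumerates, while the single-action counter would have prompted on it as well as four more times for the infector.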
Proactive Protection & Software Flaws

Some antivirus vendors include statements in their advertising and marketing materials that proactive/heuristic protection is a panacea for new threats, which does not require updating and therefore is always ready to block attacks, even for those viruses that do not as yet exist. Moreover, brochures and datasheets often apply this not only to threats that use known vulnerabilities, but to so-called “zero-day” exploits as well. In other words, according to these vendors, their proactive technologies are capable of blocking even malicious code which uses unknown flaws in applications (those for which patches are not yet available).

Unfortunately, either the authors of these materials are insincere or they don’t quite understand the technology well enough. Specifically, combating malicious code is described as a fight between virus writers and automatic methods (proactive/heuristic). In reality, the fight is between people - virus writers versus antivirus experts.

The proactive protection methods described above (heuristics and behavior blockers) are based on “knowledge” about suspicious actions characteristic of malicious programs. However, this “knowledge” (i.e., a set of behavior-related rules) is input into the program by antivirus experts and is obtained by analyzing the behavior of known viruses. Thus, proactive technologies are powerless against malicious code that uses completely new methods for penetrating and infecting computer systems, which appeared after the rules were developed – this is what zero-day threats are all about. Additionally, virus writers work hard to find new ways of evading behavior rules used by existing antivirus systems, which in turn significantly reduces the effectiveness of proactive methods.

Antivirus developers have no choice but to update their set of behavior rules and upgrade their heuristics in response to the emergence of new threats. These types of updates are certainly less frequent than in the case of virus signatures (code templates), but still need to be performed regularly. As the number of new threats increases, the frequency of such updates will inevitably rise as well. As a result, proactive protection will evolve into a variant of the signature method, albeit based on “behavior” rather than code patterns.

By concealing the need to update proactive protection from users, some antivirus vendors in effect deceive both their corporate and personal clients and the press. As a result, the public has a somewhat erroneous idea of the capabilities of proactive protection.

Proactive vs. Signature-Based Methods

Despite their shortcomings, proactive methods do detect some threats before the relevant signatures are released. An example of this can be seen in the response of antivirus solutions to a worm called Email-Worm.Win32.Nyxem.e (Nyxem).

The Nyxem worm (also known as Blackmal, BlackWorm, MyWife, Kama Sutra, Grew and CME-24) can penetrate a computer when a user opens an email attachment containing links to pornographic and erotic sites or a file on open network resources. It takes the virus very little time to delete information on the hard drive. Up to 11 different file formats are affected (including Microsoft Word, Excel, PowerPoint, Access, Adobe Acrobat). The virus overwrites all useful information with a meaningless set of characters. Another distinctive characteristic of Nyxem is that it only becomes active on the third of each month.

A research group from Magdeburg University (AV-Test.org) carried out an independent study to assess the time it took different developers to respond once Nyxem emerged. It turned out that several antivirus products were able to detect the worm using proactive technologies, i.e. before the signatures were released:
Proactive detection of Nyxem by behavior blockers

Product      Detection name
Fortinet     Suspicious
McAfee       W32/Generic.worm!p2p
Overall, eight antivirus products detected Nyxem using proactive methods. Does this, however, mean that proactive technologies can replace the “classical” signature-based approach? Certainly not. To be valid, analysis of the effectiveness of proactive protection should be based on tests involving large virus collections, not individual viruses, however notorious.

One of the few widely acknowledged independent researchers who analyze proactive methods used by antivirus products on large virus collections is Andreas Clementi (www.av-comparatives.org). To find out which antivirus programs are capable of detecting threats that do not as yet exist, solutions can be tested on viruses that appeared recently, e.g., within the past three months. Naturally, antivirus programs are run with signature databases released three months ago, so that they are confronted with threats that were then “unknown” to them. Andreas Clementi’s focus is on the results of this type of testing.

Based on the results of testing conducted in 2005, the heuristics used in the Eset, Kaspersky Anti-Virus and Bitdefender solutions were the most effective.

It should be noted that the high detection rates demonstrated by heuristic analyzers have a downside: their false positive rates are also very high. To operate normally, an antivirus program should strike a balance between detection rates and false positive rates. This is also true of behavior blockers.

The results of the analyses conducted by AV-comparatives.org and AV-Test.org provide a solid illustration of the fact that proactive methods alone are incapable of providing the necessary detection rates.

Antivirus vendors are perfectly aware of this and, for all their rhetoric on proactive technologies, continue to use classical signature-based detection methods in their solutions. Tellingly, developers of purely proactive solutions (Finjan, StarForce Safe'n'Sec) must purchase licenses for “classical” signature-based technologies from third parties to use in their products.

Naturally, signature-based methods have shortcomings as well, but so far, the antivirus industry has been unable to come up with anything capable of replacing this classic approach. Consequently, the primary criteria to measure the effectiveness of antivirus solutions will continue to include not only the quality of proactive protection, but response time to new virus threats (the time it takes to add the relevant signature to the database and deliver the update to users) as well.

On the following page you’ll find information on average response times demonstrated by leading antivirus vendors for major antivirus threats during 2005. The Magdeburg University research group (AV-Test.org) analyzed the time it took developers to release updates containing the relevant signatures.

The analysis covered different variants of 16 worms that were most common in 2005, including Bagle, Bobax, Bropia, Fatso, Kelvir, Mydoom, Mytob, Sober and Wurmark.
Average response time 2005

Response time      Vendor
10 to 12 hours     Symantec
18 to 20 hours     CA eTrust-VET

Source: Ranking Response Times for Anti-Virus Programs (Andreas Marx of AV-Test.org)
Oleg Gudilin works at Kaspersky Lab, a leading developer of secure content management solutions that protect against viruses, Trojans, worms, spyware, hacker attacks and spam.
Gartner IT Security Summit 2006
18 September-19 September 2006 - Royal Lancaster Hotel, London, UK
http://www.gartner.com
If you want your event included in the HNS calendar e-mail us at press@net-security.org
Installing a side instance of MySQL for testing purposes is a task that many administrators can perform without breaking a sweat. If you need to do that only once in a while, you just need to read the manual carefully, or to have some experience in this matter, and the task is accomplished quite easily.
If, however, your skills are below the Guru level, even to get this task done just once you may find yourself in trouble. And, let’s face it, even experienced administrators, when they need to do this several times, with different versions of MySQL, may have trouble doing it right. It would be nice to have a tool that takes care of the dirty details for you and gets the job done quietly, without interfering with existing installations, and without side effects.

Such a tool exists: it’s the MySQL Sandbox (sourceforge.net/projects/mysql-sandbox/). It is a framework for testing features under any version of MySQL from 3.23 to 5.1. Without fuss, it will install one server under your home directory, and it will provide some useful commands to start and stop it, and to use it within the sandbox.

There are many reasons for installing a side server. One is testing a potentially dangerous application that you don’t want to try on a production server. Another reason is to try different versions of MySQL on a piece of code when hunting a bug. Or you are a consultant, your customers are all using different versions of the DBMS, and you need to test your procedures in an environment that is as close as possible to the one your clients are using. I don’t know about you, but in my job I have all the above needs, sometimes all at once.

After having performed the task of installing a side instance of MySQL dozens of times, I realized that I was perhaps wasting too much time, especially in terms of responsiveness, since I could not respond to emergency problems as quickly as I would like. Therefore, I forced myself to put together most of my expertise into a Perl script, and the MySQL Sandbox was born. Now, when I need to test something in any version of MySQL from the ancient 3.23 to the bleeding edge one in the Beta branch, I can do that in a few seconds. Literally.
With this package you can play with MySQL 5.x without needing to use other computers. The servers installed in the sandbox use non-standard ports and sockets, so that they won’t interfere with existing MySQL installations.

Getting started

To use MySQL Sandbox you need a few things:

Installation

To show you the simplest installation, let’s assume that you already have a MySQL binary installation, in its default location of /usr/local/mysql.

Unpack the distribution package in one empty directory and run the install script. For example:

To better understand the options, look at Figure 1 below.

Figure 1. Basic Sandbox directory organization
Putting aside the other options for now, let’s focus on the directories. basedir is where you get the binaries from, i.e., in this case /usr/local/mysql. home_directory is your $HOME (/home/johndoe). It could be anywhere, but it should be a place where you’ve got all necessary writing privileges. Your $HOME is just a safe assumption. Under this directory, the installation process is going to create the sandbox directory (red colored in the figure), and the data directory is just below it.

If you type Y, or just press ENTER, the installation program will create /home/johndoe/mysql_sandbox5_0/, which will contain everything you need to work with this side instance.

Just cd to that directory, and use the ./start.sh command. You will see the following:
$ ./start.sh
/usr/local/mysql ~/mysql_sandbox5_0
~/mysql_sandbox5_0
sandbox server started
sandbox server started

Your server is now installed and ready for use. Go ahead and try it out.

$ ./use.sh
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
After that, you may look around. There is a configuration file my.sandbox.cnf, containing the starting options for your server. There is a USING file, containing a reminder of which version and basedir you were using. And there is a current_options.conf, containing the options used by the installation to create your sandbox. Should you need to recreate it, use the installation script again with this file as a parameter.
$ cd /install_directory
$ ./install.pl -f current_options.conf
$ ./stop.sh
The server will go down quietly. You may erase the whole directory if you wish. There are some more interesting things that you can do.

Advanced installation

The above installation was easy. But actually I don’t recommend installing a sandbox from /usr/local/mysql. The reason is that in such a location you install the current production release, and if you upgrade it, the sandbox will point to a version that is different from the one you originally intended.

I keep different versions grouped in a directory, conveniently named so that they can be easily accessed.
Figure 2. Advanced Sandbox directory organization
Usually I unpack the max package, and rename the unpacked directory to the simple version name, so mysql-max-5.0.21-linux-i686.tar.gz becomes 5.0.21. If I have several packages of the same version (it happens when testing the source code) I add a letter to the end.

My side servers organization is something like the one shown in Figure 2.

If you want to get the same organization, just download the binary packages for your operating system (or compile it if you must) for each version you may need to use, and unpack them in the same directory. Rename them appropriately, so that each directory is named after a version number, and you are ready to install.

If you want to achieve the same result as in the default installation, you should specify the basedir option, so that the installation program will create appropriate configuration files and scripts.
./install --basedir=/opt/mysql/5.0.21
Should you run this command, though, you will get a different result.
As a security measure the Sandbox installer will refuse to overwrite existing directories, unless you instruct it explicitly to do so with the --force option.

But let’s take a look at some of the more interesting features. The complete list is always available using ./install.pl --help.
Building the data directory

By default, the mysql database comes with two users. The datacharmer user has been granted all privileges except grant. This user can connect from any host. The root user has got all privileges, including grant. This user can connect only from localhost.

You can control the creation of the mysql database with the --datadir_from=[source] option. The default value for [source] is archive, and this will use the packaged mysql database that was just described:
--datadir_from=archive
--datadir_from=dir:/home/johndoe/my_default_mysql_db
--datadir_from=script
After that, you can run the script without additional arguments.
$ ./use.sh
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.0.22
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
Using the installation wizard

There are a few more options worth mentioning, but I won't get into detail about them now. You would not remember them all (heck, I don't remember them, even though I wrote the whole thing!). I will mention the only one you're going to need if you want to fine tune your sandbox installation without memorizing too many things. Just run this one:

./install.pl --interactive

Then the installation program will turn into a wizard (a text-based one, but a wizard nonetheless) that will guide you step-by-step through all the available options. The output looks like this:
~/install/mysql_sandbox ~/install/mysql_sandbox/docs
Enter the values for each option
To leave the interactive choice and accept default values
for the remaining options, enter 'default'
To go to the previous item, enter 'back'
To quit the installation without any action, enter 'quit'
-----------------------------------------------------------------
home_directory
The home directory. (default: $HOME (/home/johndoe))
Your choice: (default value [/home/johndoe])
-----------------------------------------------------------------
sandbox_directory
Where to install the sandbox, under home-directory
Your choice: (default value [mysql_sandbox])
-----------------------------------------------------------------
sandbox_port
The port number to use for the sandbox server.
(Default: 3310)
Your choice: (default value [3310])
Thirteen more options follow (and possibly more, depending on how much time has elapsed between my writing and your reading this piece). For each option, you could either press ENTER, accepting the default value, which is shown in brackets, or insert the value that is appropriate for your needs. If you have already changed what you wanted, and don't want to go through the rest of the options list, you could enter default, and you leave the wizard, accepting default values for the remaining options.

If you want to cancel the installation, just enter quit and the program is terminated without performing any action at all. To re-enter the previous option, type back.

Testing recent software on an older version

Let's say you developed an application, you tested it with the current production ready version (5.0), and it works fine. Before releasing to the wide public, though, you want to test it with earlier versions, to prevent unpleasant surprises to your support department.

Using the Sandbox, the task is easy. For example, to install the latest release from version 4.0, you should enter:
$ ./install.pl --basedir=/opt/mysql/4.0.27
--sandbox_directory=mysql_sandbox_4_0_27
--install_version=4.0 --sandbox_port=4027
--no_ver_after_name
That will create a sandbox directory with a distinct name, and a port with the same number as the version itself. If that does not sound easy, you are right. It's easier than doing it manually, but the task can become even easier. Starting from Sandbox 1.5, there is an additional installing program, called express_install.pl. To accomplish exactly the same result, you can enter

$ ./express_install.pl /opt/mysql/4.0.27

If you are using /opt/mysql/ as your binary repository, you can even omit the path. The express install will generate the necessary options for you.
$ ./express_install.pl 4.0.27
Executing ./install.pl --basedir=/opt/mysql/4.0.27
--sandbox_directory=mysql_sandbox_4_0_27
--install_version=4.0
--sandbox_port=4027
--no_ver_after_name
If you want, you may add some options to express_install.pl. Everything after the version (or the complete basedir) is passed to install.pl. For example:
-----------------------------------------------------------------
home_directory
The home directory. (default: $HOME (/home/johndoe))
Your choice: (current value [/home/johndoe]) quit
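The option generation that express_install.pl performs, as an added example in Python that is not part of MySQL Sandbox: it derives the install.pl arguments from either a bare version or a full basedir, assumes /opt/mysql as the binary repository, and (my own assumption) keeps a trailing letter on a version, the author's convention for several packages of one version, in the directory name but not in the port.

```python
"""Added example, not code from MySQL Sandbox: reproduce the install.pl
options that express_install.pl generates from a version or a basedir.

Rules taken from the article's example (4.0.27 -> mysql_sandbox_4_0_27,
port 4027, install_version 4.0); the letter-suffix handling and the
function itself are assumptions, not the tool's own code.
"""
import os
import re

MYSQL_REPO = "/opt/mysql"   # binary repository assumed in the article

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def express_install_args(version_or_basedir, extra_options=()):
    """Return the argv that express_install.pl would hand to install.pl.

    A bare version ("4.0.27") is looked up under MYSQL_REPO; an absolute
    path is used as the basedir as given.  Any extra options are passed
    through unchanged, as the article describes.
    """
    if version_or_basedir.startswith("/"):
        basedir = version_or_basedir.rstrip("/")
    else:
        basedir = "%s/%s" % (MYSQL_REPO, version_or_basedir)

    version = os.path.basename(basedir)          # "4.0.27" or "5.0.21a"
    match = VERSION_RE.fullmatch(version)
    if not match:
        raise ValueError("not a MySQL version directory: %r" % version)
    major, minor, patch, _suffix = match.groups()

    args = [
        "./install.pl",
        "--basedir=%s" % basedir,
        # directory name keeps the full version, dots replaced by underscores
        "--sandbox_directory=mysql_sandbox_%s" % version.replace(".", "_"),
        "--install_version=%s.%s" % (major, minor),
        # port is the version digits run together (letter suffix dropped)
        "--sandbox_port=%s%s%s" % (major, minor, patch),
        "--no_ver_after_name",
    ]
    args.extend(extra_options)   # e.g. --interactive goes straight to install.pl
    return args


if __name__ == "__main__":
    print("Executing " + " ".join(express_install_args("4.0.27")))
```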
Using the Sandbox to perform a main MySQL installation

This is done by supplying the following options to the installation program:
home_directory = /usr/local/
sandbox_directory = mysql
sandbox_port = 3306
datadir_from = script
install_version = 5.0
basedir = /usr/local/mysql
my_file = large
operating_system_user = johndoe
db_user = datacharmer
db_password = datacharmer
force = 1
no_ver_after_name = 1
verbose = 0
The force option is necessary because it will overwrite existing files. Running install.pl with the above parameters will get you an installation very close to the default one. In addition to that, you will have three bash scripts (start.sh, stop.sh, use.sh), but you can also start and stop the server using the normal mysql.server script.

So why would you do that? Actually, you shouldn't. I am showing you how to do it so that you would get acquainted with the tool's flexibility. The main reason why you shouldn't do that is that putting your data under the /usr/ directory is seldom a good idea. You may use a symbolic link for the data directory, but in general you should avoid having your data in the same place where you keep your applications.

So the best usage for the Sandbox would be to install a new data directory in an appropriate partition with enough free storage. It will save time and you'll get the same result as if you'd done it manually. Only neater.

Creating a sandbox using an existing my.cnf with a given version

When you are testing an existing application, or hunting for a bug, it's often important to set up a server with a specific my.cnf. You know already that the my_file option will accept a {small|large|huge} keyword, and it will find a sample configuration file from $BASEDIR/support-files. Something that is also stated in the help text, but you may overlook, is that you can instead supply the full path of an existing my.cnf. For example:

The installation program will skip from the given installation file those options that are indispensable to set up a proper sandbox, and will include all remaining options in the final my.sandbox.cnf, inserting a comment in the file to remind you of the origin of such options.

Troubleshooting

Nothing is perfect and MySQL Sandbox is no exception. There are a couple of things that can go wrong.

a) Sandbox server not started yet

When you enter ./start.sh, usually you see the welcoming message sandbox server started, and you are ready to use it. Sometimes you see a message saying sandbox server not started yet. That may be bad news, but it may only mean that the server is still building the files that are necessary for its functioning. For example, if your setup calls for a huge InnoDB tablespace, it may take a while before the server is up and running.
In these cases, have a look at the hostname.err file in the data directory. If the last message is along the line of "file such and such did not exist. new to be created", it means that you have to wait a few seconds.

Look at the data directory: if you see a .pid file, everything was fine. If you don't, then go back to the error log, and try to figure out what was wrong.

b) Character set information not found

One of the cases that may happen, but only in some Linux distributions, is that an old version sandbox will complain about something along the lines of not finding a file that actually exists. The message may say: Character set information not found in '/opt/mysql/x.x.xx/share/mysql/english/errmsg.sys'

You look at /opt/mysql/x.x.xx/share/mysql/english/, and indeed the errmsg.sys file is there. I think it's a bug, but since it only happens in older versions, and only in Debian distributions, I will leave it at that. The workaround that I found needs a root intervention. You need to set a symbolic link between your basedir and /usr/local/mysql. After that, the server will start.

I never had this problem on a non-Debian system.
Giuseppe Maxia is a systems analyst and database designer with 20 years of IT experience. He deals with data analysis and migration, performance optimization, general wizardry and is the founding partner and CTO of Stardata s.r.l. Giuseppe has spoken at several Open Source conferences (MySQL UC 2003, 2004, OSDBCon 2005, Linux Expo, Webbit and more), in his home country and abroad. He is a well known contributor to PerlMonks and several mailing lists on MySQL and databases. You can find out more about him at www.datacharmer.org
How to keep sensitive data locked down across applications, databases, and
files, including ETL data loading tools, FTP processes and EDI data transfers.
Many consider the insider threat to represent the greatest vulnerability and exposure to enterprise resources. Database attacks are on the rise even as the risks of data breaches are increasing. Several industries must deal with legislation and regulation on data privacy.

This article will review how to protect sensitive data wherever the data resides: at application-level; within databases, files and operating systems; and in storage. We will address the management of associated encryption keys, access control and reporting - helping organizations mitigate risk and reduce costs, while protecting consumer, employee and partner information. The approach safeguards information by cryptographic protection from point-of-creation to point-of-deletion, to keep sensitive data locked down across applications, databases, and files - including ETL data loading tools, FTP processes and EDI data transfers. This design principle optimizes placement of functions for encryption and security enforcement among the modules of a distributed computer system.

The guiding concept, continuous protection of data, suggests that encryption functions placed at low levels, and typically implemented with native platform-based toolkits, may be redundant and of little value when compared with the cost of supporting them at that low level. The principle suggests that Enterprise levels of Data Protection and Key Management may be cost effective in many configurations. We also include a set of best practices that ensure not only a successful PCI audit, but a sustained improvement in the security and protection of sensitive data, and the limiting of theft and its costly aftermath.

Whether you decide to implement encryption inside or outside the data store, we recommend that:
• encrypted information be stored separately from encryption keys,
• strong authentication should be used to identify users before they decrypt sensitive information,
• access to keys should be monitored, audited and logged,
• sensitive data should be encrypted end-to-end, while in transit in the application and while in storage in enterprise data stores.

We introduce a system-solution example that complies with these requirements and provides a cost-effective implementation.

The business problem

The business problem of IT security is, however, more severe than the technical problems. Because current user access control solutions involve different components for authentication, authorization and administration (AAA), a solution can fail at any of these components. For example, one required component upgrade may no longer interoperate with another component, alienating users, leading to lost business, and perhaps, to security breaches. The result is that IT managers face continual, onerous cycles of development and maintenance. In short, the business problem of IT security is to prioritize that which simplifies and enhances the user experience, to support revenue and revenue growth, while reducing enterprise liability and expenditure.

Today's IT security solutions will need to be continually updated, however, in ever faster cycles, to remain effective - more frequent patches, upgrades, support, and perhaps replacement - to provide the same level of value tomorrow. To date initiatives have focused on data in backup and storage systems. However, regional and vertical mandates - such as U.S. state breach notification laws (e.g., California Senate Bill 1386), the European Union Data Privacy Directive, Japan's Personal Information Protection Act and the Payment Card Industry standard - are driving companies to take an aggressive stance on protecting data-at-rest. Organizations are seeking to avoid the financial and brand integrity costs associated with compromised data, while positioning themselves to take advantage of "safe harbors" which often protect companies from penalties if appropriate steps have been taken to protect sensitive information.

Security gaps in enterprise security

Continual development and maintenance not only make IT security more expensive than it appears, they also make IT security solutions less secure, by increasing the number and the potential extent of security gaps that may exist at any time.

In a broad generalization, two types of attacks can exploit security gaps: network and data attacks. A network attack tries to interfere with client and/or server systems in transactions, in terms of their communication processes. For example, an attack may try to gain or deny access, read files, or insert information or code that affects communication.

Data attacks try to tamper with, and/or read, data in files or messages, by deleting, changing, reading, or inserting false data.
Trust, risk and the weakest link

The conventional risk model used in IT security is that of a linked chain - the system is a chain of events, where the weakest link is found and made stronger. We should question this approach because it fails to solve the problem of how to provide a secure IT system, even when a recognized weak link is made stronger. The strengthening of any link, even if made much stronger, would not make the system less vulnerable, and might make the system more vulnerable, because the security of the system would still depend on a weakest link (which might be the newly "hardened" link). Further, such solutions are actually based on the illogical presumption that "no part will fail at any time" - if a critical part fails, the system fails. In short, there is an inevitable single point-of-failure - that weakest link.

Making the link stronger will not make the single point-of-failure go away - at most it may shift it.

The need to know and the segregation of duties

The technical objective of information security may be stated as: "avoid unnecessary concentration of information and power; allow enough concentration to make a task possible to execute." An all-knowing, all-powerful entity would be the perfect attacker and could break any security measure. This is why we oftentimes talk about "need to know" and "separation of powers." We name these principles, respectively, information granularity and power granularity.

These concepts mean that information should not be provided in its entirety to a single entity. This is the reason business information and power should be carefully distributed, for example, among local employees, the office management, the enterprise management and the customer. And, contrary to what many advocate for IT security solutions, there should be no single point of control in an IT security system. This can be the single point of failure - no matter how trustworthy a single point of control is, its failure or compromise leaves no recourse for recovery.

A comprehensive approach to enterprise data protection

New business models rely on open networks with multiple access points to conduct business in real time, driving down costs and improving response times to revenue generating opportunities. By leveraging the ability to quickly exchange critical information and improve their competitive position, enterprises are introducing new vulnerabilities that can be exploited to gain unauthorized access to sensitive information. By establishing appropriate enterprise architecture key management, with encryption at application-, database- and file-level, the organization maximizes benefits while minimizing potential pitfalls to operational processes farther down the line. Each type of application and storage method may need a different approach to lock down data. This paper reviews a practical implementation of a transparent approach to keep sensitive data locked down, utilizing policy driven encryption and key management for data-at-rest and in-transit across enterprise systems. The encryption solution operates at the field, record and file levels to suit the operational needs for each type of application and data storage system.

The primary vulnerability of the database and file level encryption

The primary vulnerability of database- and file-level encryption is that they do not protect against application-level attacks - the encryption function is solely implemented within the DBMS. The application protection solution institutes policies and procedures that enable software developers to effectively build security into enterprise applications, employing external filters to block attacks.

Hackers, crackers, internal attacks and business evolution are facts of life; as a result, security threats, leaks and lack of scale will constantly plague user access control solutions based on password lists, access control databases, and shared secrets. With more users, more applications and more revenue depending on Web resources, it is more important than ever before to provide remote user access while protecting the enterprise's resources. With multiple administrative domains and the need for quick response to market
changes, managers often need centralized user administration and control delegation to be effective. For end-to-end web security, consider implementing application-layer encryption security to protect PINs and other sensitive data in communications between web browsers and hosts. App-level protection ensures sensitive information is protected from its point of entry until it is validated or used by the target applications. This addresses an inherent limitation in most Secure Socket Layer (SSL) implementations that terminate encryption at the web servers and create the potential exposure of clear text in the form of sensitive user credentials and business transactions.

A framework that includes the following components

This security solution helps companies protect themselves through a framework that includes the following components:

1. Encryption key management: enables organizations to manage encryption keys generated by disparate enterprise applications helping to guarantee the seamless flow of protected information, with minimal intrusiveness.

The challenge to get the parts together

The challenge is to get the parts together - expertise in database encryption, application security and file encryption to be applied in the integrated solution:

1. Protection of sensitive data in any place where data reside will include an enterprise key management and crypto support (or remote access to crypto support) on all major OS platforms.
Such requirements need to be clearly formulated, decidable and, as much as possible, complete. An end-to-end design is important to assure effectiveness, because attacks and errors are hard to detect and prevent at interface points. Because there are no paper trails, non-repudiation is also essential for Internet and IT security systems. Non-repudiation is often defined as providing proof that a particular act had actually been performed - for example, as demonstrated by a trusted time-stamp. However, we may view the concept of non-repudiation much more strictly - as in preventing the effective denial of an act. The first definition describes the component quality used in the IT system, where a weak component may compromise the whole system. The stricter definition focuses on the need to continuously evaluate all potential and existing threats, verifying any additional security design features that might be necessary to mitigate risks stemming from the most likely or most damaging threats to the customer environment, and eventual changes in that environment.

An effective data protection solution

An effective data protection solution needs to deal with an extensive list of security properties. A secure IT system must not "pop" like a balloon when subjected to an attack, or fail silently, leaving no trace of the attack. There should be no single point of failure. There must be multiple channels of communication and correction, even if the channels are not 100% independent. We intuit an increase in reliability by using multiple channels of information. This correlates well with our perception of how trust may be defined - we know from experience that we trust more when we have more evidence to support trust. In an IT security system, we define trust as qualified reliance on information, based on factors independent of that information. More precisely, trust is that which is essential to a communication channel but cannot be transferred using that channel.

A true end-to-end encryption solution

To cope with the accelerated risks and obsolescence typical of IT security solutions, enterprises need an End-To-End IT security solution that can provide shorter, less expensive, deployment, development and maintenance cycles. The solution should minimize the probability of patches, upgrades and support during the lifetime of an IT security system. The solution also needs to integrate core security services and eliminate known or costly weak links such as password lists, access control databases, shared secrets, and client-side PKI.

What are these core security services, and what else is required in order to solve both the technical and business problems of IT security? We first need to look at the security gaps that can be exploited, and what security services are necessary to prevent such breaches. Second, we need to realize that it is the combination, and interoperation, of security properties that can provide the resiliency required of a secure IT system. An IT security system needs to have the equivalent of several independent, active barriers, controlling different security aspects but complementing each barrier's function. Lastly, an IT security solution needs to be highly scalable, supporting anywhere from hundreds to millions or tens of millions of users, compatible with the current infrastructure and standards, and extensible.

Security management must be based on a security policy

Several key elements of a comprehensive security policy:

• Trust - qualified reliance on information, based on factors independent of that information
• Access control - granting access to information objects based on the trusted identity of users - limiting access to system resources to authorized users, processes or systems - validated before decryption of data items is authorized
• Audit and maintenance of historical logs of all transactions, reviewed to maintain accountability for all security relevant events. This covers archived data with support for adding strong encryption over time.
• Authentication - corroboration of a credential or claim; the ability to establish and verify the validity of a user, user device or other entity - also, the integrity of the information stored or transmitted. This should cover integration with LDAP, X.500, i500 product, Active Directory
implementation, and other derivations and implementations of user directories.
• Authorization - conveyance of rights, power or privilege to see, do or be something, including The Open Group, OASIS, and other XML-based authorization standards.
• Confidentiality - ensuring that data is not available or disclosed to unauthorized individuals, entities or processes, to include separation of duties/power/roles.
• Integrity - ensuring that data is not altered or destroyed in an unauthorized manner.
• Non-repudiation - the ability to prevent the effective denial of an act; the ability to prove the origin and delivery of transactions and data-at-rest changes.
• Security management - a defined process to perform system security functions such as audit, credential management and configuration management. Security management must be based on a security policy - the set of laws, rules, and practices that regulate how an enterprise manages, protects, and distributes sensitive information.
The Continuously Secure Data Protection System

Our vision is that security needs to "own" an end-to-end property; otherwise, security breaches are possible at security point-interfaces, which may allow gaps in protection. As it is clear from the previous discussion, authentication and authorization are not sufficient for this end-to-end (E2E) purpose.

Providing an E2E-encryption solution for IT security and user access control, the Continuously Secure Data System establishes the medium to integrate a number of core capabilities in IT security solutions including:

The Continuously Secure Data System also recognizes the need to bind a system of trust to IT security solutions, to communicate trust not only machine-to-machine, but also human-to-machine. We need to provide these capabilities in a scalable system, supporting hundreds of users, to millions or tens of millions, and which is compatible with existing infrastructure, current & evolving Internet standards, with as much backward compatibility as possible. Finally, the Continuously Secure Data System must take business drivers into account - quicker and less expensive deployment, development and maintenance cycles; less need for integration with other (changing) products; ease-of-use; and close back-end to front-end integration so that legacy systems can be reliably used.

Policy-driven data protection

Such a data protection solution helps ensure that data is encrypted everywhere it may reside, with minimal intrusiveness and maximal separation of duties. Application code and database schemas are sensitive to changes in data type and data length. Our policy-driven solution allows transparent data-level encryption that retains data field type or length. Data Transformation and Protection (DTP) can be added to reduce the need for changes to data structures and applications. The field-level encryption approach is very useful when dealing with EDI/FTP/flat files being transferred between discrete systems. At no time is sensitive data in an unencrypted state at-rest on any system.

How to encrypt data if a binary format is not desirable

If data is to be managed in binary format, "varbinary" can be used as the data type to store encrypted information. On the other hand, if a binary format is not desirable, the encrypted data can be encoded and stored in a VARCHAR field. There are size and performance penalties when using an encoded format, but this may be necessary in environments that do not interface well with binary formats, if support for transparent data-level encryption is not used. In environments where it is unnecessary to encrypt all data within a data store, a solution with granular capabilities is ideal. Even if only a small subset of sensitive information needs to be encrypted, additional space will still be required if transparent data-level encryption is not used. Secure data-level encryption for data-at-rest can be based on block ciphers.

The proposed solution is based on transparent data level encryption with Data Type Preservation that does not change ASCII data field type or length. The solution provides a cost effective implementation, avoiding changes of millions of lines of business code in larger enterprise information systems. The solution also provides an effective last line of defense: selective column-level data
item encryption, cryptographically enforced bers, patient names, etc. Some data values
authorization; key management based on are not good candidates for encryption -- i.e.,
hardware or software, secure audit and report- Booleans (true and false), or other small sets
ing facility, and enforced separation of duties. like integers 1-10. These values, and column
The method is cryptographically strong, works names, may be easy to guess, so you want to
with any DBMS and OS, works with different decide whether encryption is really useful.
character sets, no application or database Creating indexes on encrypted data is a good
changes, no programming language depend- idea in some cases. Exact matches and joins
ence, fail safe, requires no DBA intervention. of encrypted data will use the indexes you
Data loader functions normally and queries create. Since encrypted data is essentially bi-
function normally. Enhanced search capabili- nary data, range checking of encrypted data
ties based on partial encryption of data can would require table scans. Range checking
easily be added with this approach.

The optimal place to encrypt data will always depend on the situation

Give careful consideration to the performance impact of implementing a data encryption solution. First, enterprises must adopt an approach to encrypting sensitive fields only. Such a solution allows the enforcement module to be installed with the file system, at the database table-space level, or at column level to meet different operational needs. It encrypts and decrypts data as the database process reads or writes its database files. This enables it to perform cryptographic operations in file system block segments, instead of on individual cells, rows or columns.

Allow optional granularity and implementation layers for the data encryption

Compared to triggers, stored procedures, external API calls and network round-trips, there is very little overhead in some operational situations. Furthermore, this solution can decrypt data before it is read into the database’s cache. Subsequent hits on this data in the cache incur no additional overhead, nor does this architecture diminish database index effectiveness. Whether this exposure will meet your security requirements depends on the situation.

Encrypt a few very sensitive data elements

Encryption, by its nature, slows most SQL statements. With care, the amount of overhead should be minimal. Also, encrypted data will have a significant impact on your database design. In general, it is best to encrypt a few very sensitive data elements in a schema, like Social Security numbers, credit card num-

will require decrypting all the row values for a column, so avoid it if it is not tuned appropriately, with an accelerated search index.

Searching for an encrypted value within a column

Searching for an exact match of an encrypted value within a column is possible, provided the same initialization vector is used for the entire column. On the other hand, searching for partial matches on encrypted data within a database can be challenging and may result in full table scans if support for accelerated index-search on encrypted data is not used. One approach to performing partial searches, without prohibitive performance constraints - and without revealing too much sensitive information - is to apply an HMAC to part of the sensitive data and store it in another column in the same row.

Encrypted columns can be a primary key

Encrypted columns can be a primary key or part of a primary key, since the encryption of a piece of data is stable (i.e., it always produces the same result), and no two distinct pieces of data will produce the same cipher text, provided consistent use of the key and initialization vector. However, when encrypting entire columns of an existing database, depending on the data migration method, database administrators might have to drop existing primary keys, as well as any other associated reference keys, and re-create them after the data is encrypted. For this reason, encrypting a column that is part of a primary key constraint is not recommended if support for accelerated index search on encrypted data is not used. Since primary keys are automatically indexed, there are also performance considerations, particularly if support for
accelerated index-search on encrypted data is not used.

Plan before encrypting information in indexed fields

scan regardless of whether an index exists. For this reason, encrypting a column that is part of an index is not recommended, if support for accelerated index-search on encrypted data is not used.
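The keyed-hash index described under "Searching for an encrypted value within a column" (an HMAC over part of the sensitive value, stored in another column of the same row), as an added Go example that is not the article's or any vendor's code: the card number itself is encrypted with AES-GCM under a random nonce, so the ciphertext is not searchable at all, and two HMAC-SHA256 index columns are stored beside it, one over the full number for exact matches and one over the last four digits for the partial search. The HMAC index is used for the exact match as well, in place of the fixed-initialization-vector approach the text mentions, so that equal plaintexts still produce different ciphertexts. The key values, the `Row` layout, the `Insert` and `Find` names and the in-memory table are assumptions of the example, standing in for a key manager and a database table.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// Constructed keys for this example only (a deployment fetches them from the key manager);
// the HMAC key is separate from the column key so a leaked index value can never unwrap a cell.
var (
	columnKey = []byte("0123456789abcdef0123456789abcdef") // 32-byte AES-256 key (hypothetical)
	indexKey  = []byte("fedcba9876543210fedcba9876543210") // 32-byte HMAC-SHA256 key (hypothetical)
)

// Row is one record: the encrypted card number plus its keyed-hash index columns, same row.
type Row struct {
	ID    int
	PanCT []byte            // nonce || AES-GCM ciphertext; the random nonce makes equal PANs encrypt differently
	Idx   map[string]string // "pan": HMAC over the full number; "last4": HMAC over its last four digits
}

// blindIndex is the keyed hash stored beside the ciphertext; the label keeps index types apart.
func blindIndex(label, value string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(label + ":" + value))
	return hex.EncodeToString(mac.Sum(nil))
}

func columnGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(columnKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func encryptCell(plaintext string) ([]byte, error) {
	g, err := columnGCM()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh random nonce per cell
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, []byte(plaintext), nil), nil
}

func decryptCell(ct []byte) (string, error) {
	g, err := columnGCM()
	if err != nil {
		return "", err
	}
	if len(ct) < g.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
	return string(pt), err
}

// Insert encrypts the PAN and computes both blind indexes at write time.
func Insert(table []Row, id int, pan string) ([]Row, error) {
	if len(pan) < 4 {
		return table, fmt.Errorf("PAN too short")
	}
	ct, err := encryptCell(pan)
	if err != nil {
		return table, err
	}
	idx := map[string]string{"pan": blindIndex("pan", pan), "last4": blindIndex("last4", pan[len(pan)-4:])}
	return append(table, Row{ID: id, PanCT: ct, Idx: idx}), nil
}

// Find returns the IDs of rows whose index column label matches value ("pan" is the exact-match
// search, "last4" the partial one). Only index values are compared, so no row is decrypted.
func Find(table []Row, label, value string) []int {
	want := blindIndex(label, value)
	var ids []int
	for _, r := range table {
		if r.Idx[label] == want {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

func main() {
	var table []Row // constructed test card numbers; none is a real account
	for i, pan := range []string{"4111111111111111", "4012888888881881", "5555555555551111"} {
		table, _ = Insert(table, i+1, pan)
	}
	fmt.Println("exact:", Find(table, "pan", "4111111111111111"), "last4=1111:", Find(table, "last4", "1111"))
}
```

A real schema would put an ordinary B-tree index on the two index columns; the query then compares HMAC values and touches no ciphertext, which is what avoids the full table scan. Because the last-four index has only 10,000 possible inputs, anyone holding the index key can enumerate it, so that key needs the same protection as the column key, and the two must never be the same key.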
The use of initialization vectors together with certain encryption modes

If you are using AES-CTR (the Advanced Encryption Standard in counter mode), note that it is functionally equivalent to a stream cipher: it generates a pseudo-random cipher stream that is XORed into plaintext to form ciphertext. The cipher stream is generated by applying the AES encrypt operation on a sequence of 128-bit counter blocks. Counter blocks, in turn, are generated based on record sequence numbers (in the case of TLS), or a combination of record sequence and epoch numbers (in the case of DTLS). When AES Counter Mode is used in Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS), it should be noted that although the client and server use the same sequence number space, they use different write keys and counter blocks. There is one important constraint on the use of counter mode ciphers: for a given key, a counter block value MUST never be used more than once. This constraint is required because a given key and counter block value completely specify a portion of the cipher stream. Hence, a particular counter block value, when used (with a given key) to generate more than one cipher text, leaks information about the corresponding plaintexts. Given this constraint, the challenge then is in the design of the counter block.
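The counter-block constraint above, as an added Go example (not the article's code, and not a TLS implementation): `counterBlock` assembles the 128-bit block from a per-key salt, the epoch and the record sequence number, a hypothetical layout modelled on the DTLS scheme the text describes rather than the specification's exact format; `RecordWriter` refuses to encrypt twice under the same (key, counter block) pair; and `KeystreamReused` shows why that rule exists, since with a shared keystream the XOR of two ciphertexts equals the XOR of their plaintexts. The key, salt and record contents are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// counterBlock builds the 16-byte initial counter block for one record. The layout is a
// hypothetical illustration modelled on the DTLS scheme the text describes, not a wire format:
// 4-byte per-key salt || 2-byte epoch || 6-byte record sequence number || 4-byte block counter.
// Because (epoch, sequence) never repeats under one write key, neither does the counter block.
func counterBlock(salt [4]byte, epoch uint16, seq uint64) ([16]byte, error) {
	var cb [16]byte
	if seq >= 1<<48 {
		return cb, errors.New("sequence space exhausted: rekey instead of wrapping the counter")
	}
	copy(cb[0:4], salt[:])
	binary.BigEndian.PutUint16(cb[4:6], epoch)
	var seq8 [8]byte
	binary.BigEndian.PutUint64(seq8[:], seq)
	copy(cb[6:12], seq8[2:])                  // low 48 bits of the sequence number
	binary.BigEndian.PutUint32(cb[12:16], 1) // per-record block counter starts at 1
	return cb, nil
}

// rawCTR runs AES-CTR from the given counter block with no bookkeeping at all.
func rawCTR(key []byte, cb [16]byte, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, cb[:]).XORKeyStream(out, data)
	return out, nil
}

// RecordWriter remembers every counter block used under its write key and refuses a repeat,
// enforcing the rule that a (key, counter block) pair MUST never be used more than once.
type RecordWriter struct {
	key  []byte
	salt [4]byte
	used map[[16]byte]bool
}

func NewRecordWriter(key []byte, salt [4]byte) (*RecordWriter, error) {
	if _, err := aes.NewCipher(key); err != nil {
		return nil, err
	}
	return &RecordWriter{key: key, salt: salt, used: map[[16]byte]bool{}}, nil
}

// Encrypt protects one record addressed by (epoch, seq); CTR decryption is the same operation.
func (w *RecordWriter) Encrypt(epoch uint16, seq uint64, plaintext []byte) ([]byte, error) {
	cb, err := counterBlock(w.salt, epoch, seq)
	if err != nil {
		return nil, err
	}
	if w.used[cb] {
		return nil, fmt.Errorf("counter block reuse refused for epoch=%d seq=%d", epoch, seq)
	}
	w.used[cb] = true
	return rawCTR(w.key, cb, plaintext)
}

// KeystreamReused reports whether two ciphertexts share a keystream: for a stream cipher,
// c1 XOR c2 equals p1 XOR p2 exactly when they do, which is the leak the text warns about.
func KeystreamReused(c1, p1, c2, p2 []byte) bool {
	n := len(c1)
	if len(c2) < n {
		n = len(c2)
	}
	if n == 0 || len(p1) < n || len(p2) < n {
		return false
	}
	for i := 0; i < n; i++ {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return true
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit write key for the demo
	w, _ := NewRecordWriter(key, [4]byte{1, 2, 3, 4})
	p1, p2 := []byte("record one"), []byte("record two")
	c1, _ := w.Encrypt(0, 1, p1)
	c2, _ := w.Encrypt(0, 2, p2)
	fmt.Println("fresh counter blocks share a keystream:", KeystreamReused(c1, p1, c2, p2))
	_, err := w.Encrypt(0, 1, p2)
	fmt.Println("second use of epoch 0 / seq 1:", err)
}
```

The map of used blocks is the check a library should make impossible to skip; in a protocol the same guarantee comes from a strictly increasing sequence number and a rekey before the sequence space runs out, which `counterBlock` enforces by refusing a sequence number of 2^48 or more.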
Database file encryption will leave your live database in clear

This solution's policies can selectively encrypt individual files and do not require that “the entire database” be encrypted. Database administrators can assign one or more tables to a table-space file - policies may then specify which table-spaces to encrypt. In this way, you encrypt only the database tables that have sensitive data, and leave the other tables unencrypted. This said, in some situations, some customers choose to encrypt all database files because there is little performance penalty and no additional implementation effort in doing so.

Central encryption appliances vs. distributed encryption engines

Network-attached encryption (NAED), as a network-attached encryption appliance, was implemented by my teams at IBM, involving work with nCipher, Eracom and Chrysalis (SafeNet) starting in 1994. Our research and benchmarking is reported here. A NAED is a hardware device that resides on the network, houses the encryption keys and executes all crypto operations. This topology has the added security of physically separating the keys from the data. However, this added security comes at a heavy price; performance can be 10-1000 times less efficient than alternative methods. SAN/NAS proxy encryption performs close to line speed, but it is less feasible from a scalability perspective in a terabyte configuration compared to host-based software file encryption solutions. The heavy price paid for such network-attached encryption? Benchmarks reveal a throughput of between 440 and 1,100 row-decryptions per second. This example debunks the generally held myth that NAEDs off-load work from the database. Further, a network-attached engine does not provide high availability, unless multiple engines are configured into a high availability cluster.

An off-load of work with the network-attached appliance?

The short answer is “no,” there isn’t an off-load of work, since this solution must perform one encryption operation in the database, which is the same for other topologies, in addition to the encryption functions at the NAED. When a user requests secured data, the security system manages the process of retrieving encrypted data from the database, ensuring that the request is from an authorized user, and performing the decryption process. In this topology, the encryption agent handles the request and retrieves the encrypted data from the database. It sends the encrypted data over the network to be decrypted by the NAED. Inside the NAED are the keys and algorithms to decrypt the data. Once decrypted, however, we have clear-text information that needs to be sent back over the wire to the database server. This requires that we re-secure the information for transit, typically through a secure communication process such as SSL. When the data arrives at the agent on the database server, it has to be returned to clear text, and then it is served up to the calling application.

Exposing an encryption appliance will introduce an additional point of attack.

An integrated central and distributed solution can protect from this vulnerability. Denial-of-service attacks are another related concern with network-attached engines. Since the engine is available over TCP/IP, an attacker could flood the engine with traffic and block legitimate cryptographic requests. If required information can’t be decrypted, then a customer may not be able to place an order or access account information. If the database stores encrypted records that are critical for business operation, a successful denial-of-service attack could have severe consequences.

Scalable, centralized life-cycle management for encryption keys

Well-worn though it may be, the saying that “the chain is only as strong as its weakest link” clearly applies to the efforts of organizations to secure sensitive data and ensure data privacy. Keys are the foundation of all encryption-based security solutions. If a hacker, internal or external, gains access to your private keys, the security of all data formerly protected by encryption is gone. Not reduced - gone. That is a risk currently assumed by companies that store private keys used for data encryption in insecure locations, whether Web, application,
or database servers. These servers are typically not secure because there are many people with access to them, the servers are often misconfigured, and they often aren’t kept up to date with the latest security patches. Additionally, keys are usually stored in an easily readable plaintext format. Even organizations that make efforts to protect private keys with passwords find that these passwords aren’t protected properly, are chosen poorly, and usually must be shared between multiple administrators. These keys are vulnerable to discovery. An intruder who compromises your keys can launch “eavesdropping” attacks using the stolen key to hack into vital data repositories. This could result in data theft, loss of privacy for your employees and customers, and damages to brand credibility and customer confidence. Stringent security defenses protect each sensitive element of the system - each protected by its own unique, randomly generated key. Private keys are stored encrypted with several Triple-DES encryption keys that are nested.
Effectively and efficiently manage encryption keys

Our encryption key management solution enables organizations to effectively and efficiently manage encryption keys generated by disparate enterprise applications, helping to guarantee the seamless flow of protected information, with minimal intrusiveness. One of the primary elements of modern cryptography most often recommended by regulations and industry standards is the concept of a data encryption key. Encryption requires that a key be used to initially encrypt a piece of sensitive information, and the key is subsequently required to decrypt that information when needed by applications. Not only is it important to effectively protect this key against misuse, it is also important to ensure that the key is quickly accessible by applications when needed. Traditionally, applications that use encryption technology have had to handle the management of encryption keys on their own - creating a host of incompatible solutions.

The Key Manager is designed to help companies alleviate these problems by centralizing the life-cycle management of encryption keys across their information infrastructure. Key Manager works across a wide variety of operating platforms and development environments to ease integration and ongoing administration of applications that use encryption. It is also easily integrated into retail point-of-sale terminals, reservation systems, payment systems and other applications to protect sensitive information such as credit card magnetic stripe data and consumer data at the point of entry.

Protect at the point of entry and throughout the information life-cycle

The capability to protect at the point of entry helps ensure that the information will be both properly secured and fully accessible when needed at any point in its enterprise information lifecycle. Regulatory compliance and industry security standards such as the PCI Data Security Standard (DSS) continue to motivate large corporations to develop and adopt an encryption strategy for their high-risk data stores and applications. Recent high-profile security breaches exposing personal identity information have made the need for better information protection obvious to the public. However, effectively implementing an encryption strategy has traditionally required application developers and data architects that possess a high level of security knowledge. Ongoing administration and management of encryption technology is also a major concern as more applications and data stores require it in order to protect data.

The Key Manager solution provides secure storage of encryption keys. All keys in the key vault database are encrypted using a protected master encryption key. This multi-layer hierarchy of keys ensures the highest level of protection against attack, with a hierarchy in which each key is protected by a parent key. Authentication and authorization for system administrators is performed using the included Access Manager.
Access Manager is designed to provide the necessary separation of duties and administrator roles required for strong security over the Key Manager system as well as to meet specific PCI standard requirements.

How to reduce the risk of memory attacks

Memory attacks may be theoretical, but cryptographic keys, unlike most other data in a computer’s memory, are random. Looking through memory structures for random data is very likely to reveal key material. Well-made libraries for use as Local Encryption Services go to great efforts to protect keys even in memory.

Key-encryption keys are used to encrypt the key while it is in memory, and then the encrypted key is split into several parts and spread throughout the memory space. Decoy structures might be created that look like valid key material. Memory holding the key is quickly zeroed as soon as the cryptographic operation is finished. These techniques reduce the risk of memory attacks. Separate encryption can also be used for different data. These encryption keys can be automatically rotated based on the sensitivity of the protected data. Dedicated Encryption Services are also vulnerable to memory attacks. However, a well-made Dedicated Encryption Service runs only the minimal number of services.

Secure key backup

A weak link in the security of many networks is the backup process. Often, private keys and certificates are archived along with configuration data from the backend servers. The backup key file may be stored in clear text or protected only by an administrative password. This password is often chosen poorly and/or shared between operators. To take advantage of this weak protection mechanism, hackers can simply launch a dictionary attack (a series of educated guesses based on dictionary words) to obtain private keys and associated certificates. Private keys should never be exported from the product in clear text. The backup file should be password protected and then encrypted using an internal key.

When private keys are backed up from the solution platform, they should be encrypted twice, once using an administrative backup key and a second time with the internal Repository key. This type of key management makes it impossible for attackers to launch dictionary attacks and other password-guessing techniques aimed at exposing an administrative password and unlocking the backup file. Your private keys can never be exported in clear text and cannot be released without cracking several layers of triple-DES encryption, ensuring secure preservation of key data in all backup and storage activities.
An optional hardware security module when FIPS 140-2 Level 3 is required

Best practice - taking into account the response time, added overhead and path length that always occur when invoking a remote hardware routine (network-attached encryption) - is to use the HSM for optional key management operations. This is the only general solution that proves to be scalable in an enterprise environment. The solution includes an optional, tamper-resistant hardware security module (HSM), including HSMs certified to FIPS 140-2 Level 3, the widely accepted standard of government-specified best practices for network security. Private keys are generated and stored in encrypted form within an HSM. Keys stored in the HSM are protected from physical attacks and cannot be compromised even by stealing the HSM itself. Any attempt to tamper with or probe the card will result in the immediate destruction of all private key data, making it virtually impossible for either external or internal hackers to access this vital information. If we compare the response time for a query on unencrypted data with the response time for the same query over the same data (some or all of it encrypted), response time over encrypted data will increase due to the cost of decryption as well as the additional overhead and path length that always occur with remote hardware routine invocations (network-attached encryption). On z/OS there are ways to avoid this by
using the native z/OS silicon implementation of encryption algorithms.

Centralized control of all key management operations

The Key Manager solution provides centralized administration of all key management operations across applications and data stores that employ encryption, to help simplify the deployment and ongoing administration of the overall encryption solution. Key life-cycle management includes policy-based key generation, retrieval, automated expiration, distributed and local caching, central archival and restoration, as well as audit logging.

It also includes robust fail-over and availability features to help ensure maximum uptime for critical applications that require access to keys. The solution uses standard database technologies combined with strong security protections. And it eases implementation by presenting simple programming interfaces for developers, eliminating the need to understand keys or their management. This reduces development time as well as implementation risks.

A secure mechanism for key rotation

Data privacy solutions should also include an automated and secure mechanism for key rotation, replication, and backup. One easy solution is to store the keys in a restricted database table or file. But all administrators with privileged access could then also access these keys, decrypt any data within your system and then mask their intrusion/attack.

Database security in such a situation is based not on industry best practice, but on an employee honor code. If your human resources department locks employee records in file cabinets where one person is ultimately responsible for the keys, shouldn’t similar precautions be taken to protect this same information in its electronic format? All fields in a database, and different encryption keys, do not need the same level of security.

With both a tamper-proof hardware device and a software-implemented device, encryption is provided by different encryption processes, each utilizing at least one process key in each of the categories master keys, key-encryption keys, and data-encryption keys, the process keys of the different categories being held in the encryption devices. The encryption processes are of at least two different security levels, where a process of a higher security level utilizes the tamper-proof hardware device to a higher degree than a process of a lower security level. Each data element which is to be protected is assigned an attribute indicating the level of encryption needed, the encryption level corresponding to an encryption process of a certain security level.

With such a system it becomes possible to combine the benefits of hardware- and software-based encryption. The software-implemented device could be any data processing and storage device, such as a personal computer.

The tamper-proof hardware device provides strong encryption without exposing any of the keys outside the device, but lacks the performance needed in some applications.

On the other hand, the software-implemented device provides higher performance in executing the encryption for short blocks, in most implementations, but exposes the keys, resulting in a lower level of security.

Support for PCI credit card key management requirements

The solution supports PCI key management requirements and helps companies meet these guidelines. A robust, open architecture leverages proven cryptographic toolkits and is built using industry-standard security practices and protocols. The product also integrates with other security technologies, including authentication. Many companies facing the PCI compliance issue are wondering how they can enforce the PCI regulations without significantly increasing staff and IT costs.

With the potential result of non-compliance being severe damage to the financial health and the brand reputation of an enterprise, organizations want to protect themselves to the fullest while minimizing necessary costs.
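The key hierarchy (every key in the vault encrypted under a protected master key), the double-encrypted key backup and the master-key rotation described in the Key Manager, Secure key backup and key-rotation sections above, as one added Go example that is not the Key Manager product's code: data-encryption keys exist only wrapped under the master key, with their key ID bound as authenticated associated data; rotating the master re-wraps the DEKs without touching any stored data; and an exported backup is sealed first under an administrative backup key and then under a repository key, so neither key alone opens it. AES-GCM stands in for the nested Triple-DES layers the text mentions, and the key IDs, key values and in-memory map are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// gcm builds AES-GCM for a 16-, 24- or 32-byte key; a wrong size is a programming error here.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return g
}

// seal encrypts under key with a fresh random nonce; aad (a key ID here) is authenticated
// but not encrypted, so a wrapped key cannot be replayed under another ID.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err) // a failing OS CSPRNG is not recoverable in-process
	}
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key, wrong aad or modified blob fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// KeyVault holds the master key (in a product it would live in an HSM) and keeps every
// data-encryption key (DEK) only in wrapped form: the key hierarchy the text describes.
type KeyVault struct {
	master  []byte
	wrapped map[string][]byte // key ID -> DEK sealed under the master key
}

func NewKeyVault(master []byte) *KeyVault {
	return &KeyVault{master: master, wrapped: map[string][]byte{}}
}

// GenerateDEK creates a random 256-bit DEK and stores it wrapped, with its ID as AAD.
func (v *KeyVault) GenerateDEK(id string) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		panic(err)
	}
	v.wrapped[id] = seal(v.master, dek, []byte(id))
}

// DataKey unwraps a DEK for immediate use by an application (protect records with seal,
// read them with open); the vault itself never stores a DEK in the clear.
func (v *KeyVault) DataKey(id string) ([]byte, error) {
	w, ok := v.wrapped[id]
	if !ok {
		return nil, errors.New("unknown key id: " + id)
	}
	return open(v.master, w, []byte(id))
}

// RotateMaster re-wraps every DEK under a new master key; stored data is not touched.
func (v *KeyVault) RotateMaster(newMaster []byte) error {
	rewrapped := make(map[string][]byte, len(v.wrapped))
	for id := range v.wrapped {
		k, err := v.DataKey(id)
		if err != nil {
			return err
		}
		rewrapped[id] = seal(newMaster, k, []byte(id))
	}
	v.master, v.wrapped = newMaster, rewrapped
	return nil
}

// ExportBackup releases a DEK only double-encrypted: under the administrative backup key,
// then under the internal repository key, so neither key alone opens it (peel with open twice).
func (v *KeyVault) ExportBackup(id string, backupKey, repositoryKey []byte) ([]byte, error) {
	k, err := v.DataKey(id)
	if err != nil {
		return nil, err
	}
	return seal(repositoryKey, seal(backupKey, k, []byte(id)), []byte(id)), nil
}
```

Restoring a backup is `open` with the repository key followed by `open` with the backup key, each with the same key ID as associated data; a file decrypted with only one of the two keys is still ciphertext, which is what removes the single administrative password as the point of attack the text describes.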
After an initial PCI compliance audit is completed, there are a host of initiatives organizations should consider in order to stay in front of emerging security threats and evolving compliance mandates.

This session offers an overview of the PCI mandate, including which organizations are affected, which specific rules pertain to encryption, and an overview of encryption solutions that help address these mandates. Also included is a case study outlining a sample deployment, and a set of best practices that ensure not only a successful PCI audit, but a sustained improvement in the security of sensitive data that can help mitigate the threats of data theft and its costly aftermath.

Conclusion

This paper presents experience from many years of research and practical use of cryptography for safeguarding information from the point of acquisition to the point of deletion. We use the key concepts of security dictionary and type-transparent cryptography, and propose solutions on how to transparently store and search encrypted database fields. We showed that the hybrid database encryption solution is the most successful offering for most application environments.

This paper presented a design principle that helps guide placement of functions for encryption and security enforcement among the modules of a distributed computer system. The principle suggests an enterprise approach to data protection. Whether you decide to implement encryption inside or outside the data store, we recommend that encrypted information should be stored separately from encryption keys, strong authentication should be used to identify users before they decrypt sensitive information, access to keys should be monitored, audited and logged, and sensitive data should be encrypted end-to-end, while in transit in the application and while in storage in enterprise data stores.

We present this solution as an example of a system that complies with these requirements, and provides a cost-effective implementation. Sensitive data is never in an unencrypted state at rest on any of the systems, including temporary files and tables.
Ulf T. Mattsson is the CTO of Protegrity. Ulf created the initial architecture of Protegrity’s database security
technology, for which the company owns several key patents.
His extensive IT and security industry experience includes 20 years with IBM as a manager of software devel-
opment and a consulting resource to IBM's Research and Development organization, in the areas of IT Archi-
tecture and IT Security. Ulf holds a degree in electrical engineering from Polhem University, a degree in Fi-
nance from University of Stockholm and a master's degree in physics from Chalmers University of Technology