Carnegie-Mellon University is making available a free add-on for Firefox 3.0 that’s intended to increase browser security.

The Firefox add-on was developed at the university’s School of Computer Science and College of Engineering and is available for free download. The Perspectives software not only protects Firefox users against attacks that might occur because of the recently disclosed software flawin the DNS, but it also defends against some digital certificate problems.

The extension provides two primary benefits:

1. If you connect to a website with an untrusted (e.g.,self-signed certificate)*, Firefox will give you a very nasty security error and force you to manually install an exception. Perspectives can detect whether a self-signed certificate is valid, and automatically overrides the annoying security error page if it is safe to do so.
2. It is possible that an attacker may trick one of the many Certificate Authorities trusted by Firefox into incorrectly issuing a certificate for a trusted website. Perspectives can also detect this attack and will warn you if things look suspicious.

* The same is true for HTTPS sites with certificates that contain mismatched domain names (e.g., www.gmail.com uses a certificate for mail.google.com) or certificates that are expired.

Because of the API used, the code only works in Firefox 3.x, not Firefox 2.x.

How it works, from the CMU web page:

“Perspectives is a new approach to help clients securely identify Internet servers in order to avoid “man-in-the-middle” attacks. Perspectives is simple and cheap compared to existing approaches because it automatically builds a robust database of network identities using lightweight network probing by “network notaries” located in multiple vantage points across the Internet.”

Original Source: networkworld.com

I setup a SuSE Enterprise Linux (SLES) 10 SP2 web server last week, and wanted to do some basic hardening of the default Apache configuration.  Here’s what I did.

1. edit /etc/apache2/httpd.conf
2. Add RewriteEngine On
3. Add RewriteLogLevel 2
4. Add RewriteLog /var/log/apache2/rewrite.log
5. Add ServerSignature Off
   The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents
6. Add ServerTokens Prod
   This directive controls whether Server response header field which is sent back to clients includes a description of the generic OS-type of the server as well as information about compiled-in modules
7. Add ErrorDocument 500 “Internal server error” to return a generic error message when http 500 error occurs
8. Add ErrorDocument 404 “An unknown error occurred, please try again later”  (http 404 = not found)
9. Add ErrorDocument 403 “An unknown error occurred, please try again later”    (http 403 = forbidden)
10. Save – exit httpd.conf
11. touch /var/log/apache2/rewrite.log to create the rewrite.log file
12. touch /srv/www/htdocs/.htaccess to create the .htaccess file
13. Edit the /srv/www/htdocs/.htaccess file
14. Add Options +FollowSymLinks –MultiViews
    Note: FollowSymLinks must be set to + for rewrite to work!
15. Add rewrite rules appropriate for your environment.  I’m using some rules that can be found in the Pauldotcom Security Weekly episode #94 show notes, which were based on a post by nullbyte.
16. Save – exit .htaccess
17. YaST – Network Services – HTTP Server
18. Server Modules tab – rewrite – toggle status to enabled – finish
19. From a terminal run: SuSEconfig
20. From a terminal run: /etc/init.d/apache2 restart
21. With a web browser, try to access a page on the server that does not exist, ie  http://server/nothere.html
22. View the  /var/log/apache2/rewrite.log 
    You should see the attempt logged

Tripwire has a free, Windows based security assessment tool called ConfigCheck for VMware ESX hosts.  It rapidly assesses the security of VMware ESX hypervisor configurations compared to the VMware Infrastructure 3 Security Hardening guidelines. According to the VMware website:

Tripwire ConfigCheck^TMis a free utility you can use to rapidly assess the security of your VMware ESX host configurations, according to the VMware security hardening guidelines. Co-developed by VMware and Tripwire, ConfigCheck provides an immediate assessment of the server configuration to ensure VMware Infrastructure environments are properly configured.

Tripwire ConfigCheck is simple & easy to use. To properly install & start-up the utility, follow these steps or read the blog posting:

To install and run ConfigCheck:

1. Download the file configcheck.zip to a Windows machine that has Java Runtime Environment (JRE) version 1.5, or higher.
2. Unzip the configcheck.zip file
3. Double click on the file configcheck.cmd
4. Accept the license agreement
5. Enter the ESX host and user credentials
6. Click the “Check Configuration” button

Once the check is complete you can click the test results to view remediation steps and view the Tripwire ConfigCheck Remediation Guide.  You can also listen to the Tripwire Podcast Operationalizing VMware ESX Best Practices – Introducing Tripwire ConfigCheck.

Earlier I discussed the multivendor DNS flaw and linked to Dan’s web page that contains a tool you can run to see if your DNS servers are vulnerable to cache poisioning.

Jose has developed a basic open source tool called CacheAudit that can be used to determine if the cache on your DNS server has been poisoned.  He describes the tool’s operation as:

“The overall concept was to take periodic dumps of the in-memory cache from the recursive server, validate these dumps against the authoritative name servers, and peer recursive name servers, alerting when something could not be validated.”

You can also view his presentation on Recursive DNS cache auditing.

By now, everyone on the Internet is aware of the fundamental flaw in DNS that all major vendors released security patches for this week.  Dan Kaminsky, the security researcher who discovered the cache poisoning bug, has developed a test for this flaw that you can find at his web site. 

Many people have downplayed this flaw, saying it’s not as serious as some speculate, since only recursive DNS servers are at risk.  Maybe that’s true, but who uses these DNS servers?  All DNS clients, from workstations to servers to routers.  And if the DNS servers have their caches poisoned, they can redirect these unsuspecting clients to potentially malicious web sites.

Dan, who is an expert in all things DNS, has this advice for network administrators:

“If it recurses, patch it.  I don’t care if it’s firewalled.  Patch it, or kill it.”

Dan has purposely not released details on the DNS vulnerability so that users will hopefully have time to patch their systems prior to exploits being developed.  Dan is scheduled to reveal all the details at Blackhat on August 7th, so stay tuned.  For more details, see the CERT vulnerability notes for VU#800113.  Dan was also interviewed by Rich at the Network Security Podcast, where he goes into more detail on the issues.

Also note that the ISC has put out a temporary patch for BIND 8, but because of legacy issues, they are suggesting BIND 8 be retired.  The ISC has some nice documentation on the BIND 8 to BIND 9 migration process.

Sun has disclosed multiple security vulnerabilities within their Java product, which are summarized here.  The categories of vulnerabilities include:

1) Security Bypass
2) Exposure of system information
3) Exposure of sensitive information
4) DoS
5) System access

The following Sun products are affected:

Java Web Start 1.x
Java Web Start 5.x
Java Web Start 6.x
Sun Java JDK 1.5.x
Sun Java JDK 1.6.x
Sun Java JRE 1.3.x
Sun Java JRE 1.4.x
Sun Java JRE 1.5.x / 5.x
Sun Java JRE 1.6.x / 6.x
Sun Java SDK 1.3.x
Sun Java SDK 1.4.x

The recommendation is to update your software immediately to a patched version:

JDK and JRE 6 Update 7:
http://java.sun.com/javase/downloads/index.jsp

JDK and JRE 5.0 Update 16:
http://java.sun.com/javase/downloads/index_jdk5.jsp

SDK and JRE 1.4.2_18:
http://java.sun.com/j2se/1.4.2/download.html

SDK and JRE 1.3.1_23 (for customers with Solaris 8 and Vintage Support Offering support contracts):
http://java.sun.com/j2se/1.3/download.html

If you are responsible for the web server or web application security, go read Microsoft Security Advisory 954462, Rise in SQL Injection Attacks Exploiting Unverified User Data Input immediately.  It contains important information on detecting and mitigating SQL injection vulnerabilities.

This advisory is not specific to only Microsoft products like the IIS web server and SQL database.  Other web servers and database programs are also vulnerable to these attacks.

You may also want to check out the Top 15 free SQL Injection Scanners and check your own web sites for vulnerabilities.

Cert has a document that show some specific steps you can take to secure your Internet web browser.  Detailed instructions, including screen shots are provided, along with explanations of what you are configuring and what the potential ramifications are.

The document focuses on IE, Firefox, and Safari and includes supplemental reference links to additional content.  They also include links to configuring similar options for Opera, Mozilla SeaMonkey, Konqueror, and Netscape.

Found via ts/sci security blog.

I will  be the first to admit that I am primarily a Windows and Linux user.  Not that I don’t like Macs, but the majority of my client base is single platform on the desktop (Windows) and either Windows or Linux servers. 

My lack of exposure to Macs, and subsequent lack of OS X-specific security understanding was made apparent to me this past week when I met with a large new educational client that was previously 95% Mac on the desktop.  Now they are down to about 50-50 Mac/PCs with a new mandate to become single platform, meaning converting from OS X to strictly Windows on the desktop.

I’m going to be making recommendations that will help this migration process, but in the meantime I have to make an assessment of their existing network and computing infrastructure, including down to the desktop level.  One of the assessment items includes workstation security, and like I said before, this is a major hole in my IT skillset, so I’m taking a crash course in OS X security this week.

I wanted to find a few online resources to prep with before I jumped head on into this project.  I know no one can become a security guru in a week, but everyone has to start somewhere.  I’m hoping my Linux security background will make digesting the OS X security information easier, but that is to be seen.

Here’s some of the resources I’ve found online that others may find usefull:

• Securing Leopard by Sebastien at secure thoughts
• Securing Leopard Quick Checklist by Sebastien at secure thoughts
• Securing Mac OS X (Tiger) by Stephen at Corsaire
• Apple Mac OS X v10.3.x “Panther” Security Configuration Guide by the NSA
• Keeping your Mac locked down: a Mac OS X security primer by Erik at Arstechnica.com
• Mac OS X Security Configuration Guide (Tiger) by Apple
• Mac OS X Server Security Configuration Guide (Tiger) by Apple
• Client Security Configuration Guide (Panther) by Apple
• Server Security Configuration Guide (Panther) by Apple
• Common Criteria Configuration and Administration Guide Setting up and administrating the Common Criteria configuration using Mac OS X or Mac OS X Server by Apple

I’ve also ordered Foundations of Mac OS X Leopard Security by Charles Stephen Edge Jr.

I was performing a little security audit today, and used PWdump to dump the contents of the SAM file from a Windows 2000 Domain Controller.

I took the results from PWdump and imported them into LMcrack.  It took 47.11 seconds to enumerate 617 of the 2272 account passwords.

Next I ran Richard Mueller’s DocumentGroups.vbs script which dumped the group membership of all the domain’s Active Directory accounts to a file.

Now I had a list of user and their passwords, plus a list of user account group memberships.  Are you suprised that three users with Domain Admin membership were on the cracked.dic list? 

I bet the entire process, from PWdump to LMcrack to DocumentGroups.vbs took all of ten minutes.   The local network admin was not happy with the strength of his user’s passwords.  Maybe now he’ll start enforcing stronger passwords.