You are on page 1of 99

It’s been a busy year so far.

We’ve attended the RSA Conference 2007 in San Francisco and met with
some very interesting people from the security industry. A roundup of product and service releases is
presented in this issue.

As you’ve been requesting, this issue delivers more interviews. There are articles for all levels of
knowledge and with Vista being out, we cover its security improvements.

We’re attending the Black Hat Briefings & Training in Amsterdam in March. If you’re attending, be sure to
drop me an e-mail and we’ll grab a drink.

Mirko Zorz
Chief Editor

Visit the magazine website at

(IN)SECURE Magazine contacts

Feedback and contributions: Mirko Zorz, Chief Editor -

Marketing: Berislav Kucan, Director of Marketing -


(IN)SECURE Magazine can be freely distributed in the form of the original, non modified PDF document.
Distribution of modified versions of (IN)SECURE Magazine content is prohibited without the explicit
permission from the editor. For reprinting information please send an email to
or send a fax to 1-866-420-2598.

Copyright HNS Consulting Ltd. 2007.
F-Secure Messaging Security Gateway goes virtual to tackle spam

F-Secure announced the availability of its next-generation messaging security

solutions, F-Secure Messaging Security Gateway appliance which blocks spam
and viruses already at the gateway level. Version 4 comes with improved us-
ability, mail queue management and support for more complex email infrastruc-
tures. While the Messaging Security Gateway is available in three different
physical hardware configurations, it’s now also available utilizing VMware’s vir-
tualization platform. All four versions feature the same anti-spam, anti-virus and
anti-phishing features as well as an optional zero-hour protection against fast-
spreading email viruses. (

Anti-data-leakage protection with Content Inspection Appliance 1500

Code Green Networks announced the release of its

Content Inspection Appliance 1500 (CI-1500) for small
and mid-sized organizations in business and govern-
ment. The affordable, appliance-based solution
enables IT and security managers to easily monitor
content flows, discover data leaks, and implement
automated policies to prevent them. Using patent- pending technology and residing at a com-
pany’s Internet gateway, the Content Inspection Appliance 1500 monitors content flows on the
corporate network and automatically enforces content protection policies. If it detects the unau-
thorized transmission of sensitive information, it invokes a management- defined policy to log,
alert, block, or re-route the transmission. ( 4
Bluefire Mobile Security Enterprise Edition released

Bluefire announced the release of the Bluefire Mobile Security Enterprise

Edition version 4.0. The product was designed with full support for Microsoft’s
Windows Mobile 5.0 Smartphone OS devices. Version 4.0 allows IT adminis-
trators the flexibility to customize the software to fit their specific needs. The
product is now even more customized to meet the needs of large organiza-
tions with the addition of two new features – Secure key recovery for data
residing on SD cards and the support for remote SQL instances assists large
organizations in leveraging their existing data centers.

Core Security Technologies releases CORE IMPACT 6.2

Core Security Technologies announced CORE IMPACT 6.2, which

includes enhancements that enable organizations to more effec-
tively test their security defenses against increasingly prevalent
client-side attacks that rely on social engineering, such as spear
phishing and e-mails with malicious content. The new version also
features enhanced encryption and authentication capabilities to
help testers more easily meet secure communication requirements
during penetration tests, as well as expanded target platform sup-
port for testing networks with AIX systems. (

New format of 3M Confirm products with Floating Image Technology

3M announced the launch of a new format of the 3M Confirm authentica-

tion products with floating image technology that helps to protect against
counterfeiting and tampering. This new format offers multi-layered overt
and covert security features, and allows for the incorporation of additional
security and tracking features into the same label. Confirm authentication
products with floating image technology from 3M feature an optically vari-
able device (OVD) – a unique, overt security feature. The OVD image appears to “float” above or
“sink” below the surface of the label and then disappear as the viewing angle changes, which en-
hances the brand with a visually attractive “wow” factor. Dramatic movement of the image is easy
to detect and recognize using only the human eye, enabling quick and easy authentication that
helps to prove the label and product are genuine. (

The first managed authentication service for Mac OS X

CRYPTOCard announced the launch of CRYPTO-MAS, the first Man-
aged Authentication Service to fully support Apple’s Mac OS X. Devel-
oped for small- and medium-sized businesses that either do not want the
headache of managing their own authentication solution, or do not have
the resources to install and administer two-factor authentication,
CRYPTO-MAS makes it simple to eliminate unauthorized network access
by protecting employees against shoulder surfing, social engineering, and
other forms of password theft. ( 5
Tenable Network Security releases passive Vulnerability Scanner 3.0

Tenable Network Security released version 3 of its Passive Vulnerability

Scanner. Major enhancements include near real-time access to network
vulnerability data and alerts as well as the availability of Tenable Policy
Libraries which can monitor data streams and identify systems accessing
pornographic or social networking sites, and inspect plain text email or IM
traffic for credit card or social security information. In addition to the new
capabilities available in the 3.0 release, Tenable’s Passive Vulnerability
Scanner continues to provide network discovery and intelligence by identify-
ing and observing systems that are active on the network. (

Certicom launches Suite B Web security power bundle

Certicom released the Suite B Web Security Power Bundle to make

it easy for IT managers to attain Suite B and FIPS compliance with
security modules for web browsers, servers, and key communication
protocols. As part of the U.S. government’s crypto modernization
program, the National Security Agency recommended that communication devices and services
use a specific set of cryptographic algorithms, known as Suite B, to protect classified and unclas-
sified communications. The private sector is also beginning to implement the Suite B algorithms in
products and services as Suite B has redefined what is considered industry best practice for cryp-
tographic implementations. Certicom’s family of Suite B products and services is the industry’s
most comprehensive set of cryptographic modules, including proven and optimized implementa-
tions for all of the Suite B requirements. (

Sophos releases WS1000 web control platform

Sophos launched the WS1000, the industry’s first web control platform
designed to provide trusted content security, application control and
URL filtering in a single appliance. The WS1000 appliance ensures a
secure web browsing experience as it protects against all forms of
malware and productivity threats, all with no negative effect on user experience. It is designed for
organizations which require a complete platform-based solution from a trusted vendor that ad-
dresses all security needs including web-specific content security, application control and URL
filtering. Sophos’s WS1000 protection is powered by intelligence gathered from scanning billions
of web pages, identifying more than 5,000 new malware-hosting URLs daily. (

Pointsec releases Pointsec Device Protector

Pointsec Mobile Technologies released the Pointsec Device Protector
solution which extends its enterprise data protection to include com-
plete port and storage device management, effectively preventing
sensitive information from falling into the wrong hands. Pointsec De-
vice Protector effectively prevents or limits data transfers to these de-
vices through a configurable security policy and content filtering to ensure that corporate IT infra-
structure cannot be used for illegal distribution of copyrighted content or installation of malicious
software. ( 6
Microsoft said the number one point of interest with the development of Win-
dows Vista happened to be security. Windows Vista offers remarkable new
and rich features in comparison with Windows XP. However, we all have to
deal with the new security features Windows Vista introduced. It leaves no
doubt: Windows Vista will have a tremendous impact on business. So is it
really true? Are the new security features and the road ahead of us really that
impressive as Microsoft claims to be? Let's take a look.

It took a lot of time for Vista to see daylight. release concentrates most on items related to
The first announcements almost came at the security. It is major release of Windows, one
same time as Microsoft released Windows XP that would have impact on future releases and
back in 2001. Microsoft revealed its plans for functionality of OS’s such as Windows Vista.
a new OS that would be far more revolution-
ary than ever before. The codename was Longhorn contained at first many important
“Longhorn” and it would be released some- new developments like the Aero (Authentic,
where in 2003. At least that was the overall Energetic, Reflective and Open) interface
plan. In the end of that year there happened changes, the WinFS storage framework, Ava-
to be a major vulnerability in Windows XP that lon, Indigo (that concentrates on communica-
made way for the "Trustworthy Computing ini- tion and collaboration), and most important:
tiative". One of the results of that step is the Palladium, a framework for security.
introduction of Windows XP Service Pack 2
(SP2) which is a step towards a more strict Along the way it turned out to be a hard job
structure and measures taken by Microsoft to for Microsoft and several of too rigorous
make the OS more secure by nature. changes ended up in the trash like WinFS.
After several delays finally Microsoft came up
In the end of 2003 Microsoft finally came up with the long expected follow up of Windows
with the first beta of Windows XP SP2. This XP. 7
And then there is…. Windows Vista as an outcome. The result of this all is a desk-
top that is much harder to manage (tighten up
In the summer of 2005 the name finally the workstation to implement the security pol-
changes from codename “Longhorn” to Win- icy of your organization) and likely more sup-
dows Vista. Windows Vista comes in different port costs for your organization.
flavours. There are currently five versions:
Vista Home Basic, Home Premium, Business, User Account Control (UAC) is introduced
Enterprise Edition and Ultimate. For a com- with Windows Vista and offers increased se-
parison of features I recommend the reader to curity over previous versions of Windows be-
visit the Microsoft website. cause it is intended to prevent unauthorized
changes made by the end-user on the com-
After several delays and a complete strategy puter so that the system (system files) cannot
change the question states: what is left of the be altered. UAC is based upon the concept of
initial plans of Microsoft with the release of the so called “least-privilege”. In this principle,
Windows Vista? Well, let’s have a more in that sounds very familiar to security profes-
depth look at the security part of this all and sionals, an account is set up that has only the
see what this means for your business. minimum amount of privileges needed for that
end-user to perform the appropriate tasks.
Security at the beginning: startup This standard user within Windows Vista is
Windows Vista this least-privileged user. The fact is that UAC
relies upon two types of accounts: an admin-
Vista has Secure Startup which means that istrator account and a standard user account.
the entire hard drive can be encrypted prior to To be more exact in the definition of adminis-
boot, and the encryption key will be securely trator accounts: there are two different types
stored inside a Trusted Platform Module of administrator accounts that are defined for
(TPM) chip on the motherboard. Many of the Windows Vista.
methods used to circumvent permissions in
the past by, for instance, using NTFS for DOS First the powerful Administrator account, and
or just install a fresh copy besides the already second all the accounts that are part of the
installed OS will no longer work in simply Administrators group. The powerful adminis-
reading data from the NTFS partition. I’ll dis- trator account can perform all tasks on the
cuss this topic in the BitLocker part later on in system and it will not be prompted or con-
this article. fronted with dialog boxes. Surprisingly enough
the second type of administrator accounts
And there is Address Space Layout Random- (those members of the Administrators group)
izer or ASLR. ASLR makes it possible that the are running almost as standard users. Almost,
system files load at random memory offsets, because these users have the possibility to
every time the system boots up. This will elevate their privileges by simply click a but-
make it far more difficult to attack a system ton in a dialog box when prompted. The types
because attackers can't rely on files being in of authentication dialogs you'll see, however,
the same location every time. In earlier Win- will differ depending on which type of user ac-
dows versions system files always loaded to count is currently being used. A standard user
the same offset memory location account that is not part of an Administrators
group will not simply elevate privileges, the
Vista’s User Account Control user then must provide the appropriate cre-
dentials. Under UAC, the defined standard
Don’t we all like to have the administrator user can perfectly perform most daily tasks,
rights on our workstation? It’s simple and such as using business applications, browsing
gives us the biggest freedom. Windows users internet and type a letter in a word-processor.
are used to work with administrative privileges However, when there is the need to change
in both the enterprise organization and at settings that require administrator privileges,
home. This freedom does have a big down- like installing new software or change a sensi-
side: more helpdesk calls being made be- tive setting, this user will be confronted with a
cause of accidentally or deliberately made dialog box, asking this person to give the ap-
modifications of the OS with a variety of errors propriate credentials (in other words: type in 8
Different UAC policies

the account and password with sufficient the required credentials. Behaviour can be set
rights). In most instances, it will be perfectly by a policy “UAC: behaviour of the elevation
clear that a prompt will appear, because the prompt”.
setting will have an icon in the form of a shield
next to it. This indicates higher privileges are Running applications with UAC: virtualiza-
necessary. tion

Low profile administrators Although it will be certain that there are ex-
ceptions, most applications will run under
As already known by many of us: a common UAC using the administrator account or a
practice is to work with normal credentials on standard user account. Many applications will
the Windows platform. Even as an administra- not run on Windows XP without administrative
tor. When there is a need for more privileges privileges today because they attempt to
an administrator can use "run as…" and ele- make changes to locations that the user can-
vate the standard user privileges to true ad- not or may not access, such as C:\Program
ministrator rights. Files, C:\Windows, or HKEY_LOCAL_MA-
In Windows Vista you should run as a stan-
dard user rather than as an administrator, be- Windows Vista works with registry and file vir-
cause unauthorized changes can be more tualization to redirect attempts to write in one
easily made when you run as an administra- of the “forbidden” locations and in this way
tor. The great thing is: when an administrator converting per-machine file and registry en-
needs to use their administrator privileges, tries to per-user locations if the user lacks the
they don't have to use Run As because Win- administrative privileges.
dows Vista can automatically prompt them for 9
The shield indicating to elevate privileges.

This enables standard accounts to run appli- and as professionals we have to deal with this
cations that still need to write to areas of the phenomenon in the right way. For exceptions
registry or file system that only administrators an administrator can allow a standard user to
can access. The disadvantage is that this set- run certain applications without being con-
ting are not available to other users on that fronted with a dialog box asking them to give
machine, it’s stored in the users profile (not the appropriate credentials.
part of the roaming profile!).
This way the administrator can "elevate" the
Keep in mind that Microsoft gives us the life- privileges of the specific application and have
cycle time of Vista to work on our bad applica- it always run with those privileges. An admin-
tion behavior and that in the next OS this istrator can accomplish this by right-clicks the
downward compatibility feature would be dis- application, selects the Compatibility tab, and
appeared! So it is really important to think then select under Privilege Level: "Run this
about this fact and do something about mis- program as an administrator."
behaving or not so well written applications.
Roll out desktops with the standard user per-
Consequences of UAC and cost savings missions can result in cost savings because a
non-administrative user no longer has the
As mentioned before: running without admin- ability to accidentally or deliberately install an
istrative privileges can be really challenging application or otherwise affect system stability.
today since many applications expecting this This can decrease the helpdesk call being
in order to run correctly. In any way I recom- made.
mend not to disable UAC. UAC is here to stay 10
Run as... possibility

BitLocker BitLocker Drive Encryption provides full vol-

ume encryption of the system volume, includ-
Theft or loss of corporate intellectual property ing Windows system files and the hibernation
is an increasing problem and concern for or- file, which helps protect data from being com-
ganizations as I wrote in my article of Decem- promised on a lost or stolen machine.
ber 2006 of this magazine.
BitLocker provides three modes of operation:
Protection is particularly valuable with mobile
computers, which are more vulnerable to theft • Transparent operation mode
or loss. To provide a solution that is enterprise ready,
the Trusted Platform Module (TPM) 1.2 chip is
Windows Vista has improved support for data used and required to store the keys that en-
protection. You can find this support on the crypt and decrypt sectors on the hard drive.
document level by implementing Rights Man- This chip is present already on new mother-
agement client which allows organizations to boards today. The key used for the disk en-
enforce policies around document usage. At cryption is sealed (encrypted) by the TPM
the file-level by using Encrypting File System chip and will only be released to the OS
(EFS), this provides user-based file and direc- loader code if the boot files appear to be un-
tory encryption. EFS have the possibility to modified. TPM is in this case an implementa-
allow storage of encryption keys on smart tion of a so called Root-of-Trust. The pre-OS
cards, providing better protection of encryp- components of BitLocker achieve this by im-
tion keys. plementing a Static Root of Trust Measure-
ment. This is a methodology specified by the
And last but not least at the machine level by Trusted Computing Group (see also:
using the BitLocker Drive Encryption feature.
On a computer with the appropriate hardware, 11
Running a program with admin credentials

• User authentication mode BitLocker and encryption keys

This mode requires that the user provide
some authentication to the pre-boot environ- BitLocker full volume encryption seals the
ment in order to be able to load the OS. Two symmetric encryption key in a Trusted Plat-
authentication modes are supported: a pre- form Module (TPM) 1.2 chip. This is the so
boot PIN entered by the user or a USB device called Storage Root Key or SRK. It all works
inserted that contains the required startup key. with a chain of keys. The SRK encrypts the
FVEK or Full Volume Encryption Key. The
• USB-Key FVEK is then stored on the hard drive in the
The last possible mode is where the user OS volume.
must insert a USB device that contains a
startup key into the computer to be able to BitLocker stores blueprints of core operating
boot the protected OS. system files in the TPM chip. Every time the
computer is started, Windows Vista verifies
In this mode it is required that the BIOS on that the operating system files have not been
the protected computer support the reading of modified in an offline attack or that the hard
USB devices in the pre-OS phase. drive is tampered with. 12
The TPM chip

A scenario could be where an attacker boots tion is logical volume encryption. And as you
an alternative operating system in order to will know: volumes can be equal to an entire
gain control of the system. In case the files drive (or less than that) but also be spread out
have been modified, Windows Vista alerts the over more physical drives.
user and as a result TPM refuses to release
the key required to proceed with the boot- Manage BitLocker in the enterprise:
process and to decrypt the volume. What recovery mode
happens next is that Vista goes into recovery
mode thereby prompting the user to provide There can be situations where you do have to
an appropriate recovery key to allow access move a hard drive from one machine to an-
to the boot volume other. For example: the laptop display is dam-
aged and the support organization wants to
To get this all working you will need two NTFS hand out a spare machine to that affected
volumes: a “system volume” that is at least user.
1.5GB in size and a “boot volume” which con-
tains actually Vista itself. The system volume This can be a problem because TPM and the
is used to install BitLocker and is not en- hard drive are logically connected to each
crypted. If you meet the requirements, you let other on that specific machine. Fact is: the
BitLocker do its work, which can take quite a encryption keys to decrypt the volume are
while on larger hard drives. Once this process stored in the TPM of that particular machine.
is finished the end user won’t be aware of it. How can this problem be solved?
Data is encrypted on-the-fly. The official Mi-
crosoft statement is that BitLocker in combi- In that case recovery mode can be used and
nation with Windows Vista can only encrypt requires a recovery key that is generated
the operating system volume. Using built-in when BitLocker is enabled. However: that key
command-line tools, BitLocker can be used to is specific to that one machine. So for every
encrypt more than just the boot volume, but single machine there will be a specific key. Oh
additional volumes cannot be encrypted using no, I hear you say: how to manage that? For
the GUI. However, I’ve seen an article about enterprise organizations you will need infra-
the command line interface of BitLocker structure to manage and store all the specific
where it is possible to affect other volumes. recovery keys - that store will be the Active
You can find this article by following this link- Directory.
If you do not manage this properly there is a
Microsoft announced that in Longhorn it will real potential for losing data if a computer fails
be possible to encrypt multiple volumes. Take and its drive is moved to another computer
notice about the fact that we are talking every and the recovery key at that time is unavail-
time about volumes. BitLocker Drive Encryp- able. 13
Accidents Windows Vista does have built-in authentica-
tion support for passwords but also the use of
In case a hard drive crashes it would be pos- smart cards. In fact the whole GINA of Win-
sible in theory that the FVEK or Full Volume dows is reviewed and developed from scratch
Encryption Key could be unavailable and at by Microsoft. Windows Vista makes it possi-
that time the volume can’t be decrypted. For ble for developers to more easily add their
this there is also a solution. When BitLocker own custom authentication methods to Win-
seals or encrypts a key it is stored on the disk dows, such as biometrics and tokens. It also
as a binary large object or “blob”. The “blob” is provides enhancements to the Kerberos
the cryptographic keyhole where the decryp- authentication protocol and smart card lo-
tion key will “fit in”. So it takes both the blob gons. By making it easier for developers of
and the key to start decryption. There are mul- such solutions, the security professional will
tiple “blobs” on the disk so if one is not avail- have more choices for biometric, smart cards,
able or damaged another one will be tracked and other possibilities of strong authentication
and used. Pretty nifty I think! to implement.

BitLocker and backdoors Services hardening within Vista

So a great mechanism but safe by any Windows Service Hardening is a feature that
means? And by any means, we really mean restricts critical Windows services from doing
“by ANY means”. This is a topic that is heavily abnormal activities in the file system, registry,
discussed. According to Microsoft, BitLocker network, or other resources that could be
does not have a backdoor built in. So in other used to allow malware to install itself or attack
words: there is no way (even for law enforce- other computers.
ment or secret service) to get around the pro-
tection mechanism in a predefined way so the In the past Windows services are causing a
protected data is unveiled. large amount of attacks on the Windows plat-
See also form. This is rather easy to explain - an
attacker can rely on Windows services be-
So BitLocker according to my opinion is a cause it is almost always present and it is
great mechanism, Microsoft did a great job predictable code and the privilege level of that
and thought about it in an enterprise way. code is know by many.
However, be wise and really thoroughly think
about the process of implementation. Man- Windows Vista limits the number of services
agement is the key word and it is really impor- that are running and operational by default.
tant to consider this matter several times prior Today, many system and third-party services
to roll out this solution. run in the Local System context, where any
breach could wreck the machine. This in-
Smartcard support or two-factor- cludes things like disk formatting, unauthor-
authentication ized access to data and unintended installa-
tion of software. Windows Service Hardening
We all know: working with passwords is a reduces this damage potential of a compro-
weak protection method in comparison with mised service by introducing new concepts. I
other alternatives. Brute force attacks, dic- will briefly discuss some highlights.
tionary attacks and so on, all weaknesses in
working with passwords. For many organiza- On a per-service basis security identifier
tions, single-factor authentication (the good (SID). This makes it possible to identify spe-
old user-id and password) is not sufficient cific services and implement access control
anymore. Multi-factor authentication is the by working with ACLs. Services can be tight-
way to go. Something you know (a pin code), ened up by applying explicit ACLs to re-
you are (fingerprint / biometrics) or carry sources which are private to the service,
something with you that you own like a token which prevents other services as well and the
or smart-card. It all refers to multi-factor user from accessing that specific resource.
authentication. Furthermore applying a write-restricted ac-
cess token to the service process. 14
This access token can be used in cases Services are assigned to a network firewall
where the set of objects written to by the serv- policy, which will prevent unwanted or unpre-
ice is bounded. Write attempts to resources dicted network access outside the normal
that then do not explicitly grant the Service bounds of the service. The firewall policy is
SID access will fail. linked directly to per-service SID. It this case
an attack platform from the local machine to
Microsoft moved services from Local System the network is more difficult to accomplish or
Context to a less privileged account such as even prevented. These restrictions are under
Local Service or Network Service. This re- the firewall settings and they can be found in
duces the overall privilege level of the service, the registry:
which can be compared to the already dis- HKEY_LOCAL_MACHINE\SYSTEM\ControlS
cussed User Account Control (UAC). And then et001\Services\SharedAccess\Parameters\Fir
the removal of un-necessary Windows privi- ewallPolicy\RestrictedServices\Static\System.
leges on a per-service basis. The firewall is discussed in the next section.


Layered approach there are even API’s available. The new TCP/
IP-stack supports IPv6 and a dual IP layer-
Security is in most cases a layered approach architecture. I advise those of you who are
and Service Hardening provides a part of this interested in more to visit
concept and is just an additional layer of pro-
tection for services based on the security The firewall in Vista supports rules for incom-
principle of defense-in-depth. However it can- ing traffic, simply dropping all unsolicited in-
not guarantee services from being compro- coming traffic that does not correspond to
mised. traffic sent in response to a request of the
computer (solicited traffic) or traffic that has
The defense-in-depth strategy will certainly been specified as allowed (excepted traffic in
make it much harder to get an easy attack a pre-defined firewall-rule). It seems a dull
platform, Windows firewall, UAC, patch man- topic but is really crucial as it helps prevent
agement practices and Integrity Levels will fill the infection of computers by network-level
in other important layers. viruses and worms that spread most of the
times through incoming traffic. So far so good
Windows Vista Firewall and nothing really new.

At first, the Windows Vista firewall looks very What really is new, is the fact (in comparison
similar like that of Windows XP. In fact, the with windows XP) that Vista Firewall supports
user interface in Windows Vista is nearly iden- filtering for outgoing traffic or application-
tical to that of Windows XP. But the real secret aware outbound filtering which gives full bi-
lies underneath the surface. Most advanced directional control over traffic.
setting can’t be reached via the standard GUI
which is more targeted towards home-end- Since a whole bunch of business applications
users by all respect. You can really ultimately may use different ports, Microsoft decided to
tune the firewall settings by using Group Pol- not enable outgoing filtering by default. The
icy or the firewall MMC snap-in. I’ll return on default behavior of the new Windows Firewall
that later. will then be:

Besides the firewall that has changed, in Win- • Block all incoming traffic unless it is solicited
dows Vista the whole TCP/IP stack has been or it matches a configured rule.
re-written / re-designed. The new architecture • Allow all outgoing traffic unless it matches a
Windows Filtering Platform (WFP) did in- configured rule.
crease the performance significantly and 15
Another possibility is that the Firewall in Win- to simplify management in enterprise organi-
dows Vista will allow administrators to block zations. For better configuring there is an in-
applications from contacting or responding to tegration between both IPSec and the firewall.
other computers in the network, like peer- It will be much easier to use, requiring less
networking. The Windows Vista firewall set- effort to configure.
tings are configurable by Group Policy objects

Standard Firewall interface for end-users

Manage the Firewall settings dows Firewall can also be configured with an
MMC snap-in named Windows Firewall with
Like in Windows XP there is a GUI for con- Advanced Security.
figuration of the Windows Firewall item in
Control Panel. This mainly is simplistic and for With the new Windows Firewall with Ad-
enterprise organizations not very useful. You vanced Security snap-in, administrators can
can configure basic settings for the new Win- configure settings for the new Windows Fire-
dows Firewall, but you cannot configure en- wall on remote computers, which is not possi-
hanced features. ble for the current Windows Firewall without a
remote desktop connection. In enterprise or-
For more in-depth features and setting there ganizations it is more likely that you will be
are at first a whole lot of Group Policy settings using the Group Policies to manage setting in
which can be reached by firing up the Group a more central way.
Policy editor snap-in. Second the new Win- 16
For command-line configuration of advanced the fact not to change these settings manu-
settings of the new Windows Firewall, you can ally):
use commands within the netsh advfirewall.
Firewall setting are stored in the registry on HKEY_LOCAL_MACHINE\SYSTEM\ControlS
the local machine and the settings can be et001\Services\SharedAccess\Defaults\Firew
found under the following key (I have to stress allPolicy\FirewallRules

Registry-based settings of the firewall

Firewall profiles tor in other to set this up and to connect the

The firewall of Windows Vista works with pro-
files: the Private Profile for working on a home Firewall and IPSec
network, the Public Profile for connecting to
public networks and, last, the Domain Profile As you will know: IPsec is a protocol standard
for computers that join a domain. The Network to provide cryptographic protection for IP traf-
Location Awareness Service (NLA) detects fic. In Windows XP and Windows Server
network changes and notifies the Firewall. 2003, Windows Firewall and IPsec are con-
The firewall then can change a profile within figured separately. However, both the Win-
200 ms. If a user is not present in a domain, dows firewall and IPsec in Windows can block
the user will be asked for the appropriate pro- or allow incoming traffic. In this case it would
file: public or private. be possible to create overlapping or conflict-
ing firewall rules and IPsec rules.
Unfortunately Vista has at this time no way of
differentiating between a public and private All these setting are now combined in the new
network, so it will actually ask users whether Windows Firewall and can be configured us-
they are attaching to a public or private net- ing the same GUI and command line com-
work at the time that the connection is estab- mands. Another benefit is the configuration of
lished. In future versions it will be possible to IPsec settings are highly simplified. Further-
define a profile or there will be other available more there is a less complicated way of policy
profiles. In the case you want to define a pri- configuration, improved support for load bal-
vate network you must be a local administra- ancing and clustering and the possibility to
use more cryptographic suites. 17
Different profiles Vista Firewall

Network Access Protection ing the latest security updates, has old virus
signatures, or otherwise fails to meet your
Users who travel with their computers or have computer policy. This can be used to protect
specific roles in organizations are sometimes your network from remote access clients as
unable to connect to the corporate network for well as LAN clients.
days or even weeks. And then after a while
when they do connect, their connections I personally think that there is a lot of work to
might be so short that their computers do not do to make this a more mature service. Mi-
have the ability to fully download the latest crosoft’s current implementation of NAP is
updates, get security configuration settings, overall not that user-friendly or very useful in
and virus signatures the organization wants most larger environments. Besides that, not
them to receive. all network equipment can’t be used, big ven-
dors like Cisco do work in cooperation with
The Network Access Protection mechanism Microsoft.
improves the security around this type of us-
ers and their computer by ensuring that when Vista’s Integrity Level mechanism
they do connect longer or are back at the of-
fice after some time, the computer is first Before going more in detail on Windows
checked against a certain baseline. When the Internet Explorer 7, I’ll have to discuss Integ-
computer doesn’t meet the criteria at first the rity control. Sounds this familiar? Right. Vista
latest updates are installed and then, after the includes a new feature "Windows Integrity
criteria are met, users can connect to the cor- Control." This means every object that is hav-
porate network. This concept is also known as ing some kind of permission can also have an
network quarantining. extra label that identifies its integrity level.

Windows Vista includes an agent that can A user (subject) will be working with files and
prevent a Windows Vista-based client from folders (objects) which can have integrity lev-
connecting to your private network if it is miss- els. 18
Integrity levels are assigned within Vista to • Low S-1-16-4096 (0x1000)
processes (subjects) and objects and an in- • Medium S-1-16-8192 (0x2000)
tegrity policy restricts access granted by the • High S-1-16-12288 (0x3000)
Discretionary Access Control (DAC) security • System S-1-16-16384 (0x4000)
model. We start to work with integrity levels
within windows! IE7 and integrity levels

In reality this can have the consequence that And here comes the trick: Internet Explorer 7
software with a low(er) integrity level can’t standard works in a low integrity level context.
make changes to software of processes with
a higher integrity level. The user however is working in a medium in-
tegrity level context. If you would download a
So how does this work? Integrity levels are piece of code or software from the internet
defined by Security IDs (common known as there is a rule that is saying: no-write-up. The
SIDs). The RID defines the actual integrity lower integrity level can’t access or misuse
level. The integrity levels themselves are the process running in a higher integrity level
sometimes called "Windows Integrity Levels" context (for example a process running in the
or "Mandatory Integrity Levels." Right now the context of the user).
following primary integrity levels exists:

Integrity level policies are associated with ge- As stated before: the default policy is “no-
neric access rights and default the following write-up”. Security tokens in every process
rules exists: can be assigned an integrity level and admin-
istrators can change those levels between
• No-Write-Up which means that a lower In- “untrusted” and “high”. Administrators can't set
tegrity Level process cannot modify a higher integrity levels higher than "high" because
Integrity Level object administrators itself run in the integrity context
• No-Read-Up which means that a lower In- of "high" and no one can ever elevate (even
tegrity Level process having generic read administrators can’t) an object's integrity level
possibilities higher than their own level. You can see a
• No-Execute-Up which means that a lower process’ integrity level by typing the com-
Integrity Level process generic execute ac- mand: Whoami /all. There are also tools in the
cess market like that of Mark Russinovich (Micro-
soft Sysinternals). For more information visit 19
In this article I didn’t discuss all security
I believe Windows Vista is a huge improve- changes. Things like code integrity and driver
ment over the Windows XP version concern- signing, Windows Defender (Forefront Secu-
ing security (and other rich features). The de- rity) and the more that 3000 Group Policy
velopment really made a good step forward items that currently provided to you for Win-
from a security perspective. Windows Vista dows Vista. Some things need improvement
certainly will have a major impact on your like the quarantine function and USB blocking
business and more than ever needs a solid feature. Microsoft supports USB blocking on
plan and think over before starting to migrate. the Vista client by group policies. In my opin-
Many features presented and there is so ion not the way an enterprise organization can
much that you will at first be overwhelmed by deal with this problem.
all the changes made in this new OS.
Reading this article will give you a glimpse of
There are some topics that will need special all the radically changes and strategic plans
attention like legacy applications that probably and ideas of Microsoft for the future. I hope I
won’t work “out of the box” on Vista. Most of made clear that it is not a reasonable as-
the times these application present “show- sumption that Microsoft didn’t do anything in
cases”. If there anything goes wrong with this the past years to make Vista more reliable,
or doesn’t work anymore, you like the idea of secure and stable then earlier versions of
a holiday. This can really be a big issue for Windows.
you and the business you’re supporting.

Rob P. Faber, CISSP, MCSE, is an infrastructure architect and senior engineer. He is currently working for an
insurance company in The Netherlands with 22.000 clients. His main working area is (Windows Platform)
Security, Active Directory and Identity Management. You can reach him at 20
In the past couple of years, we definitely saw an up trend of portable devices
usage. From handhelds, to music players, these devices offer a number of
top notch options, one of them being an effective device for storing data.
With all the good characteristics this way of backing up or transferring data
offers, we can also identify a security threat that can be derived from this

This is something similar to the trend of organizations banning mobile

phones from some portions of their facilities. Almost every new mobile
phone has a quality built-in camera, so confidential data can be easily
snatched and digitalized.

With other portable devices there is a very GFI EndpointSecurity is installed and man-
similar problem - technology is evolving and aged from a central location. It is actually
every new device is smaller and more power- constructed out of two parts. The first one is
ful. It has become very easy to bypass some GFI EndPointSecurity user console that of-
default system barriers and easily move po- fers the administrator means of configuring
tentially insecure pieces of software from the various policies and installing remote client
device to a specific computer, or vice versa, software on to the network computers. The
taking home some protected company data. client software, regarded as GFI EndPoint-
Security agent, is a client side service that is
Security products such as GFI's Endpoint acting upon the protection policies from the
Security help in this line of work and add an main computer. Depending on the configura-
extra layer of security to your organization tion it will either allow or deny the user
network environment. access to the specific resource. 21
List of controlled devices.

The software in question provides a list con- agents and they are now ready to enforce it.
taining a number of portable device types For instance: if you denied access to digital
and places them in the appropriate groups. cameras, as soon as the user tries to con-
nect it to her computer, the software will deny
Besides the general selection of media like the request and properly log all the possible
floppies, CD and DVD ROM discs, GFI End- information about the event.
point has the following categories: Storage
Devices (flash and memory cards, readers The whole process works upon a set of user
and set of multimedia players), PDA devices, groups that GFI EndPointSecurity installs by
Network adapters (Bluetooth, WLAN and in- default (there is also an advanced option of
frared), Modems (mobile phones and smart- setting custom groups):
phones), Digital cameras and a selection of
other devices ranging from ZIP to tape • GFI_ESEC_Device_ReadOnly and
drives. • GFI_ESEC_Device_FullAccess.

GFI EndPointSecurity's line of work is pretty These groups hold information on how the
straightforward. I will go into more details users' computers will react to configured
about all the parts of the whole process later, devices.
but the process is pretty simple - you define a
unique protection policy for a group of com- Bottom line, when the remote user plugs in a
puters. device, in our case a digital camera, the
agent identifies if the device is being moni-
During the configuration steps you specify tored and than checks the Active Directory or
the resources users of some groups or Local Users and Groups to verify if the user
domains can or cannot access. With a click is a member of the privileged group. The
of a button, that policy is updated to the client actions are directly connected with groups. 22
Listing of computers added to the Workgroups protection policy.

Users can be added to the group via the group users by computer types (i.e. note-
product's user console or Active Directory/ books and desktops), or it will be better to
Local Users management console. The struc- control them when they are described by
ture of the user console is quite spartan so it departments (marketing, tech support etc).
is a piece of cake to customize specific
devices for controlling purposes, as well as Besides being a mechanism of control, GFI's
adding users to the precise groups. product offers some versatile logging possi-
bilities. When an action is triggered, the
The most important part of the configuration agent logs to a local event log, as well as to
process is setting up the protection policies. the SQL Server if the administrator enabled
By default, GFI EndPointSecurity offers three this option. The SQL logs can be read and
policies: Servers, Workgroups and Laptops. exported in a number of ways, and the event
These are, of course, just samples and it is logs can be inspected with different tools, the
simple to rename them or create your own. easiest of course being the Event Viewer.

I would recommend customizing this listing to The logging is working just fine, even in the
the maximum, because when you start occasion when a client computer is a note-
grouping your computers in these policies book and it periodically gets disconnected
you will need to think about optimization. As from the network. All the device access pro-
every designated policy has its own set of tection procedures will still be active and all
rules, you need to plan on wether you will the events will be saved into a buffer. 23
Protection policy properties with default users.

As soon as the computer connects to its graphical IT-level, technical and management
"mother" network, the event data will be reports based on the portable devices usage
collected and stored. This is a nice touch, as events recorded by GFI EndPointSecurity. It
it makes the integrity of a centralized logging also enables administrators to pull together
place intact. “Top 20” reports that cover the 20 users,
machines, devices and applications which
I'll mention one more thing - in mid 2006, GFI peaked connection activity. This addition is
released a ReportPack add-on, a full-fledged free for all registered users of GFI EndPoint-
reporting companion to GFI EndPointSecu- Security.
rity. It allows administrators to generate

Default protection policies. 24
More than two years ago, GFI had seen a worked like a charm. As you can see from
need for security solution that would take this article, the software concept is pretty
care of portable devices. Released under straight forward and every decent Windows
their LanGuard product line, Portable Stor- administrator shouldn't have any problems in
age Control started with blocking unwanted deploying the solution.
USB connections. In the mean time, the
software was totally re-done and re-branded Bottom line is that the software proved to be
as GFI EndPointSecurity. fast, stable and quite efficient. If you need to
manage user access to the external devices
I tested this software in a couple of scenarios from the computers in your network, you
(mainly networks with Microsoft Windows XP should definitely check GFI Endpoint.
Professional SP1 and SP2 computers) and it

Tim Wilson is a long time system and network administrator and currently is employed by a Information Secu-
rity consultancy based in California. Besides enjoying his computer hours, Tim enjoys travelling with his family
and playing clarinet for a local jazz band. 25
Linux Administration Handbook, 2nd Edition
by Evi Nemeth, Garth Snyder, Trent R. Hein
Prentice Hall, ISBN: 0131480049

The first edition of the this title, released about five years ago was one of the
definitive resources for every Linux system. Now, the authors have
systematically updated this classic guide to address today’s most important
Linux distributions and most powerful new administrative tools. Here you can
find best practices for storage management, network design and
administration, web hosting, software configuration management,
performance analysis and much more. System administrators should
especially appreciate the up-to-date discussions of such difficult topics such
as DNS, LDAP, security, and the management of IT service organizations.

Design for Trustworthy Software: Tools, Techniques, and Methodology of

Developing Robust Software
by Bijay K. Jayaswal, Peter C. Patton.
Prentice Hall, ISBN: 0131872508

This book presents an integrated technology, Design for Trustworthy Software

(DFTS), to address software quality issues upstream such that the goal of
software quality becomes that of preventing bugs in implementation rather
than finding and eliminating them during and after implementation.

“Design for Trustworthy Software” can be used to impart organization-wide

learning including training for DFTS Black Belts and Master Black Belts. It
helps you gain rapid mastery, so you can deploy DFTS Technology quickly
and successfully. 26
Step into Xcode: Mac OS X Development
by Fritz Anderson
Addison Wesley Professional, ISBN: 0321334221

Xcode is a powerful development suite that Apple uses to build applications

ranging from Safari to iTunes. But because Xcode is complex and subtle,
even experienced Mac programmers rarely take full advantage of it. Mac
developer Fritz Anderson has written the definitive introduction and guide to
using Xcode to build applications with any Macintosh technology or

The book should help you master Xcode’s powerful text editor, industry-
standard gcc compiler, graphical interactive debugger, mature UI layout and
object linkage editor, and exceptional optimization tools. One step at a time,
you’ll develop a command-line utility, then use Xcode tools to evolve it into
a full-fledged Cocoa application.

Ubuntu Unleashed
by Andrew Hudson, Paul Hudson
Sams, ISBN: 0672329093

The book aims to provide the best and latest information that intermediate
to advanced Linux users need to know about installation, configuration,
system administration, server operations, and of course security. Written by
renowned open source authors, it includes detailed information on hot
topics such as wireless networks, and programming in PHP, Perl and
others. It thoroughly covers all of Ubuntu’s software packages, including up-
to-date material on new applications, Web development, peripherals, and
programming languages.

It also includes updated discussion of the architecture of the Linux kernel

2.6, USB, KDE, GNOME, Broadband access issues, routing, gateways,
firewalls, disk tuning, security, and more.

Cisco Network Admission Control, Volume I: NAC Framework Architecture

and Design
by Denise Helfrich, Lou Ronnau, Jason Frazier, Paul Forbes
Cisco Press, ISBN: 158705-2415

Cisco Network Admission Control, Volume I, describes the NAC architecture

and provides an in-depth technical description for each of the solution
components. This book also provides design guidelines for enforcing
network admission policies and describes how to handle NAC agentless
hosts. As a technical primer, this book introduces you to the NAC
Framework solution components and addresses the architecture behind
NAC and the protocols that it follows so you can gain a complete
understanding of its operation. Sample worksheets help you gather and
organize requirements for designing a NAC solution. 27
Mr. Gibson is the Chief Security Advisor for Microsoft in the UK. This role
comes on the heels of his retirement from a 20-year career as a Supervisory
Special Agent with the Federal Bureau of Investigation. During this period,
Gibson was a recognized expert in investigating complex, international
money laundering schemes, asset identification and confiscation, and
intellectual property theft. From early 2000 - mid 2005, Mr. Gibson was as-
signed to the FBI’s Legal Attache office, US Embassy London, as an Assis-
tant Legal Attaché. There, he was responsible for all FBI cyber, hi-tech, cyber-
terrorism, and infrastructure investigations in the UK. His leadership resulted
in the creation of a model cyber program adopted by all Legal Attache offices
around the world.

What has been your biggest challenge in live in the bricks and mortar world are some-
the role of Chief Security Advisor for Mi- times largely ineffective in the cyber world.
crosoft? Has your background expertise The Internet is global, and criminals are not
helped shape your role in the company? bound by jurisdiction, political relations, or
other restrictions due to anonymity and ability
Most people only know of ‘criminality’ on the to hide in plain sight.
Internet through anecdotal reports. Until
someone is personally affected by identify Yes, my background has been a key driver in
theft, social engineering, auction fraud, or shaping my role in the company. I know
other type fraudulent e-commerce activity, it criminals, how they behave and the tools they
is something for someone else to deal with. use, particularly in internationally complex
This should not be a surprise, as this is gen- cyber criminality. As the single point of con-
erally how people behave in the bricks and tact for all UK law enforcement and security
mortar world. However, the rules by which we services at the US Embassy London in 28
relation to cyber investigations and laws re- industry, manufacturing, finance, and gov-
lated thereto, I had many opportunities to ernment to name a few. Knowing what I do
work with a variety of agencies in a number about the kinds of attacks against its applica-
of countries. And each success was due to tions, operating systems, and processes, by
an understanding of the different cultures, ruthless organized crime groups and people
laws, and priorities. This understanding was using every conceivable method to steal,
bolstered by having been a lawyer in the US compromise, extort, blackmail, or otherwise
prior to my appointment as a Special Agent, make life miserable for their own personal
FBI, and qualification as a Solicitor in Eng- gain, we all can be mighty proud of the ex-
land / Wales, and the truly exceptional law traordinary efforts Microsoft has and contin-
enforcement and government representa- ues to put into making all computer users
tives, without whom success would have more safe on the Internet. But remember,
been hard fought. With this background, I am criminal attacks against systems is an
better able and proud to represent Microsoft Industry-wide problem, which is why Micro-
UK in my role as Chief Security Advisor. soft is working with industry partners, gov-
ernment, and educational institutions to help
Windows Vista has just been released and ensure understanding of the problems and
Microsoft has already announced the develop better solutions.
Vista Service Pack 1. Some see this as a
sign that Microsoft knowingly released the It's important to remember that no software is
OS with security problems while others 100% secure. We’re working to keep the
believe it to be a step forward in security number of security vulnerabilities that ship in
awareness and applaud Microsoft for our products to a minimum. Trustworthy
starting work on a collection of patches Computing is a long-term initiative and those
this early. What's your take on this situa- changes do not happen overnight. We’ve
tion? made progress and our efforts are resulting in
significant improvements in the security of
Microsoft’s operating systems / platforms, our software. We have every confidence that
applications, and processes are used by mil- - together with our industry partners - we'll
lions of people in nearly every country on this continue to meet the constantly evolving chal-
planet. It’s software products are used in lenge of security to help our customers and
mission critical devices and processes (in the the industry become more secure.
UK, the NHS is a prime example), defence


Did Microsoft use a different approach to attack surface area, which in turn improves
testing security while developing Win- system and application integrity and helps
dows Vista? organizations more securely manage and iso-
late their networks.
The release of Windows Vista is the first Mi-
crosoft operating system to use the Security Too often software is developed by bolting
Development Lifecycle (SDL) from start to security technology onto an application and
finish and was tested more prior to shipping declaring it secure. The SDL was developed
than any previous version of Windows. to provide a step-by-step process integrating
secure development into the entire software
Building on the significant security advances lifecycle from start to finish. We have already
in Windows XP Service Pack 2, Windows seen the benefits of this process as it was
Vista includes fundamental architectural first used for Windows Server 2003 and re-
changes that will help make customers more sulted in a 56% decrease in the number of
secure from evolving threats, including security bulletins, compared to Windows
worms, viruses, and malware. These im- Server 2000.
provements minimize the operating system’s 29
By having the most deployed OS in the ahead of the cyber criminal. So for example,
world, Microsoft is always under the mi- as I’ve already mentioned, our Security De-
croscope and has to tackle a myriad of velopment Lifecycle is used to ensure rigor-
security challenges. What are the ones ous testing of software code in products such
that you expect to cause problems in the as Windows Vista. In addition, our MSN Hot-
near future and what strategies does Mi- mail service blocks 3.4 billion spam mes-
crosoft use to fight them? sages per day.

As I always say, it’s about people, process Finally, at Microsoft, we’re committed to pro-
and technology and at Microsoft our security viding guidance to help businesses and con-
strategy is very much aligned to these three sumers act and secure their digital lives. In
areas. The threat landscape is continually the UK alone, according to recent figures
evolving and challenges appear in the form of from APACS (the UK payments association),
malware, inappropriate security policies and online banking fraud alone cost £22.5m in
the regulatory environment. Our security ef- 2006. Therefore we are deeply engaged in
forts are therefore focussed on the area of customer education programs such as our
partnerships, innovation and prescriptive partnership with GSOL. In fact, a big part of
guidance. Microsoft is working in partnership my role is to liaise between customers and
with Government and industry groups to our internal development teams, finding out
thwart security threats. So for example, in the what the problems are and seeing how they
UK, we are an active member of the Gov- can be resolved. My number one message is
ernment backed Get Safe Online program, that prevention is the best defense! You don’t
which aims to educate consumers and busi- need to wait to protect yourself today. There
nesses on the importance of security. are numerous resources available (both from
Microsoft and across the industry) to help
We are continually developing our products protect against the growing severity of infor-
to protect computer users and stay one step mation security threats.


When discussing Windows Vista, Micro- scape. Microsoft cannot do this alone, and
soft is emphasizing that it is the most se- we will continue to partner and collaborate
cure Windows ever. Do you believe you'll with industry, government and academia to
be able to stand behind that in a year or better protect customers and adapt to evolv-
two? What makes you so certain of Vista's ing security threats.
security features? After all, we live in a
world of constant evolving threats. Does In the past, Microsoft's security head-
'more secure' = 'secure'? aches were coming from full disclosure
lists where researchers publicly disclosed
As mentioned previously, whilst no software vulnerabilities in Microsoft products with-
is 100% secure, we are confident that Vista is out reporting them to the company. Today,
the most secure and thoroughly tested ver- the threat landscape is changing with 0-
sion of Windows we have ever produced. Our day vulnerabilities in Windows Vista being
customers expect and deserve a computing sold to the highest bidder and not re-
experience that is safe, private and reliable. ported at all. How does Microsoft deal
Trustworthy Computing has fundamentally with this problem?
changed the way we develop and help our
customers manage Microsoft software and Due in part to recent reports of security vul-
services. Threats to security and privacy con- nerabilities in a wide range of software, secu-
stantly evolve and the holistic nature of rity is a growing concern for more and more
Trustworthy Computing highlights Microsoft’s computer users every day.
commitment to facing this changing land- 30
The industry is responding in part by seeking There are many factors that impact the length
new opportunities to improve the way that of time between the discovery of a vulnerabil-
security information is gathered and shared ity and the release of a security update.
to protect customers while not aiding attack-
ers. Every vulnerability presents its own unique
challenges. We’ve been clear that bulletins
Microsoft is aware of iDefense offering com- can be released out-of-cycle, if necessary, to
pensation for information regarding security help protect customers if a level of aware-
vulnerabilities. Microsoft does not offer com- ness and malicious activity puts customers at
pensation for information regarding security risk in any way. In this case, the level of
vulnerabilities and does not encourage that awareness and malicious activity around a
practice. Our policy is to credit security re- vulnerability may prompt Microsoft to move to
searchers who report vulnerabilities to us in a a release schedule that would deliver a fix as
responsible manner. soon as one could be built and thoroughly
Since its inception, Microsoft Patch Tues-
days have been successful. Yet, many Creating security updates that effectively fix
critical vulnerabilities are announced vulnerabilities is an extensive process involv-
shortly after the batch of monthly patches. ing a series of sequential steps. When a po-
Shouldn't there be more frequent patch tential vulnerability is reported, designated
releases? product specific security experts investigate
the scope and impact of a threat on the af-
We investigate each security vulnerability re- fected product. Once they know the extent
port thoroughly to determine its impact to our and the severity of the vulnerability, they work
customers. In combination with that investiga- to develop an update for every supported
tion we also take a look at our engineering version affected. Once the update is built, it
processes to help determine how we can must be tested with the different operating
best deliver a quality update to our customers systems and applications it affects, then lo-
within the consistent time frame that our cus- calized for many markets and languages
tomers have requested, which is currently on across the globe. In some instances, multiple
a monthly cycle. vendors are affected by the same or similar
issue, which requires a coordinated release.



Internet Explorer has been hit by a variety viruses) and that isolate the potential impact
of vulnerabilities in the past and many of contamination.
patches have been released. Now that IE 7 In the interest of helping to better protect our
out, does Microsoft plan a better security customers, we delivered Windows XP SP2 in
strategy for the most used browser? 2004, which included a major security up-
grade to Internet Explorer. Building on that
Security is an industry wide issue and al- release, Internet Explorer 7 has been redes-
though there is no one solution, our approach igned and includes new security features to
to security spans across both technological help protect end users against spyware and
and social aspects. phishing attacks. A variety of new security
enhancements have been added to provide
In technology, we’re focused on designing end users with a host of new capabilities to
software that is resilient in the presence of make everyday tasks even easier, including
malicious code threats (such as worms and dynamic security protection to help keep
them safe online. 31
This is the PandaLabs list of the spyware most frequently detected by Panda
ActiveScan in 2006.

The top ranking spyware is Gator. This ad- In sixth place in the table is Lop, a type of
ware offers free use of an application if users adware with many variants. In most cases,
agree to view a series of pop-up messages this malicious code installs a toolbar with
downloaded by Gator. Some versions of this search features in Internet Explorer. It also
spyware replace banners on web pages vis- displays numerous advertising pop-ups. Wi-
ited with those created by the malicious code nantivirus, in seventh place, is categorized as
itself. a PUP, (Potentially Unwanted Program). It is
downloaded onto computers by other mali-
Second and third place in the Top Ten are cious code, such as, Downloader.LHW and
occupied by Wupd and Ncase respectively. exploits application vulnerabilities in order to
Both offer free use of an application in ex- spread. Winantivirus is also capable of dam-
change for displaying advertising messages. aging users’ systems.
They also monitor users’ Internet movements
and gather data about habits and prefer- CWS.Searchpmeup is in eighth place in the
ences. This information is then used to per- list. This malicious program changes the
sonalize the advertising displayed. Addition- Internet Explorer home page and the default
ally, Ncase changes the Internet Explorer search options. The web page that it sets as
home page, as well as the default search op- the home page uses several exploits to
tions. download malware onto computers. Next in
the ranking is Winfixer2005, a PUP that
The adware CWS is in fourth place. This can searches the computer for supposed ‘errors’
be installed without users’ consent or without and then demands that users buy the pro-
them being fully aware of the functionality of gram in order to repair them. Finally, in tenth
the tool. Emediacodec, in fifth place in the place comes, a spy program that
Top Ten, has similar characteristics. It uses a adds a toolbar to Internet Explorer and col-
series of techniques in order to prevent it be- lects information about the user, including
ing detected by antivirus companies. It can Internet pages visited, etc.
even terminate its own execution if it detects
that it is being executed in a virtual machine The information gathered by PandaLabs
environment, such as VMWare. about spyware in 2006 highlights the preva-
lence -seven of the Top Ten- of adware. 32
Position Spyware

1 Adware/Gator

2 Adware/WUpd

3 Adware/nCase

4 Adware/CWS

5 Adware/emediacodec

6 Adware/Lop

7 Application/Winantivirus2006

8 Adware/CWS.Searchmeup

9 Application/Winfixer2005

10 Spyware/

This type of malware has grown continuously the ranking, not only detect real errors or at-
throughout the year and is expected to con- tacks but also claim to have detected mal-
tinue doing so in 2007. Similarly, in 2006 ware which actually does not exist. Winfix-
there has been an increase in rootkits and er2005, in ninth place, is another example of
other malware that use similar techniques. A malicious code that promises to repair non-
rootkit is a tool used to hide the processes of existent errors.
malicious codes, making them harder to de-
tect. False codecs are variants of this type of
malware. EmediaCodec, in fifth place in the
Another significant aspect of the last year Top Ten, is a good example of this type of
has been the appearance of a new category malicious code. The way this malware oper-
of malware. Rogue antispyware claims to de- ates is quite simple. While the user is viewing
tect spyware or to repair errors. This increas- the Internet, they are offered certain videos,
ingly prevalent malware detects flaws or ma- normally pornographic. In order to see them,
licious code on computers but then demands they have to install a false codec which
that users pay for a registered version of the downloads adware. Normally these are not
program if they want to delete these threats. real codecs, but passwords that register in
WinAntivirus2006, in seventh place in the Top the system and have to be installed in order
Ten, is a good example of this new category. to see the videos.
Some of them, such as SpySheriff, 23rd in 33
Let us face it, modern e-mail communication relying on SMTP is fundamen-
tally broken - there is no sender authentication. There are lot of countermea-
sures in form of filtering and add-on authentication, but neither of them are
proved to be 100% successful (that is 100% hit ratio with 0% of false posi-
tives). Spammers always find new ways of confusing filters with random
noise, bad grammar, hidden HTML code, padding, bitmap-rendered mes-
sages etc. World is becoming an overloaded and unusable mailbox of spam. I
will nevertheless try to cover some of the spam problems and possible solu-
tions, but bare in mind that all of these are just no more than a temporary fix.

Product spam, financial spam, frauds, scams, world's total spam is around 85 billion mes-
phishing, health spam, Internet spam, adult sages per day (obviously this number is rather
spam, political spam, you-name-it spam. De- approximate) - and it is exponentially increas-
spite Bill Gates' brave promise in 2004 (“Two ing. We all know how much it is going to cost
years from now, spam will be solved”) e-mail (quick spam calculator:
spam has significantly increased worldwide in
the last two years in both volume and size, Spammers have undoubtedly adapted and
making over 70% of total e-mail traffic. Ac- evolved: up to now they used a single IP
cording to the First MAAWG Global Spam setup for delivering their unwanted e-mail,
Report ( from Q1 2006, usually hopping from one dialup to another.
around 80% of incoming e-mail was detected They have used open proxies, open mail re-
as abusive. A bit later in Q3 2006 various lays and other similar easy-to-track sources.
Internet service providers in the world have Unfortunately, it has changed - current spam-
reported an alarming increase of unsolicited ming methods now include huge networks
e-mail in a very short period due to the range (called botnets) of zombie-computers used for
of new spamming techniques involved. At the distributed spam delivery and Denial of Serv-
end of 2006 an estimated number of the ice attacks. 34
Various new viruses and worms are targeting paign as open war declaration and wiped
user computers, making them eventually into them off from the face of the Internet within a
huge spam clusters. Not only Microsoft Win- single day. Lessons have been learned: the
dows PCs are hacked, more and more Unix spammers are to be taken seriously and it
and Linux servers are affected too. And it is seems they cannot be dealt by a single uni-
not for the fame and the glory, but to enable form blow nor with a single anti-spam pro-
crackers to install and run scripts for the re- vider.
mote controlled spamming. In the meantime,
nobody knows how many spambots are cur- What can we do about spam? There are nu-
rently harvesting the Web in search of new e- merous commercial solutions against unsolic-
mail addresses, their new victims. There is ited e-mail (SurfControl, Websense, Bright-
nothing sophisticated in their attacks, only mail, IronPort, etc.) and some of them are
brute force and numbers. Spammers earn a rather expensive. Depending on the available
living by making and delivering spam and they budget, requirements and resources at hand,
do it darn well. an Open Source solution could be substan-
tially cheaper and possibly equally effective as
Reality check, 123 the commercial counterpart. There is a whole
range of readily available Open Source solu-
Due to the troublesome nature of the Internet tions for each of the popular anti-spam tech-
today, the spammers and the script kiddies niques for e-mail receivers. Some of them are
can easily put an anti-spam provider out of a in the core of the even most advanced com-
job by simply DDoSing them to death (and mercial solutions. As most of the readers
doing a lot of collateral damage) - and exactly probably know, anti-spam solutions are most
it happened to Blue Security effective when different methods are com-
( with their successful but bined together, forming several layers of
quite controversial Blue Frog service. A per- analysis and filtering. Let us name a few of
son known as PharmaMaster took their cam- the most popular...


Blacklisting recognized are Spamhaus and SpamCop, for

instance. Almost all FLOSS (Free/Libre/Open-
DNS blacklisting is a simple and cheap way of Source Software) SMTP daemons have full
filtering the remote MTA (Mail Transfer Agent) RBL support and so does Postfix, Exim,
peers. For every remote peer the SMTP serv- Sendmail, etc. For the SMTP services which
ice will reverse its IP and check the forward do not support DNSBL out of the box it is pos-
("A") record in the BL domain of DNSBL sys- sible to use DNSBL tests in SpamAssassin,
tem. The advantage of the method is in its low but that usually means no session-time
processing overhead: checking is usually checking. Another variant which Spfilter uses
done in the initial SMTP session and unsolic- is to store a several DNSBL exports in the
ited e-mail never hits the incoming queue. form of local blacklists for faster processing.
Due to the spam-zombie attacks coming from Of course, such a database needs to be syn-
the hundreds of thousands of fresh IP address chronized manually from time to time, pref-
every day, this method is today significantly erably on a daily basis.
less effective today than it used to be and no
more than 40% of total inbound spam can be Greylisting
filtered using this method. There are a lot of
free DNSBL services in world, but it is proba- The greylisting method ( is
bly best to use well known and reliable pro- a recent but fairly popular method which
viders (and there are even subscription-based slightly delays an e-mail delivery from any un-
DNSBL services) which do not enlist half of known SMTP peer. A server with the greylist-
the Internet overnight. Some of most widely ing enabled tracks the triplets of the 35
information for every e-mail received: the IP delivery since they interpret the temporary
address of every MTA peer, the envelope SMTP failure as a permanent error. Secondly,
sender address and the envelope recipient the impact of the initial greylisting of all new e-
address. When a new e-mail has been re- mail is substantial for an any company that
ceived, the triplet gets extracted and com- treats e-mail communication as the realtime-
pared with a local greylisting database. For alike service, since all of the initial e-mail cor-
every yet unseen triplet the MTA will reject the respondence will be delayed at least 300 sec-
remote peer with a temporary SMTP failure onds or more, depending on the SMTP retry
error and log it into a local database. Accord- configuration of the remote MTA peers. Fi-
ing to the SMTP RFC, every legitimate SMTP nally, the greylisting does not do any good to
peer should try to reconnect after a while and the big SMTP providers which have large
try to redeliver the failed messages. This pools of mail exchangers (ie. more than /24).
method usually requires minimum time to
configure and has rather low resource re- The problems can be fixed by whitelisting
quirements. As a side benefit it rate-limits the manually each and every of domains or net-
incoming SMTP flow from the unknown work blocks affected. Regarding the software
sources, lowering the cumulative load on the which does the greylisting almost every Open
SMTP server. Source MTA has several greylisting imple-
mentations available: Emserver, Postgrey,
There are still some mis-configured SMTP Milter-greylist, etc.
servers which actually do not retry the

Sender verify callout usually consists of several subtypes, so let us

state a few. Static filtering is a type which trig-
SMTP callback verification or the sender ver- gers e-mail rejection on special patterns
ify callout is a simple way of checking whether ("bad" words and phrases, regular expres-
the sender address found in the envelope is a sions, blacklisted URI, "evil" numbers and
really deliverable address or not. Unfortu- similar) typically found in the e-mail headers
nately, verification probes are usually blocked or a body of an e-mail itself. False positives
by the remote ISP if they happen too often. are quite possible with this method, so this
Further, a remote MTA does not have to reject type is best used in conjunction with policy-
the unknown destinations (ie. Qmail MTA based systems (often named as heuristic fil-
usually responds with "252 send some mail, ters) such as SpamAssassin and Policyd-
i’ll try my best"). To conclude: it is best to do weight. Such filters use the weighted results
verification per known spammer source do- of several tests, typically hundreds of, to cal-
mains which can be easily extracted from re- culate a total score and decide if the e-mail is
sults of the other methods (such as the con- a spam or a ham. In this way, a failure in a
tent analysis). The sender verification is sup- single test does not necessarily decide the
ported in most FLOSS MTA: Postfix, Exim, fate of an e-mail. At least several tests have to
Sendmail (via milter plugin), etc. indicate a found spam content to accumulate
the spam score enough for an e-mail to be
Content analysis flagged as a spam, so this results in a more
reliable system. Of course, weighted/scoring
The content-based filtering is probably the type of a filter can contain all of the other filter
core of most anti-spam filters available. It types for its scoring methods. 36
The next type of the content analysis is the Checksum-based filtering
statistical filtering which mostly uses the naive
Bayesian classifer for the frequency analysis A small but significant amount of unsolicited
of word occurrences in an e-mail. Such filter- e-mail is the same for every recipient. A
ing, depending on an implementation, re- checksum-based filter strips all usual varying
quires the initial training on an already pre- parts of an e-mail and calculates a checksum
sorted content and some retraining (albeit in from the leftovers. Such a checksum is then
much smaller scale) later on to obtain a compared to a collaborative or distributed da-
maximum efficiency. The Bayesian filtering is tabase of the all known spam checksums. Un-
surprisingly efficient and robust in all real life fortunately, spammers usually insert various
examples. It is implemented in the very popu- poisoning content (already mentioned hash-
lar SpamAssassin and DSPAM solutions, as busters) unique to an every e-mail. It causes
well as Bogofilter, SpamBayes, POPFile and the checksums to change and an e-mail is not
even in user e-mail clients such as Mozilla recognized as known spam any more. Two of
Thunderbird. Some implementations such as the most popular services for this typeare Dis-
SpamAssassin use an output of other spam tributed Checksum Clearinghouse and Vipul's
filtering methods for a retraining which gradu- Razor which both have their own software
ally improves the hit/miss ratio. Most of the and they are both supported in third-party
implementations (DSPAM, SpamAssassin) spam-filtering software such as SpamAssas-
have a Web interface which allows a per-user sin.
view of the quarantined e-mail as well as the
per e-mail retraining. It improves the quality of E-mail Authentication
either the global dictionary (a database of
learned tokens) or the individual per user dic- Finally, we are left with several methods of the
tionaries. DSPAM, for an instance, supports a authentication that basically try to ensure the
whole range of additional features such as: identity of a remote sender via some kind of
combining of extracted tokens together to ob- an automated process. The identification
tain a better accuracy, tunable classifiers, the makes it possible to reject all of the e-mail
initial training sedation, the automatic white- from the known spam sources, to negatively
listing, etc. score or even to deny an e-mail with the iden-
tified sender forgeries and to whitelist an e-
Another popular solution is CRM114 which is mail which is valid and comes from the known
a superior classification system featuring 6 reputable domains. This method should mini-
different classificators. It uses Sparse Binary mize the possibility of the false positives be-
Polynomial Hashing with Bayesian Chain cause a valid e-mail should get higher positive
Rule evaluation with full Bayesian matching scores (used for the policy filter) right from the
and Markov weighting. CRM114 is both the start or even completely bypass the spam fil-
classifier and a language. DSPAM and ters - which can be made more sensitive in
CRM114 are currently the two most popular return. There are several similar autentication
and most advanced solutions in this field, and mechanisms available: SPF (Sender Policy
they are easily plugged into most SMTP serv- Framework), CSV (Certified Server Valida-
ices. tion), SenderID and DomainKeys. They are
mostly available as third-party plugins for
Note that plain Bayesian filters can be fooled most popular OSS MTA, usually in the form of
with quite common Bayesian White Noise at- Perl scripts available at CPAN. Unfortunately,
tacks which usually look like random nonsen- neither of them is a solution recognized widely
sical words (also known as a hashbuster) in a enough to be used in an every SMTP service
form of a simple poem. Such words are ran- in the world.
domly chosen by a spammer mailer software
to reflect a personal e-mail correspondence DomainKeys and enhanced DKIM (Do-
and therefore thwart the classifier. Most of the mainKeys Identified Mail) protocol use a digi-
modern content analysis filters do detect such tal signature to authenticate the domain name
attacks - and so does SpamAssassin and of sender as well as content of a message. By
DSPAM. using a sender domain name and the re-
ceived headers, a receiving MTA can obtain 37
the public key of a such domain through sim- PASS) from a SPF policy. The problem is that
ple DNS queries and validate the signature of SPF breaks e-mail forwarding to the other
the received message. A success proves that valid e-mail accounts if the domain adminis-
the e-mail has not been tampered with as well trator decides to use SPF FAIL policy (hard
as that the sender domain has not been fail), although in the future SRS (Sender Re-
forged. writing Scheme) could eventually help it.

SPF comes in form of the DNS TXT entries in SenderID is a crossover between SPF and
each SPF-enabled Internet domain. These Caller ID with some serious standardization
records can be used to authorize any e-mail issues and does not work well with mailing
in transit from a such domain. SPF records lists (necessary Sender or Resent-Sender
publish the policy of how to handle the e-mail headers). CSV is about verifying the SMTP
forgeries or the successful validation as well HELO identity of the remote MTA by using
as the list of possible e-mail originating ad- simple DNS queries to check if the domain in
dresses. If none of those match the sender question is permitted to have a remote IP from
address in received e-mail, the e-mail is the current SMTP session and if it has got a
probably forged and the receiver can decide good reputation in a reputable Accreditation
on the future of such e-mail depending on Service.

Dinko Korunic is currently employed as a Senior Unix/Linux Security Specialist at InfoMAR (
He has previously worked with Croatian Academic and Research Network (CARNet) and University Comput-
ing Centre (SRCE) as Unix forensics specialist and a technical advisor. For the last decade, he has written and
held numerous lectures on advanced Linux and Unix topics. He has been a Unix (AIX, Irix, SunOS/Solaris,
Linux, OSF1/Tru64, Ultrix, *BSD) system administrator and a Unix system programmer. In his spare time he
writes Linux-related articles for local IT-specialist magazine Mrez@. Dinko can be reached at 38
WINDOWS - Cain & Abel

Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery
of various kind of passwords by sniffing the network, cracking encrypted passwords using
dictionary and brute-force attacks, decoding scrambled passwords, revealing password boxes,
uncovering cached passwords and analyzing routing protocols.

LINUX - Nagios

Nagios is a host and service monitor designed to inform you of network problems before your cli-
ents, end-users or managers do.

MAC OS X - Pastor

Pastor is a tool to store all your passwords, website logins, program serial numbers, etc. RC4-
encrypted and password-protected.

POCKET PC - SignWise Pro

SignWise use personal hand-written signature to authenticate. Signatures are much more secure
than passwords or PINs in that they cannot be lost, forgotten, or shoulder-surfed, and are difficult
to forge.

If you want your software title included in the HNS Software Database e-mail us at 39
This article analyzes the main changes in Office 2007 that concern docu-
ments and users’ private data protection.

New file format used for data storage. Apart from binary files,
XML file format has a lot of auxiliary informa-
The format change does strike the eye. For tion that is why all XML files are packed by
instance, Word 2007 files have the extension ZIP archiver.
“DOCX” instead of traditional “DOC”. The
most files in the previous Office versions were Unfortunately, hyperlinks to XML-schemes are
OLE-containers consisting of several streams not available yet. Let us hope that Microsoft
with binary data. will fix it soon. In the example the file format is
quite readable and understandable. At least
At the end of 90s binary formats of Word and we can see here the language, the text itself,
Excel were documented and available for and page parameters. In documentation you
MSDN subscribers. However, Microsoft has can find descriptions of other tags.
closed these formats after a new release of
Office 2000 and up to Office 2003 they were Office 2007 is compatible with its previous
unavailable even for Microsoft partners. It versions. If you try to open a new format file in
prevented all developers from writing their Office 2003 you will be prompted to download
own software applications compatible with Of- a converter from Microsoft web-site and hav-
fice documents. ing in-stalled it on you computer you can eas-
ily work with new format files. Additionally, you
However, after Office 2007 had been released have an option to save files in a new format.
the situation changed drastically. A new file
format, Office Open XML, is completely open Office 2007 files protection: Word, Excel,
and documented. Documentation format is PowerPoint
available and everybody can download it from
the Microsoft website. Microsoft followed the Whereas Office regular file format is simple
path of a well-known project OpenOffice and clear, the format of protected files is not
which file format is also open and XML is that easy. 40
Here you can see a file “document.xml” which is “the body” of Word document:

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>

<w:document xmlns:ve=""
<w:p w:rsidR="00021ED4" w:rsidRPr="00FC4BE5" w:rsidRDefault="00FC4BE5">
<w:lang w:val="en-US" />
<w:lang w:val="en-US" />
<w:t>Test Word file…</w:t>
<w:sectPr w:rsidR="00021ED4" w:rsidRPr="00FC4BE5" w:rsidSect="00021ED4">
<w:pgSz w:w="11906" w:h="16838" />
<w:pgMar w:top="1134" w:right="850" w:bottom="1134" w:left="1701" w:header="708"
w:footer="708" w:gutter="0" />
<w:cols w:space="708" />
<w:docGrid w:linePitch="360" />

A file protected with a password is an OLE- quickly. Now this operation needs 50000
container which includes encryption informa- SHA-1 sequential iterations. You would never
tion, encrypted stream itself and some auxil- notice it when opening a file because the
iary information. The encryption information whole process requires less than a second.
block is the same as in Office XP/2003. It in- However, when we start password search, the
cludes the name of cryptoprovider, hash and speed drops significantly. Initially estimated
encryption algorithms, key length, as well as the speed will be approximately 500 pass-
data for password verification and document words per second even on such cutting-edge
decryption. Though previous Office versions processors as Intel Core 2 Duo. Thus, using
allowed change cryptoprovider and key one computer it is possible to find 4-5 letter
length, Office 2007 has fixed encryption pa- passwords. There are considerable changes
rameters, as follows: AES encryption with 128 in the verification algorithm of “read-only”
bit key, SHA-1 hashing. The cryptoprovider password, document protection password,
«Microsoft Enhanced RSA and AES Crypto- book and sheet password in Excel. Previously
graphic Provider» supports encryption and the 16 bit hash was stored in the document.
hashing functions. Thus, it was possible to reverse it into any
suitable password. Now the hashing algorithm
However, in comparison with Office 2003 the is determined by record in XML-file where the
new version has a new algorithm of convert- number of hash iterations is defined as well.
ing passwords into keys. In previous Office
versions each password was hashed with an On the following page you can see that 50000
accidental byte set that was unique for every SHA-1 hash iterations and the password re-
document (salt). This operation needed only covery process will take very long time.
two SHA-1 iterations and was performed very 41
An example of “read-only” password record in Word 2007:

<w:writeProtection w:cryptProviderType="rsaFull" w:cryptAlgorithmClass="hash"

w:cryptAlgorithmType="typeAny" w:cryptAlgorithmSid="4" w:cryptSpinCount="50000"
w:hash="L419ICUXKWKS4zJGA1QoY80b6ds=" w:salt="gmd47MvIcN4OwJ5dPxZL6Q==" />

However, we still can change or delete this in its new version. It took Microsoft 10 years
password. We can either calculate the new (from the moment when Office 97 was re-
password hash, or simply delete this tag from leased) to create a good data protection sys-
XML-file. Document protection passwords are tem. “File open” passwords are really strong
stored in the same way, as well as passwords and you will need a long time to retrieve them.
for Excel books and sheets. Nevertheless, you still should have strong
passwords. Unfortunately, the human factor
Other Microsoft Office applications has always been and will be the weakest
point in any security. Even strong security sys-
Microsoft Access security system has under- tem in Office 2007 will hardly help you, if your
gone some radical modifications. Earlier a “file password is “John”, “love” or “sex”. A pass-
opening” password was stored in the file word like that will be instantly retrieved
header and could be easily extracted. Now in through the dictionary attack.
Access 2007 encryption goes in the same
way as in Word/Excel. So it is quite problem- One computer is definitely not enough to
atic to retrieve a password at once. Recover- recover strong passwords for Office 2007.
ing password by “brute-force” attack will take However, there are applications that can unite
long time. The user- and group-level protec- any number computers into a cluster in order
tion has been removed from Access from to search passwords. 1000 computers are
version 2007. PST-file security in Microsoft able to maintain the speed at 500,000 pass-
Outlook remained the same. 32-bit password words per second. So, we can recover rela-
hash (CRC32) is stored in the file and the tively strong passwords provided all corporate
password can be easily recovered. computers are joined together into a cluster.
But first and foremost one should carry out
Office 2007 password security and pass- dictionary attack. A strong security policy is
word recovery strategies meant only for “file opening” passwords. All
other passwords are still easy to retrieve,
First of all I would like to point out that Office change, or reset.
documents security is considerably enhanced

Andrey Malyshev is the CTO of ElcomSoft ( ElcomSoft's award-winning password file
protection retrieval software uses powerful algorithms, which are constantly under development. 42
We regularly conduct research into Wi-Fi networks and protocols in order to
gain a picture of the current state of affairs and to highlight current security
issues. We focus on Wi-Fi access points and mobile devices which support
Bluetooth. This latest piece of research was conducted in Paris, partly in the
city itself, and partly at InfoSecurity 2006, which was held in the French
capital at the end of November 2006.

It was very interesting to compare the data La Defense, the business district of Paris,
collected with similar data from InfoSecurity where InfoSecurity was being held, and other
which was held in London in spring of this locations in Paris. We collected data on ap-
year. It was also instructive to compare data proximately 1000 access points. We did not
on the security of Wi-Fi networks in the busi- attempt to intercept or decrypt any data
ness districts of these two world capitals. transmitted via wireless networks. We de-
tected more than 400 Wi-Fi access points at
As part of this research, we also planned to La Defense/ InfoSecurity, and more than 500
collect data about Bluetooth enabled mobile in other regions of Paris. This was the largest
devices at InfoSecurity itself, in the Paris number of access points which we’ve ever
Metro, and on the streets of the city. Until now, detected. London, where we conducted simi-
we haven’t managed to catch a single worm lar research in April, comes in second place.
for mobiles devices (Cabir or Comwar) in a However, we weren't able to collect separate
major city, but we were hopeful about our data for InfoSecurity, as the trade fair was be-
chances in France - after all, it was the birth- ing conducted within the Parisian business
place of Cabir, the first mobile worm. district itself.

Wi-Fi networks Transmission speed

We conducted our research between the 22nd As the graphs show, the data which we col-
and 25th of November 2006. We investigated lected in two different locations is practically 43
identical. Networks which transmit data at a China, Germany, and London, where they
speed of 54MB are the most common, with comprised up to 6% of the total).
the figure varying between 77% (La Defense)
to more than 85% (Paris), giving an average We can therefore conclude that Wi-Fi net-
of almost 82%. At CeBIT 2006 these networks works are more evolved in Paris in compari-
comprised a little over half (51%) whereas the son to networks in the other cities where we
analogous figures for China and London were have conducted research. The most surpris-
a mere 36% and 68% respectively. ing is the significant difference between the
Parisian data and the data from London, a city
This clearly indicates that there is far more we had previously considered to be setting
networking equipment utilizing newer versions something of a benchmark.
of 802.11 used in Paris than in London. It's
difficult to believe that this difference of more Network equipment manufacturers
than 15% is caused simply by the rapid evolu-
tion of Parisian networks in the six months The data we collected on network equipment
since we published our figures from London. manufacturers in Paris differed significantly
from data we collected in other locations. We
The second most common network speed is have therefore decided to analyze each data
11MB, with between 14% and 21% of all net- set individually.
works transmitting at this speed, and an aver-
age figure of 17.70%. More than 58% of all In total, equipment from 28 different manufac-
networks in China transmitted at this speed, turers was detected.
with 47% at CeBIT and 28.5% in London.
At La Defense, equipment from 19 different
The number of networks transmitting data at manufacturers was detected. Five manufac-
speeds between 22MB and 48MB did not ex- turers were found to be the most widespread,
ceed 1% in any area of Paris. This was sig- and equipment from these sources was de-
nificantly less than the number detected in ployed in more than 12% of networks de-
tected in the business region of Paris.

Manufacturers Percentage

Symbol 2,99%

Trapeze 2,99%

Airespace 2,14%

Cisco 2,14%

Aruba 1,92% 44
Equipment produced by the other 14 manu- Equipment from 21 manufacturers were de-
facturers was used in less than 8% of all net- tected in networks other regions of Paris. Of
works. Unfortunately, it was impossible to es- these, the equipment of 5 manufacturers was
tablish the manufacturer in more than 80% of the most common, and used in more than
cases (Fake, unknown, user defined). This 10% of the networks detected.
figure is far higher than that for CeBIT (66%)
and London (61%).

Manufacturers Percentage

Senao 4,17%

Delta (Netgear) 2,18%

Gemtek 1,59%

USI (Proxim Orinoco) 1,59%

US Robotics 1,19%

Equipment from the remaining 16 manufac- clear advantage in London. Equipment from
turers was used in less than 6% of networks. Cisco was detected in Paris, as was equip-
In 83% of cases, the equipment manufacturer ment produced by Aruba, which was the third
couldn't be established (fake, unknown, user- most common type of equipment in London.
defined), which is lower than the figures from Overall, it should be stressed that the market
other cities, and close to the figure for La De- share of equipment manufacturers not only
fense. differs strongly from country to country, but
also from region to region within a single city.
As the data shows, the equipment used in
each location varies in terms of manufacturer. The aggregate data for the top five equipment
The figures for Symbol and Trapeze at La De- manufacturers in the two locations is as de-
fense, and the high amount of equipment pro- picted in the table below.
duced by Senao in other locations are the
most striking figures when the Paris data is In 82% of all cases, the equipment manufac-
compared to London, with Cisco having a turer could not be established.

Manufacturers Percentage

Senao 4,17%

Trapeze 2,18%

Symbol 1,59%

Delta (Netgear) 1,59%

Linksys (GST) 1,19%

Traffic encryption around the world show that approximately

70% of all networks do not encrypt traffic in
Probably the most significant figure is the ratio any way. In Peking, we obtained a figure of
of protected to unprotected access points. less than 60%, at CeBIT approximately 55%,
Older data collected by war drivers in cities and in London 50% of networks which did not 45
use encryption. Our research in Paris was de- First of all, let's look at the data collected dur-
signed to find out whether unencrypted net- ing InfoSecurity together with the data col-
works were still more common than encrypted lected around La Defense:
ones, and whether London was the only ’digi-
tal fortress’.

La Defense / InfoSecurity

Only 37% of networks did not use any type of first encountered in London is general prac-
encryption! This is a stunning figure, which is tice, and shows that system administrators
slightly better than the figure for London's Ca- are well aware of the issue.
nary Wharf. The two regions are very similar:
a great many international banks, oil and in- Part of this data is naturally made up of ac-
surance companies, news agencies etc. could cess points at InfoSecurity. As we have previ-
be targeted by hackers on the hunt for infor- ously mentioned, such access points are usu-
mation of commercial value. ally configured in a hurry, often incorrectly,
and they can easily be targeted by hackers.
This is the lowest figure that we have come The security of the networks detected at
across so far. If we take into account that fact InfoSecurity London was worse than the se-
that some of the access points which make up curity of networks in the rest of the city. It's
this 37% are public access points which are quite possible that this was also the case in
located at the La Defense shopping centers, it Paris, as 37% was by far from the most sur-
seems to reinforce our assumption that the prising figure which we encountered.
high number of secure networks which we

Other regions of Paris 46
The figures for other regions of Paris turned access points belonging to home users also
our preconceptions of secure wireless net- implement encryption.
works upside. A figure of 22% isn’t only al-
most twice as good as the data we collected Undoubtedly, one of the reasons for these fig-
in the ‘protected’ business district, but it’s the ures is that wireless networks in Paris are bet-
lowest percentage of unprotected networks ter developed than in other cities, as is shown
that we’ve ever encountered in the course of by their use of newer protocols and the speed
our research. The general belief that approxi- of data transmission. Just as in London, we
mately 70% of networks are unprotected was should highlight the high level of computer lit-
in part borne out by China (59%), Moscow eracy and awareness of Wi-Fi security issues
(68%) and London (50%) but brought down among users. The data from Paris shows that
by the data from Paris. And not just by data the era of unprotected wireless networks is
from the business district, where one would gradually drawing to a close.
expect networks to be secure, but standard

Combined data for Paris

While the data collected in other regions of was 89% to 11%, at CeBIT 2006 58% to 42%
London slightly detracted from the high fig- and in London 95% to 5%.
ures collected at Canary Wharf, in Paris the
opposite was true. The high figures were We expected to find a high number of Peer
weakened by the public access points and the networks at InfoSecurity Paris (in London, ap-
access points established by InfoSecurity par- proximately 50% of the networks were of this
ticipants, bringing the average number of un- type.) This is because they are constructed
protected networks down. In spite of this, within the framework of an exhibition (a tem-
however, we returned a figure of less than porary space) and use multiple connections
30%! Paris is therefore awarded our unofficial between computers without network cables.
victor's palm for the city with the best pro- The high number of Peer networks found at
tected wireless networks, overtaking London La Defense might also be due to the fact that
(49%) and establishing a new qualitative wireless devices, such as printers, for in-
benchmark. Paris is the city with the fastest stance, are becoming more and more popular
and best protected Wi-Fi. in offices. The data collected shows that more
than 20% of access points both at the trade
Types of network access fair and in office buildings are of the Peer
type, and such networks are used exclusively
Wi-Fi networks are either made up of ESS/AP to connect devices to each other.
access points or via Peer/AdHoc computer-to-
computer connections. Data shows that ap- Figures from the other regions of Paris give a
proximately 90% of wireless networks are ratio of approximately 9 to 1. The results are
composed of ESS/AP access points. In China, closer to those from Peking than those from
the ratio of ESS/AP to Peer/AdHoc networks London. 47
Types of Network Access

Default configuration more than 300 used default SSID. London

gave us a figure of slightly higher than 3% in
Networks with default configuration are the the city itself, and approximately 1.5% at Ca-
juiciest morsel for hackers of wireless net- nary Wharf.
works. As a rule, Default SSID means that the
adminstrator of the access point has not One of the best ways of protecting a network
changed the name of the router. This may against war driving is to disable broadband
also be an indirect indicator of the fact that the spreading of the network identifier (SSID).
administrator account is still using the default Let’s take a look at the networks we detected
password. from this point of view.

The Internet is full of information about which The figures from La Defense are far better in
default passwords are used by different types terms of Default SSID than the figures from
of network equipment, and if a hacker knows Canary Wharf. Less than 0.5% is praisewor-
the origin of the equipment, s/he will be able thy.
to take complete control over such a network.
More than 8% of the networks in Peking re- SSID was disabled in almost 33% of net-
tained their default configuration, which is a works, almost the same as the figure for Lon-
worryingly high figure. The situation at CeBIT don, with the French having a slight edge.
was better - only two access points out of

SSID Broadcast — La Defense 48
Taking into account the fact that we already ures from La Defense (to be expected) but
know that wireless networks are highly still better than the 3.68% detected in London.
evolved in Paris, the figures from other re- The only area in which the English led the
gions of the city were not surprising. French was in terms of disabled SSID broad-
cast. In Paris, this was found in less than 26%
Default SSID was detected in 1.39% of net- of networks, in comparison to London’s 32%.
works, which was slightly lower than the fig-

SSID Broadcast — Other regions of Paris

Network components Around La Defense and at InfoSecurity 207

networks were detected. These networks con-
This section includes statistics on the number tained more than 400 access points.
of network access points in individual net-
works. Of course, a network has one or more As the data shows, the vast majority of net-
access points but how many access points is works (more than 84%) only have one access
common? point. Just as in London, networks with 4 ac-
cess points were fewer in number than those
made up of 2, 3, or 10 access points.

La Defense

On the other hand, there were some very access points. Many access points could not
large networks found, including two which had be included in this data as SSID Broadcast
10 and 11 access points respectively. How- has been disabled in the networks which they
ever, there were no networks composed of 7 were a part of (more than 150 access points). 49
The 84% of networks composed of a single networks composed of a single access point)
access point is a figure very similar to the was comparable to the data for Paris overall.
82% from Canary Wharf. We were interested
to see if the data for London overall (51% of

Other regions of Paris

And this is where we were surprised. Nearly Wireless devices such as printers, scanners,
95% of the 292 networks (made up of more etc are becoming more and more widespread,
than 500 access points) had only a single ac- making it easier to create office networks.
cess point. Was this due to home users, or to This is clearly shown by the gradually increas-
connections from small business? Whatever ing number of Peer networks.
the reason, it was all the more surprising in
light of the high level of encryption used in Finally, it’s not possible to identifiy a clear
these networks, which we mentioned earlier. leader among the manufacturers of Wi-Fi
equipment. Every country has its own prefer-
As for record breaking numbers, we found ences.
three networks with 14, 16 and 18 access
points respectively. These were undoubtedly Overall, it should be stressed that our re-
public access neworks. Overall, 292 networks search over the past two years shows that the
were found, not including the more than 100 number of networks which use some time of
access points where SSID was disabled. encryption (WEP or WAP) is steadily increas-
ing. In fact, one could say that the situation
Conclusions had changed radically over the past two years
- from 70% of networks in Moscow and 60%
The data gained from our Paris wardriving in Peking to 30% in Paris. This is surely not
leads us to draw the following conclusions: due to socio-economic factors. It’s a clear
global trend, which shows that both users and
• The vast majority of networks transmit data system administrators have recognized secu-
at a speed of 54MB a second. rity on open networks as being a serious is-
• There is an unprecedentedly high use of sue. The life of wardrivers is going to become
encryption in Parisian networks in comparison more difficult as it becomes more difficult to
with networks in other cities around the world. hack networks in order to steal data or simply
• Much of the data from the business regions to gain access to the Internet.
of Paris coincides with data collected from
similar regions of London. Bluetooth
• The majority of networks only have one ac-
cess point, which results from the widespread The most widespread method of transmitting
use of wireless networks among home users. data by WiFi is currently the Bluetooth proto-
col. Almost all modern mobile phones have a 50
wireless module which enables the exchange The research was conducted both within the
of data with similar devices, also making it InfoSecurity Paris exhibition hall, and around
possible to use the ‘hands free’ function. Blue- La Defense, the business district of Paris. Al-
tooth is an integral part of smartphones, PDAs though fewer Bluetooth devices were de-
and some laptops. tected than at InfoSecurity London, neverthe-
less, at least 30 - 40 devices could be de-
In the spring of 2006 at InfoSecurity in London tected at any one time within a 100 metre ra-
we conducted our first research into Blue- dius.
tooth. We detected more than 2000 Bluetooth
enabled devices in “visible to all” mode. We We also collected Bluetooth data while col-
decided to conduct similar research in Paris in lecting data about WiFi networks in other re-
order to gain comparative data which might gions of Paris. The areas investigated in-
support our conclusions. This report includes cluded the Paris Metro, the Gare du Nord (a
the data we gathered, and compares it to the major railway station), and areas with a high
data from London. We detected more than concentration of tourists.
1300 Bluetooth enabled devices in “visible to
all” mode; although this is fewer than the Types of device
2000+ detected in London, we believe that
this data is nonetheless representative. Let’s take a look at what Bluetooth devices we
We used Blue Soleil, Blue Auditor and BT
Scanner to collect data.

The graph clearly shows that the vast majority The second most popular type of device (if we
of devices are normal mobile phones. They exclude Unknown devices) is smartphones.
make up approximately 60% of the total, They make up approximately 14% of all de-
which is 10% less than the figure for London. vices detected, which is significantly less than
This is a fairly significant difference. This the 25% found in London. This is surprising,
might be due to the fact that approximately as France definitely is among the countries
14% of the devices couldn’t be identified cor- with the most smartphones in the world, and
rectly, which could account for the difference. is one of the most developed markets for such
Standard mobile phones do not have a fully devices. However, the statistics speak for
functional operating system, and they are only themselves.
theoretically vulnerable to viruses, e.g. mali-
cious programs written in Java for Mobile. In third place, with almost 5% were standard
cordless phones of the type often used in of-
However, all of these telephones are vulner- fices. This figure is higher than that for Lon-
able due to Bluetooth protocol issues which don, and laptops with Bluetooth were in third
we’ve written about before. place in London, making up approximately 3%
of all devices found. 51
The figures for Paris are of a similar level - Equipment manufacturers
more than 2%. We should stress that although
this isn’t a high number, the risk of hacker at- This figure is very significant: we can use data
tacks on such devices is greater than the risk about equipment manufacturers to establish
of attacks on a standard handset or smart- what operating system is being used (in the
phone. This is because the data saved on a case of smartphones/ PDAs) or get data
laptop is far more extensive and attractive to about an individual manufacturer's market
hackers than data stored on a telephone. share.

In terms of other devices, the number of Overall, we detected equipment from 39 dif-
PDAs (Palm sized PC PDA and Handheld PC ferent manufacturers (in contrast to the 35
PDA) detected was less than 2%. This is iden- which we detected in London.) 6 manufactur-
tical to the figure from the UK, which we see ers appeared to be the most popular, with
as confirmation of the fact that users of such their devices making up more than 38% of all
devices are very aware of Bluetooth security devices detected.
issues and take the appropriate precautions.
Unfortunately, in approximately 50% of cases,
All in all, we detected more than 1300 devices we were unable to establish the equipment
of 15 different types. The number of Uncate- manufacturer. This is a surprising figure, as in
gorised and Miscellaneous devices was less London the percentage of such devices was
than 1.5%, although we still classified this as only slightly over 25%. Could it somehow be
a type of device. The single blot on our statis- connected with grey market telephones?
tics was the 14% of Unknown devices.

Equipment manufacturers - Paris 52
Manufacturers Percentage
Noname 50,18%

Sony Ericsson Mobile Communications AB 9,69%

Nokia Danmark A/S 9,33%

TECOM Co., Ltd. 6,25%

Samsung Electronics Co., Ltd. 5,74%

Texas Instruments 4,59%

Inventel Systemes 3,16%

Other 11,06%

The data above shows that in Paris there is Texas Instruments is in a similar position, per-
no clear market leader among equipment haps explained by the limited prevalence of
manufacturers; this is in contrast to London, Motorola telephones. Interestingly, well known
where Nokia manufactured more than 30% of manufacturers such as USI and Murata aren't
devices detected. In Paris, Sony Ericsson is in among the list of leaders, having been
first place with 9.69% of the devices detected, squeezed out by Tecom and Inventel. How-
but Nokia is not far behind. However, the fig- ever, they do come just below the top six most
ures from London were very different, as popular manufacturers, together with LG and
these two companies had almost half of the Sharp. As we’ve mentioned in the past what
entire market share. The figure for Samsung, type of equipment different manufacturers
on the other hand, is very similar in both cit- produce, the following data may be of com-
ies: 5.74% in Paris and 4.52% in London. parative interest:

Brand Phone/Smartphone Phone/Mobile

Nokia 30% 70%

Sony Ericsson 12,5% 87,5%

Brand Phone/Mobile Phone/Cordless Other

Samsung 56,8% 40,7% 2,5%

Brand Phone/Smartphone Phone/Mobile PDA

Texas Instruments 56,8% 40,7% 2,5%

Accessible services allowed a friend's device to connect to yours

in order to exchange data, you are also mak-
The data on accessible services is of great ing it possible for your friend's device to make
interest to us as it illustrates the opportunities calls from your phone, send SMSs, read your
both for hackers to attack handsets and for address book etc. And of course, it could be a
viruses to spread. When a device establishes hacker in place of your friend, a hacker who
a Bluetooth connection with another device, it has used social engineering or a Bluetooth
makes it possible for the second device to use vulnerability to gain access to your device.
some of its services. For example, if you've The data we collected on accessible services 53
gives us a picture of what services could be • Telephony (making calls, sending mes-
accessed by remote malicious users. Let’s sages). This is used in more than 91% of de-
start by taking a look at the data for all serv- vices.
ices. We detected approximately 3800 serv- • Networking (provides Internet access and
ices on over 1300 devices, distributed as the ability to use an inbuilt modem). This is
seen above. Given the ratio of 3800 to ap- used in more than 66% of devices.
proximately 1300, this means that each de-
vice had, on average, around 3 accessible These figures are practically identical to the
services. Some devices had 5 or 6 accessible data we collected in London, with the differ-
services. As the graph shows, three services ence in all three cases being less than 1.5%.
were the most common: As we are primarily interested in smart-
phones, which are among the most vulnerable
• Object Transfer (sending/ receiving files). Bluetooth devices, it's worth taking a look at
This is used in more than 95% of devices. the data relating to them separately. As the
graph below shows, the ratio of devices: serv-
ices is approximately 1: 2.

There’s a slight difference between the figures of slightly more than 10%. The data from our
for smartphones and the data for other de- research supports our previous conclusions:
vices. With more than 93%, Object Transfer although some users of Bluetooth devices are
remains the most widespread accessible aware of the risks posed by cyber threats,
service, followed by Telephony with 91%, and user education is still needed.
Networking in third place, with the low figure

Alexander Gostev is the Senior Virus Analyst at Kaspersky Lab, a leading developer of secure content man-
agement solutions that protect against viruses, Trojans, worms, spyware, hacker attacks and spam. 54
Black Hat DC Briefings & Trainings 2007
26 February-1 March 2007 – Sheraton Crystal City

The 14th Annual Network & Distributed System Security Symposium

28 February-2 March 2007 – Catamaran Resort Hotel, San Diego, CA, USA

InfoSec World Conference & Expo 2007

19 March-21 March 2007 – Rosen Shingle Creek Resort, Orlando, FL, USA

WebSec Conference 2007

26 March-30 March 2007 – London, UK

Black Hat Europe 2007

27 March-30 March 2007 – Amsterdam, Netherlands

Business Continuity – the Risk Management Expo 2007

28 March-29 March 2007 – Excel, The Docklands, London

ARES Conference 2007

10 April-13 April 2007 – University of Technology, Wien, Austria

If you want your event included in the HNS calendar e-mail us at 56
Joanna Rutkowska has been involved in computer security research for sev-
eral years. She has been fascinated by the internals of operating systems
since she was in primary school and started learning x86 assembler on MS-
DOS. Soon after she switched to Linux world, got involved with some system
and kernel programming, focusing on exploit development for both Linux
and Windows x86 systems. A couple of years ago she has gotten very inter-
ested in stealth technology as used by malware and attackers to hide their
malicious actions after a successful break-in. This includes various types of
rootkits, network backdoors and covert channels.

How did you get interested in Windows Control feature which will hopefully force peo-
security? ple to work from restricted accounts. UAC is
still far from perfect - e.g. it's pretty annoying
When I started to play with Windows internals, that every single application installer (even if it
I already had a background with Linux user- is Tetris) asks for administrative credentials
mode exploitation and kernel programming. and the user has no real choice to continue
Move to Windows was a natural evolution and the installation *without* agreeing on that.
was mostly dictated by my curiosity. However, I see UAC as an important step to-
wards implementing the least-privilege princi-
What's your general take on the security ple in Windows.
aspects of Windows Vista? Is it much
more secure than Windows XP as Micro- Also, Microsoft introduced some anti-
soft is telling us? exploitation technologies, like e.g. ASLR and
invested a lot of money and time into improv-
Indeed, Vista introduced lots of security im- ing the quality of the code behind the operat-
provements comparing to XP. The most im- ing system and the applications.
portant one is probably the User Account 57
The introduction of BitLocker technology lieve this mechanism to be effective in stop-
which makes use of the Trusted Platform ping kernel malware. Also, the much dis-
Module (TPM) to assure the integrity of the cussed Kernel Patch Protection (AKA Patch
booting processes seems like an important Guard), should not be though of as an effec-
improvement. Of course, this should not be tive protection against kernel compromises,
though of as a silver bullet solution against as it's relatively easy to bypass by the mal-
rootkits and all other malware. ware authors. Still, I see those two mecha-
nism as useful when it comes to system com-
In the 64-bit version of Vista, Microsoft also promise *detection* (in contrast to prevention)
introduced the requirement that all kernel - at least when it comes to type I malware.
drivers must be digitally signed, but I don't be-

When we look at the quality of the advisories published these days, I have the
feeling that people are looking for cheap publicity.

In your opinion, what is the biggest mis- Naturally, from time to time we see a very in-
take Microsoft has made when it comes to teresting bug report, sometimes presenting a
security in 2006? new class of bugs or a new method of exploi-
tation. It's hard to overestimate the value of
I don't really see any particular, spectacular such reports for the security community, so if
mistake made my Microsoft in 2006 but there the author decided to release those informa-
are some things which I don't fully agree with, tion for free, I guess we all should only be
like e.g. the design of Integrity Level mecha- grateful to the author.
nism which prevents only against writes not
reads or issues regarding kernel protection or What is your opinion about Microsoft
the fact that they concentrate only on preven- Patch Tuesdays? Shouldn't there be more
tion (like most other OS vendors) and haven't frequent patch releases?
done anything to make systematic compro-
mise detection feasible. I guess these are just I guess there should be, but I can also under-
different points of view and I would not call stand that releasing a patch is a complicated
any of them a 'big mistake'. business process, because it requires lots of
testing, etc. I also realize that even if we had
What do you think about the full disclosure patches released on a daily basis, that still
of vulnerabilities? would not be a sufficient solution, as attackers
might still exploit some unknown vulnerability.
I'm quite neutral about this. On one hand, I
think that it should be every customer's right Thus, I think it's much more important that the
to point out flaws in the products they buy and OS itself provided various anti-exploitation
I really don't see why those who find bugs technologies and also be designed to limit the
should be *obliged* to first report it to the damage of the potential successful exploita-
vendor - i.e. why should they be forced to do tion (least privilege design, strict privilege
a free Q&A with the vendor? separations, etc). And it's clear that Microsoft
is going this way, although there's still room
On the other hand, when we look at the qual- for improvement in this area.
ity of the advisories published these days,
where most of the bugs reported are just What is the most interesting fact you've
some denial of services, I have the feeling become aware of while researching for
that people are looking for cheap publicity. It's your recent papers?
quite understandable that companies which
are victims of those "audits" might feel a bit It's hard to point to just one fact. Usually the
pissed off. most amazing thing is that something you
though of before (e.g. some attack) actually 58
does work after you implemented the proof-of- despite the new protection mechanism and
concept code. That's always very amazing for also demonstrated that recent hardware virtu-
me. alization technology can be used to create a
new class of stealth malware - something I
What's your take on the open source vs. call type III malware (e.g. "Blue Pill"). And just
closed source security debate? recently I found that hardware based memory
acquisition as used for forensics, believed to
I don't like when people say that something is be absolutely reliable, because it uses so
secure just because it's open source and in- called "Direct Memory Access" to read mem-
herently insecure, just because it's a commer- ory, can be cheated in some cases.
cial, closed source product.
Unfortunately I haven't seen any serious effort
Although it should be admitted that a lot of in the security world to address most of those
security technologies have been introduced in threats. We still don't have any effective way
the open source systems for the first time, like to combat type II malware. Network intrusion
e.g. ASLR which has been invented by PaX detection systems and firewalls are years be-
about 6 years ago. hind when it comes to detecting or preventing
any more advanced covert channels. We still
What are your future plans? Any exciting don't have any good solution to prevent or de-
new projects? tect hardware virtualization based malware...

I think that I would like to focus more on the I would like to work more on the defense side
defense side now. In the past two years I now - I believe that we should convince OS
have worked on several offensive techniques, vendors (and also CPU vendors) to make sys-
starting from passive, very hard to detect cov- tems verifiable - so that we could come up
ert channels ("Nushu"), then I presented with *systematic* ways to check whether the
"Stealth by Design", type II malware, then I system is infected by any of type I, II or III
showed that Vista kernel can be subverted malware. 59
“So you want to be a rock & roll star?
Then listen now to what I say.
Just get an electric guitar
Then take some time
And learn how to play.”
The Byrds - So You Want to Be A Rock & Roll Star.

So, you want to be a security star, huh? Well, reading this magazine is a good
start. But the reason that they have asked me to write this article is to tell you
about all of the things that you need to do past that. Reading a few articles on
SSH and security in Web 2.0 isn’t enough to make you into a security super-
star than listening to a few records will make you a rock & roll star. As the
song lyric says, you have to learn how to play. That’s what this article is go-
ing to be about. But first, a question: Why do you want to be in security?

That’s a tough one to answer, sometimes. take for the money or the coolness. I have met
Maybe you saw a movie like Hackers, War many people who started in security for one of
Games or Firewall (though I really hope it’s those two reasons, and very few of them have
not the last one). Or you went to Defcon or actually managed to make a career out of the
HOPE and think it’s cool to be one of those security field.
people. Or perhaps you read the recent salary
surveys that put CISSPs at the top end of the The most important question that you need to
salary scale. answer: why do I want to be a security engi-
neer? Because, as the old self-help slogan
If it’s any of those, you’re in trouble. Because goes, “if your ‘why’ is strong enough, you’ll
security isn’t a career path that you should find the ‘how’”. 60
While the rest of this article is going to be fascinating. I have met hundreds of informa-
about the “how” of becoming a super-star se- tion security professionals over the years, and
curity engineer, I can’t emphasize this enough: almost all of them have a story like that, me
spend some time figuring out what it is about included.
security that calls to you over all of the other
cool things you could be doing with your life. The good news is that, by the sheer fact that
you’re reading this article, you probably have
The Prerequisites that interest. That’s the first step up the infor-
mation security career mountain. So, let’s
One of the things that makes being a security look at the path up the side of that big hill.
engineer so interesting is that security applies
to all of the different technology areas. Thus, The Security Career Mountain
in developing a real career in security, there
are very few areas of technology that you The career path of a security professional is
won’t be required to know and understand at a quite varied. One of the great things about in-
significant level. If you meet some of the best formation security is that your career can be
security professionals, you’ll quickly realize incredibly tailored to your own experience and
that they unix like a unix admin, Cisco routers your own desires. But there is also a general
like a CCNP, Oracle like a DBA and C++ like a progression that most careers take - I’ll de-
software engineer. And they can keep up in a scribe that general path and some of the im-
conversation with any of those people. portant steps along the way.

Because of the well-rounded skill-set required, The diagram on the following page is a gen-
becoming a great security professional is in- eral representation of the mountain that is a
credibly challenging, but also incredibly re- security career. You’ll start at the bottom, usu-
warding. You will spend the rest of your life ally in another field (as I mentioned above).
learning, because any time a new technology
comes out, you’ll be required to learn about it. Entering the security career track, you’re gen-
As an example, one of the best engineers I erally going to start out as a one-dimensional
know has spent the past couple of months security engineer, who brings your skills from
learning the ins and outs of MySpace on a another discipline and your love of security
deep technical level. together to be a security expert in your chosen
field. This is where you’ll find job titles like
Because of the incredibly varied skill-set re- “web application security engineer” or “unix
quired, most of the best security professionals security administrator”.
don’t start out their career “in security”. They
usually come to security from another spe- From there, you’ll spend a year or two gaining
cialization - system administration, software the all-around experience required to really be
development, data networking or telco. Using a security professional. And that’s where you
myself as an example, I started as a system have to make the hard choice: do you want to
and network administrator, helping companies be a technical security expert or a manager?
keep their servers, desktops and routers up (As I’ll talk more about, this is somewhat a
and running. But I was always interested in false choice, but it’s useful for the purpose of
security: it was the thing that I studied in my simplicity here). Your decision there will de-
spare time. And I was always most interested termine your career path for much of your ca-
in figuring out how to protect (and break in to) reer: you’ll be focused on honing either the
the systems that I was building and maintain- skills of an incredibly technical security expert,
ing. or of an information security manager. And
you’ll get the jobs that go along with that.
It’s that interest in security that is common to
every long-term security professional that I And finally, you’ll get to the snow-capped peak
have met. Talk to anyone who has had secu- of the security career mountain... and you’ll
rity as a large part of their career, and they’ll have to read on to find out what’s at such a
likely tell you about their time as a young lofty summit. But, first, let’s talk in more detail
technologist where they found either the about each of the camps along the mountain.
“breaking” or “protecting” aspects of security 61
Base Camp - The One Dimensional Secu- able to smell risks, threats and vulnerabilities
rity Engineer in the air around you.

You just decided to climb the security career This is the point in your career where you
mountain, and you arrived at the first camp. need to start focusing on that. Look at all of
The air down here is still very much as it was the skills that you have, and start tying in the
while you were working your other career path core concepts of security thinking into your
as an admin, a coder, or engineer. In fact, daily tasks.
your title is probably very much the same:
you’ve probably just put the word “Security” in The other thing you need to do is simple: Be a
the title somewhere. sponge. This is the time in your security ca-
reer where you need to learn about being a
Success at this step involves taking the inter- security professional absorbing what security
est that we talked about before and combining professionals know, and what they’re all
it with the skills that you already have: your about. So, what you want to do during this
job at this level of your career is to learn to time in your life is to spend as much time as
think like a security professional, even if you you can reading books and blogs, attending
aren’t one. This generally means that you’re conferences and local meetings, listening to
going to start learning (on an intuitive level) podcasts (like mine at being ac-
about the three main concepts in security: tive on mailing lists and online forums. In
vulnerability, threat, and risk. I’m not going to short, get to know everyone in security, learn
go into those definitions here, but, suffice it to what they know, and learn how to start doing
say that, as a security pro, you’ll get to know what they do.
those definitions on an experiential level. If
you’re already a security pro, you know what I In other words, learn what a well-rounded se-
mean: as you move up the mountain, you’ll be curity professional knows. 62
Camp 2 - All-around Security Engineer No, you don’t have to become a writer or pre-
sent at next year’s BlackHat Briefings. The
This is the point at which you’ve finally estab- key here is to start to differentiate yourself as
lished your skills. You can now expound at a security pro. Answer these questions, and
length the difference between a cross-site you’ll start to understand: How am I different
scripting vulnerability and a buffer overflow, as a security professional than the guy in the
the different types of authentication factors cube next to me? Or than the guy who sat be-
and their strengths and weaknesses, and how hind me during my CISSP exam? What
to assess risk in an organization. And you can makes me unique as a security professional?
do it while you’re thinking about something
else. You probably have (or have thought As an example, for me it has been my interest
about or decided consciously not to get) a and focus on personal development. While I’m
CISSP. And you didn’t have to take one of a security professional at heart, my ability to
those “boot camps” to get one - you got it on work with people to help them be better at
the knowledge that you already had. what they do is something that not every se-
curity professional has. This is what lead Mike
While your learning shouldn’t stop, it probably Rothman to dub me “Mr. Security Career” -
will become more subtle. You’ll stop finding this is what makes me different. As you reach
the real key stuff in books and focus more on this stage in your career, what you need to do
conference papers, blogs and magazines (like is to figure out what it is that makes you differ-
this one) because that’s where the real “new” ent. Because, while you’re continuing to round
stuff is. This is where some people can get out your technical and security skills, it’s the
bored and stagnant, but that feeling is just the answer to the “what makes you different”
beginning. Because it’s now time to start questions that will ultimately lead you to the
generating content of your own. career that you want. Which leads you to the
moment where you need to choose a path up
the mountain...

As you reach this stage in your career, what you need to do is to figure out what it is that
makes you different.

Camp 3 - The Fork in the Road professional) is incredibly intense. I once

asked a security super-star that I worked with
At this point in your career, it’s time to make a why he accepted the management job that he
choice: will you head towards becoming a was in when he clearly wanted to spend his
technical guru, or a high-powered security ex- time working on the technology. His answer
ecutive? Because it’s nearly impossible to do was telling: “It’s just what you do, I guess.” He
both at once. (We’ll come back to that later). spent most of his days miserable dealing with
Your choice at this point depends on who you staff issues, until he finally quit and went back
really want to be in your life - what I would call to working as a senior-level security consult-
your “calling”. Who are you? Are you a person ant doing high-level penetration tests and se-
who comes up with neat technical solutions? curity engineering. And he has never been
Or someone who builds, leads and inspires happier.
teams of people who come up with neat tech-
nical solutions? When you dream of the per- The key here is to know which path is most
fect day at work, which do you see yourself right for you. While you can change your mind
doing? later, it’s probably pretty evident if you look at
your temperament and skill-set. Not every-
This isn’t the easiest point for most people, body wants to spend their life with technology,
because it’s often hard to make a choice. Es- just as not everyone wants to manage. You
pecially if you’re going to choose to become a probably have a good idea which one you
great technical resource, because the pres- want. (And if you don’t, email me and I’ll help
sure to go into management (especially if you figure it out).
you’re a high-performing all-around security 63
Load up on Oxygen Bottles the year after? What’s the scalability of the
system - what happens if we grow from 1000
The air from here on up gets a little rarified, users to 10,000 users?
and it’s going to get harder and harder to
breathe unless you load up on the equipment Camp 5 - The Management Path
that will allow you to survive higher and higher
up the career mountain. Those skills can be The management path is a path that has been
summed up in two words: business acumen. covered by a huge number of books and
magazines out there. I’m not going to spend a
And it doesn’t matter which path you choose lot of time on this path, except to give a quick
to take: both require an understanding of overview. If you’re trying to move forward in
business at the same level. This doesn’t mean the management path, your skills are going to
that as a technical expert that you need to go need to be about business and people. This is
off and get an MBA. But it does mean that the point in your career where you may want
you’re going to need to understand how busi- to start thinking about an MBA (or at least
nesses make decisions about spending time, learning the skills of an MBA), learning to play
money and other resources to solve problems. golf, and focusing on how to manage and lead
And how things actually get done. security professionals.

As an example: it’s a relatively naive security If you’re thinking about taking this path, you
professional who makes the assertion: we should check out Mike Rothman’s “Pragmatic
should work to eliminate every security hole in CSO” book - it will give you incredible insight
the organization. While that may be true from into the skills and thoughts that are required to
a technical perspective, and even from a risk- succeed on this path up the security career
focused perspective, it’s not at all true from a mountain.
business perspective. It’s your understanding
of business decision-making, processes and The View from the Summit
culture that will let you operate higher and
higher up the security career mountain. I told you that we’d talk about the “snow-
capped peak” of the mountain - this is it.
Camp 4 - Navigating The Technical Path Summating the mountain is the point at which
you transcend the path of “manager” or “tech-
So, you took the technical path up the moun- nologist” - this is the point in your career at
tain. You’re going to be called on more and which you’re generally called “visionary”.
more to do one thing: solve hard problems.
There’s only one thing that you can do to im- The people who get to this level are the ones
prove your skills at solving hard problems, and who become household names: Steve Jobs
that’s to practice solving hard problems. This and Bill Gates are popular examples. But
means that you’re going to have to continue to there are examples in the security industry as
learn more and more nuanced detail around well: Marcus Ranum, Mary Ann Davidson,
the things that you’re going to become an ex- Ron Gula, Tim Keanini and Bruce Schneier
pert in. are great examples of those who have
reached this pinnacle of the security career.
The biggest challenge in this path is going to
be expanding your vision to see “the big pic- This is that rare person who can “cross the
ture”. This relates to my previous advice on streams” - who can manage a business and
business acumen; this is where you need to stay involved in technology at the same time.
learn to keep all of the details in your mind at Neither strictly managers nor strictly technolo-
a given time. When you’re developing an gists, these are the people who are known as
authentication strategy, it’s not just about experts on both.
which crypto algorithms you use and what the
password strength is, but, as you get to be a But How do I do it?
more senior resource, the questions you need
Getting to the top of the security mountain
to ask are around strategy. For example: how
isn’t an easy task - it takes a lot of work. And,
does this authentication system play with the
more than anything, it’ll take a lot of good luck.
technology we’re going to deploy next year or 64
Talk to anyone who has been successful in Then, do those things. But that sounds like a
security (and, in fact, any industry) and you’ll LOT of work!!! Yeah, I know. Here’s where I
hear the story of someone who has been in share the dirtiest little secret of all great secu-
the right place at the right time. rity pros: Becoming great at security IS a LOT
of work.
In fact, that is, as I mentioned earlier, the
place where you need to start: you need to That’s the bad news. The good news is that
start meeting people who have done what you becoming great at anything is a lot of work.
want to do. Get to conferences and on email Which is where that first question comes in
lists and read their blogs. Learn how they got again: you have to have a really great reason
to where they are, and take whatever advice for wanting to do this one. Because, other-
they have that is useful to you. Then, start to wise, those days when you’re reading an RFC
apply it to your own life and career. because somebody like me told you that it’s
worth getting to know the protocols at a really
Most importantly, figure out what they know deep level (which it is), you’re going to decide
that you don’t know. Figure out what books that you’d rather be playing Xbox360. (Heck,
they’ve read that you haven’t. What papers even if security is your calling, you’re going to
they read that you don’t. What blogs they decide that sometimes... but the point is that
read. What podcasts they listen to. And do you’ll do it eventually if you really want to be
those things. great at this).

A 10-year veteran of the security industry, Mike Murray focuses his expertise on building successful and fulfill-
ing careers. Dubbed "Mr. Security Career", his blog at and his "Technology Career Excellence"
podcast have become known as resources for those in technology who want more than just a job. His new
book "Forget the Parachute, Let Me Fly the Plane" is targeted at careers in fast-moving industries like informa-
tion security. Learn more at and at Mike's blog at 65
We attended the enormous RSA Conference Companies from all over the world exhibited
last week in San Francisco. With around their products and services and a large
15,000 attendees, a myriad of in-depth lec- amount of announcements were made at the
tures delivered by some of the industry’s most show. The amount of new releases shows just
important figures, as well as keynotes from how important the RSA Conference is to the
leaders such as Bill Gates and Colin Powell, security industry as a whole. What follows is a
we can truly say the event was a giant suc- roundup of product releases announced at the
cess. show as well as a gallery of photos.

Announcements Arxceo Corporation - Arxceo Ally ReconAlert,

a free software package for Windows that en-
Absolute Software - Announced that Dell is ables network administrators to continuously
bundling Computrace LoJack for Laptops with monitor Syslog output from their Ally ip100
their computer accidental damage services security appliance.
sold to consumers. Bradford Networks - New NAC Director prod-
Aladdin Knowledge Systems - Aladdin eSafe uct line gives organizations running Microsoft
HellGate appliance, the company's first Network Access Protection the power to man-
gateway-based anti-virus, spyware control, age and control guest access to the Internet
Web browsing security and application filter- while validating that guest laptops comply with
ing solution specifically designed for the SMB established network security policies.
market. Centrify Corporation - Centrify DirectControl
Altiris - SecurityExpressions 4.0 helps keep for Mac OS X, SmartCard Login Option, which
security postures consistent with security poli- enables Mac OS X users to join Microsoft Ac-
cies and regulatory mandates and enforces tive Directory environments that require two-
compliance through audits, remediation and factor authentication via smart cards.
reporting. Check Point - UTM-1 security appliance offers
Application Security - DbProtect - an inte- medium-sized businesses and enterprise re-
grated suite that is built on their AppDetective gional sites complete, multi-layered protection
and AppRadar product against Internet threats such as spyware, vi-
Applied Identity - New Identisphere product ruses, network attacks and more.
suite offers unified policy access management ConSentry Networks - The integration of
functionality that provides organizations with a ConSentry’s network-based enforcement plat-
seamless solution for both managing multiple form with Microsoft’s admission control and
and disparate directories, and for developing endpoint posture check.
and managing fine-grained user policy. Ecora Software - New features in its flagship
Arcot Systems - First-to-market integration solution Ecora Auditor Professional designed
with Microsoft Windows CardSpace identity to reduce the high cost of compliance man-
management framework. dates, lower the cost of downtime, increase
Array Networks - Beta availability of Site2Site, security, and improve operational efficiency of
the first site-to-site SSL VPN solution. IT professionals. 66
FireEye - FireEye Central Management Sys- SanDisk - TrustWatch is built around a secure
tem and the FireEye 4200 2.0 appliance that network appliance and a management con-
addresses the exploding threat of remotely sole, through which IT administrators can eas-
controlled malicious software or crimeware. ily configure and deploy secured USB flash
Greencastle Technology - Innervue prevents drives, while preventing information from be-
malware and attacks by monitoring the key ing copied to unapproved devices.
interfaces between hardware and the soft- Secure Elements - The C5 Compliance Plat-
ware that are needed for software execution. form is the industry's first enterprise solution
HID Global - Crescendo series smart cards built on open XML standards that enables a
designed to provide out-of-the box, standards- range of compliance solutions such as IS con-
compliant support for thousands of logical ac- trol auditing and benchmarking, vulnerability
cess control applications. management, and more.
Intellitactics - Plans to enhance their compre- Shavlik Technologies - Broad vulnerability
hensive enterprise security management solu- management and patch management support
tion, Intellitactics Security Manager. for Microsoft Vista clients.
Ixia - New SSL security testing capabilities in SignaCert - Interoperability of its Enterprise
its IxLoad- Triple Play test solution result in Trust Service with Microsoft Network Access
performance gains of more than 300% and Protection, allowing enterprises to measure
add significant new features to the product. and verify the integrity of software on devices
Kaspersky Lab - Kaspersky Anti-Virus Mobile, across IT systems, ensuring greater reliability,
a product that protects mobile phones using manageability, security, and regulatory com-
Symbian and Windows Mobile operating sys- pliance.
tems against mobile malware StarNet Communications - StarNetSSH, a
Lockdown Networks - Lockdown Enforcer, is fully featured suite of connection security tools
now shipping with full support for Microsoft for Windows-based computers, including
Network Access Protection (NAP). Windows Vista.
Netronome Systems - The Netronome SSL StillSecure - Safe Access now delivers on the
Inspector is designed for security and network promise of ‘Complete NAC’ which refers to a
appliance manufacturers, enterprise IT or- comprehensive network access control solu-
ganizations and system integrators. tion that encompasses pre-connect health
Ping Identity Corporation - Version 2 of its checks, post-connect monitoring and identity
consumer authentication framework, Pin- based policies.
gLogin, is now available for download from its SurfControl - New Global Alliance Partner
Web site, Program - alliance partners will be able to de-
Privaris - Participation in the RSA SecurID liver high-performance solutions that are
Ready for Authenticators Partner Program - complimentary or tightly integrated with Surf-
an extension of the trusted RSA Secured Control’s secure Internet protection technol-
Partner Program. ogy.
Red Hat - A complete PKI solution, Red Hat Third Brigade - Deep Security 5, an ad-
Certificate System 7.2 provides a security vanced, host intrusion prevention system that
framework that guarantees the identity of us- detects and prevents known and zero-day at-
ers and ensures the privacy of communica- tacks targeting mission critical servers.
tions in heterogeneous environments. Utimaco - Support for Windows Vista Bit-
Relational Security Corporation - RSAM v5.0 Locker Drive Encryption.
provides many great enhancements to the ex- Vernier Networks - Support for Microsoft Net-
isting RSAM v4.5 feature set, while also inte- work Access Protection (NAP) in Vernier’s
grating with Relational Security’s powerful EdgeWall 7000 and 8000 series appliances.
new assessment & reporting modules. Voltage Security - Voltage Security Network, a
Route1 - MobiNET Aggregation Gateway, a compelling new software-as-a-service solution
sophisticated appliance-based solution that Webroot Software - Spy Sweeper Enterprise
provides enterprises subscribing to Route1 3.0 was named “Best Anti-Malware Solution”
MobiNET-enabled services, such as remote in the Reader’s Trust category of SC Maga-
access, with greater manageability of data zine.
traffic that flows across the network. 69
Knowledge & Technology

Come together at Black Hat Europe.

Once again the world’s ICT Security Elite gather to share their knowledge
and experience with you. This is your chance to meet and network
with peers and professionals at this world renown event.
Two days. Ten Classes. Thirty presentations.

Black Hat
Briefings & Training Europe 2007

27-30 March 2007 • Mövenpick Hotel Amsterdam City Centre

gold supporting associations

When Microsoft released Windows XP in late 2001, it introduced a new Start
menu with quick access to frequently used programs. The left side of the
menu contains two sections, the "pinned list" (at the top) and the Most
Frequently Used Programs (MFUP) list (at the bottom). When you monitor the
MFUP list in the Start menu, you will notice that it is not only displaying the
most frequently used programs, but also new programs that were used
recently. This means that there is also a kind of time-stamp involved. 72
To a programmer, it is clear that the MFUP list try. Reverse-engineering techniques were re-
can only be maintained by monitoring user quired to understand the format of the data
activity. This activity has to be logged and (details about this process can be found in my
persisted somewhere. blog).

I developed a program to display the data of Microsoft has not published documentation
the MFUP list. This data is stored in the regis- about these registry keys.

Use in forensic analysis When started, the UserAssist utility retrieves

the data for the current user and displays it.
Now imagine that you are conducting a foren-
sic investigation: you have to compile a report The display is not refreshed automatically
about the activity of user U on workstation W. when Windows Explorer updates the registry
One important element of this report is the list
of programs executed by user U. To refresh the display, execute the 'Load from
local registry' command. But this is not the
There are several techniques to compile a list way you want to use it for a forensic investiga-
of executed programs. One can look at the tion. When you are executing your forensic
last access timestamps of the program files investigation by the rules of the book, you will
on workstation W, or examine the files in the image the storage devices of the involved
%WINDIR%\Prefetch directory. The problem machine(s) and work on a copy of the image.
with these techniques is that they are system
wide: one has to deduct from the timing win- To extract the HKEY_CURRENT_USER reg-
dow which user accessed the files. This is istry keys for a particular user from this image,
relatively simple if there is only one user work- you will have to locate the NTUSER.DAT file.
ing on the workstation, but it becomes very It is located in the C:\Documents and Set-
difficult on a Terminal Server. tings\user_name directory. There are excep-
tions to this. If the workstation is a member of
The UserAssist utility helps one to compile a a Active Directory domain and roaming pro-
list of executed programs. It reads the MFUP files are enabled, you can also find the
data from the registry found under this key: NTUSER.DAT file of domain users (not of lo-
cal users) on the domain controller or on a
HKEY_CURRENT_USER\Software\Microsoft\ dedicated file server.
Be aware that this file will only be up-to-date
Notice HKEY_CURRENT_USER, it means with a proper logoff, pulling the plug on the
that this data is user related. It ties activity workstation will not allow for synchronisation
such as running executables to a specific of the roaming profile.
user. 73
If you find a NTUSER.MAN and no ing a registry hive will modify the
NTUSER.DAT file, you are out of luck: this is NTUSER.DAT file and create a
the mandatory profile setup by the system NTUSER.DAT.LOG file.
administrator. It does not persist changes
made by the user. After locating the Load Hive is only enabled for keys
NTUSER.DAT registry hive, you will have to HKEY_USERS and HKEY_LOCAL_MA-
export the registry entries as a .REG file. The CHINE
UserAssist utility cannot read registry hive
files directly (I will add this feature once I find If you need to limit the size of the .REG file,
a suitable open source library), they have to navigate to
be converted to .REG files. Software\Microsoft\Windows\CurrentVersion\
Explorer\UserAssist and export this key in
Follow this procedure to create the .REG file: stead of the complete registry hive.
1) Make a copy of the NTUSER.DAT file of
the involved user Now that you have the exported registry hive
2) Start Regedit as a .REG file, start the UserAssist utility. It
3) Select HKEY_USERS will display a table with the commands you
4) Launch command File/Load Hive... have executed, just ignore this for the mo-
5) Select the copy of the NTUSER.DAT ment.
6) Type a Key Name, for example
Investigation Execute these steps to view the UserAssist
7) Select HKEY_USERS\Investigation data:
8) Right-click and launch Export 1) Launch Commands / Load from REG file
9) Type a file name, for example Investigation 2) Select the .REG file, for example
10) Launch command File/Unload Hive... Investigation.reg

Recommendations All the commands executed by the user are

displayed in a table, the meaning of the data
I recommend working on a copy of in the columns is explained below.
NTUSER.DAT, because loading and unload- 74
Key notepad, then the session ID for the notepad
entry will be 123.
This value is {5E6AB780-7743-11CF-A12B-
00AA004AE837} or {75048700-EF1F-11D0- Counter
These are the keys found under the UserAs- This is the number of times the program was
sist registry key, and they are included in the executed (a 4 byte integer).
table to distinguish the entries.
This is the last time the program was exe-
This is a running counter, indicating the se- cuted (an 8 byte datetime). Watch out for time
quence of values in the registry. At first, the zone differences when importing a REG file
entries are listed in the sequence they appear from a system with different regional settings.
in the registry. You can sort columns by click- It is important to understand that there is only
ing on the header. To revert to the original se- one entry per executed program: e.g., if note-
quence, sort the column Index and then the pad is executed twice, there will only be one
column Key entry in the table with Counter equal to 2 and
Last equal to date and time notepad was last
Name executed.

The name of the value registry entry. This ref- The result of executing these commands:
erences the program that was run. This key is Notepad.exe
ROT13 encrypted, the displayed name is de- Calc.exe
crypted. Notepad.exe

There is a registry setting to prevent encryp- is this table:

tion of the log, but the UserAssist utility does "UEME_RUNPATH:C:\Windows\system32\cal
not support this setting. c.exe","","146","1","3/01/2007 21:02:33"
ROT13, also know as the Caesar cipher, is a epad.exe","","146","2","3/01/2007 21:02:40"
very simple encryption scheme where each
letter is replaced with the letter thirteen places You can save the table as a CSV file. This file
down the alphabet. A becomes N, B becomes can be imported in a spreadsheet program
O, and so on… For example, UEME_RUN- like Excel for further analysis or for inclusion
PATH becomes HRZR_EHACNGU. I do not in the forensic analysis report. To save the re-
know why Microsoft decided to encrypt the port, launch Commands / Save and type the
UserAssist registry entries with such a simple name of the CSV file.
Name entries
The key Names always start with UEME_.
A 4 byte integer, meaning unknown. It ap- Examples are:
pears to be present only for session entries UEME_CTLSESSION: session key. This ap-
(UEME_CTLSESSION). pears to increase with 1 each day you use the
computer. I think the 4 first bytes of the binary
Session data (column Unknown) are also a timestamp,
but of another format which I've still to under-
This is the ID of the session (a 4 byte integer). stand (it appears to count in units of 53.69
When an entry is created in the UserAssist seconds).
registry keys, the session is set equal to the UEME_RUNCPL: an entry created when the
session of the UEME_CTLSESSION entry. control panel is opened. It can be followed by
For example, assume the session ID of UE- a string to indicate which applet of the control
ME_CTLSESSION is 123, and you launch panel was opened, like this entry for the
Power Options applet: 75
UEME_RUNCPL:"C:\Windows\system32\pow iar with Windows Explorer as the utility you
ercfg.cpl",Power Options use to explore drives, but it does a lot more.
UEME_RUNPIDL indicates the execution of a Windows Explorer is also the standard shell in
PIDL. A PIDL is a Pointer to an ID List, every Windows: it is the program that displays the
item in Explorer's namespace is uniquely Start Menu, the Task Bar and all those other
identified by its PIDL. For example, executing GUI elements that make up your desktop.
shortcuts (.lnk) are logged with this entry.
UEME_UIQCUT is logged for applications Here is a fun little experiment to demonstrate
launched from the quick launchbar. There is this (save all important work first):
no separate entry with the name or path of the
launched application. I think the logic behind 1) Start the Windows Task Manager
this is the following: the UserAssist registry (CTRL+SHIFT+ESCAPE)
keys are maintained by Windows Explorer to 2) Select the Processes tab and search
display the MFUP. Applications launched from explorer.exe
the quick launchbar have already their "spe- 3) Select explorer.exe and click on the End
cial" place on the Windows GUI, so there is Process button
no need to keep additional data about their 4) Confirm
usage. 5) Result: the start menu and taskbar are
More details about the different types of name 6) Launch File/New Task(Run...)
entries can be found at 7) Type explorer and execute, this will get
your Windows Shell back.
Windows Explorer
The fact that the UserAssist registry keys are
The UserAssist registry keys are maintained maintained by Windows Explorer has two im-
by Windows Explorer. You are probably famil- portant implications.

First implication: only programs that are executed from this Windows Console will not
launched via Windows Explorer are counted appear in the UserAssist registry data.
in the UserAssist keys. Programs launched by
the Windows Console (CMD.EXE), a service Second implication: Windows Explorer runs
or by any other means are not logged. If the under the user account and since Windows
user starts a Windows Console, you will see Explorer needs full access to the UserAssist
this in the UserAssist keys, but all programs registry keys, the user has also full access. 76
The user can manipulate the data. He can Ultimate Boot CD for Windows is based on
change data and delete entries without you BartPE.
being able to detect this. The way that the
data is encoded in the registry does not make Bart’s PE has an open architecture, you can
it easy for the user to manipulate individual integrate your own tools by making a dedi-
entries, but the UserAssist utility also provides cated plugin. My UserAssist utility uses the
functions to do this. Microsoft .NET Framework 2.0, which is not
supported by BartPE. You need to add Colin
In other words, the integrity of the UserAssist Finck’s Microsoft .NET Framework 2.0 plugin
data is not guaranteed. One can only rely on to the Ultimate Boot CD for Windows plugins
the ignorance of the user about the UserAs- to use my plugin.
sist registry entries to maintain the integrity of
the data. Details on how to make your own UBCD4Win
CD with my UserAssist Utility plugin can be
There are also settings to disable the logging found at It has also a video
of commands under the UserAssist registry showing you the UserAssist utility in action.
key: create registry key Settings\NoLog (un-
der the UserAssist registry key) and set it Closing remarks
equal to 1. You will have to restart Windows
Explorer before this setting becomes effective. The UserAssist utility has also been tested
The UserAssist utility provides the Logging with success on Windows Vista. Apparently,
Disabled command to toggle this key. Re- Microsoft did not make changes to the format
enabling logging requires the deletion of the of the UserAssist registry entries, they still ex-
Settings\NoLog registry key and the restart of ists and they contain the same data as in
Windows Explorer. Windows XP.

Windows Live CDs My UserAssist utility is not the only program

that displays and manipulates the UserAssist
I have also packaged the UserAssist utility in registry keys, but it's the only one that dis-
a Bart's PE plugin that I have tested with the plays the counters, timestamps and session
Ultimate Boot CD For Windows (UBCD4Win). IDs in a Windows GUI program.
From their website: UBCD4Win is a bootable
CD which contains software that allows you to Jeremy Bryan Smith has developed a Win-
repair, restore, or diagnose almost any com- dows GUI program that will decode and dis-
puter problem. Their goal is to be the ultimate play the UserAssist registry entries, but it
free hardware and software diagnostic tool. All does not decode the binary data containing
software included in UBCD4Win are freeware the counters, timestamps and session IDs
utilities for Windows. UBCD4Win is based on (
Bart's PE. Bart's PE builds a Windows "pre-
install" environment CD, basically Windows Harlan Carvey has developed ProScripts to
booted from CD. dump the UserAssist registry keys with the
decoded name and timestamp
Windows Live CDs are a popular trouble- (
shooting and forensic investigation tool, they
allow you to boot a (Windows) PC from a CD. The UserAssist utility was developed with Mi-
crosoft Visual C# 2005 Express, a free down-
Bart Lagerweij developed BartPE, a tool to load from Microsoft. The source code is in-
create a Windows Live CD (a Windows “pre- cluded when you download the UserAssist
install” environment CD), and several people utility, you are free to adapt this code.
build their own tools based on his work. The

Didier Stevens (CISSP, MCSD .NET, MCSE/Security) is an IT Security Consultant currently working at a large
Belgian financial corporation. He is employed by Contraste Europe NV, an IT Consulting Services company
( You can find the UserAssist utility and other open source security tools on his IT security
related blog at 77
For many years external security threats received more attention than inter-
nal ones, but the focus has changed. Worms, viruses and the external hacker
were once perceived as the biggest threats to computer systems. What is of-
ten overlooked is the potential for a trusted individual with special privileges
or access to steal or modify data. While viruses and worms are serious, at-
tacks perpetrated by people with trusted insider status—employees, ex-
employees, contractors and business partners—pose a far greater threat to
organizations in terms of potential cost per occurrence and total potential
cost than attacks mounted from outside.

Well documented breaches have heightened sources on the local area network of the com-
the public’s – and regulatory agencies’ - con- pany are deemed trusted. Practically, we do
cerns about how well companies are securing not firmly restrict their activities because an
consumer-specific information captured at the attempt to control these trusted users too
point-of-acquisition. Extended partnerships closely will impede the free flow of business.
lead to that more and more tasks will be per- And, obviously, once an attacker has physical
formed outside the physical boundaries of control of an asset, that asset can no longer
company facilities which will add another level be protected from the attacker. While data-
of due diligence we must take into account. bases often are protected by perimeter secu-
rity measures and built in RDBMS (Relational
Insider attacks hurt disproportionately Database Management Systems) security
functionality, they are exposed to legitimate
The reason why insider attacks hurt dispropor- internal users at some degree. Due to the
tionately is that insiders can and will take ad- fragmented distribution of database environ-
vantage of trust and physical access. In gen- ments, real time patch management, granular
eral, users and computers accessing re- auditing, vulnerability assessment, and 79
intrusion detection become hard to achieve. are indispensable protection for the network
With the growing percentage of internal intru- for keeping people out, today’s focus on e-
sion incidents in the industry and tougher business applications is more about letting the
regulatory and compliance requirements, right people into your network. Consequently,
companies are facing tough challenges to as databases become networked in more
both protect their sensitive data against inter- complex e-business applications, their vulner-
nal threats and meet regulatory and compli- ability to attack grows. Without extra precau-
ance requirements. tions taken to secure the confidential data in
databases, your company’s privacy is at risk.
Threats from people working inside the en- Taking the right security approach enables
terprise firewall your e-business and protects your critical
data. Threats that the system would be likely
Threats to your databases can come from to face, for reasons that we will describe be-
hackers, attackers external to your network, or low, are 1) malicious insiders and 2) techni-
from the numerous groups of people working cally knowledgeable outsiders motivated by
inside the enterprise firewall. While firewalls profit.

Threats to your databases can come from hackers, attackers

external to your network, or from the numerous groups of
people working inside the enterprise firewall.

Outside threats Security System, it would be wise to treat it as

soon as possible, however unlikely.
A second category of threat that must not be
neglected is outsiders. Although their motiva- Other threats
tion is far more likely to be profit rather than to
harm The Company’s brand reputation, it is Although we consider the above threats to be
important to consider them in the analysis. At the most likely, they are in no way the only
least two feasible scenarios exist that could ones that exist. Similarly, other motivations
provide an outsider with a vector for launching for attacking the Store Security System may
an attack on the Store Security System; both well also exist. The largest risk of successful
scenarios involve poorly configured store loca- attacks by these miscreants is denial of serv-
tion networks. In the first scenario, a Company ice and other forms of general havoc. Cer-
store location network is miss-configured such tainly, not something to be ignored, but the
that it is directly accessible to the external business impact to The Company is not likely
Internet at large. In this scenario, an oppor- to as significant as in either of the previous
tunistic attacker might accidentally (or other- scenarios.
wise) find the The Company network and be-
gin an attack. Organizations are reacting slowly

The second scenario would be involving a For companies to avoid the nightmare of a
miss-configured store location network that public breach of customer privacy, organiza-
inadvertently allows hotel guest data traffic to tional accountability must be established and
traverse the same network that the business supported by policies and processes that en-
systems, including the Local Security Server force compliance to standards and regula-
itself, resides on. In both cases, a successful tions. Many states in the U.S. have adopted
attack on the Store Security System itself rigid regulations about disclosure of consumer
would need to include a significant additional data security breaches, and financial networks
effort to explore, analyze, and learn the opera- such as VISA and MasterCard will impose
tion of the Store Security System. Such an harsh financial consequences if a breach
attack might well take months or more, but occurs.
considering the five-year life-span of the Store 80
The Payment Card Industry (PCI) Data Se- viduals or as members of communities. In
curity Standard many ways, this is a return to a pre-mass
business concept, before consumers began to
The PCI Data Security Standard is a set of be treated as an amalgam of many different
collaborative security requirements for the demographics, lifestyles, and buying prefer-
protection of credit card transactions and ences. The difference today is that organiza-
cardholder data for all brands. The PCI stan- tions can achieve a level of intimacy and still
dard incorporates sound and necessary secu- perform as a large scale enterprise. Informa-
rity practices, such as continuous data access tion technology makes this possible, and win-
monitoring and control; assessments; and ners are using information and technology to
auditing. PCI Compliance is mandatory for better understand customer preferences and
any business that stores, processes, or to plan their business strategies accordingly.
transmits data. The PCI Security Standards However, such strategies do not come without
Council ( is an risk. Today, enterprises must demonstrate
open global forum for the ongoing develop- compliance with industry and government
ment, enhancement, storage, dissemination regulations charging businesses with ensuring
and implementation of security standards for the security of this sensitive information. At the
account data protection. The PCI Security same time, databases are at increased risk
Standards Council’s mission is to enhance from both internal and external attackers who
payment account data security by fostering no longer simply seek notoriety but, instead,
broad adoption of the PCI Security Standards. want financial rewards.
The organization was founded by American
Express, Discover Financial Services, JCB, Primary categories of threats
MasterCard Worldwide, and Visa Interna-
tional. Database attacks are rising

PCI and beyond Database attacks can have direct and severe
economic consequences. Database attacks
Industry standards, such as PCI, have been are rising and they can result in the loss or
developed to prescribe best practices for en- compromise of information critical to running
suring the privacy and integrity of consumer- your business day-to-day, from inventory and
specific information. Now is the time to ad- billing data to customer data and human-
dress the organizational and technical issues resources information. In addition databases
surrounding the effective use and security of are holding increasing amounts of sensitive
consumer-specific information. Those compa- information on behalf of your customers —
nies that effectively use this information to financial records, healthcare histories, order
drive customer value while at the same time histories, credit card and Social Security num-
ensuring its privacy and integrity, will be re- bers. Any loss will be an operational and cus-
warded with increased customer loyalty and tomer relationship disaster as well as a finan-
improved earnings. Failure to secure cial nightmare. Do you know how many em-
consumer-specific data will result in brand ployees have access to your databases? If
erosion and crippling scrutiny from regulatory you are using passwords for administrators,
agencies and financial networks. how are passwords being stored? Do you
have security policies in place that include
Examples from the retail industry auditing your database security and monitor-
ing for suspicious activity?
This article will review examples and use
cases from the retail industry to illustrate se- Two primary categories of insider threats
curity principles applied in a highly distributed
and exposed environment such as retail There are two primary categories of insider
‘Store Systems’ and distributed ‘Store Security threats to a typical Store System scenario:
Systems’ that are described below. Organiza- The Company employees and franchisee em-
tions today have the ability to use the informa- ployees. Either or both may be enlisted by an
tion captured from points-of-sale to deliver outsider(s) or may enlist the help of an out-
compelling value to consumers, either as indi- sider in order to attack the Store Security 81
System. Their motivations are likely to be ei- customers’ needs. However, consumers, gov-
ther profit or to cause harm to The Company ernment regulatory agencies, and financial
by way of either a direct denial of revenue networks are growing increasingly concerned
and/or by tarnishing The Company brand with that consumer privacy is jeopardized by the
the bad publicity that would almost inevitably potential of security breaches within organiza-
be the result of a successful compromise. In tions’ technology environments.
any of the above scenarios, it should be ex-
pected that the insider will be able to learn Dealing with new and innovative intrusions
how the Store Security System functions to a
level at least significant enough to attempt an There are no guarantees that any one ap-
attack. proach will be able to deal with new and inno-
vative intrusions in increasingly complex tech-
Security breaches within organizations' nical and business environments. However,
technology environments implementation of an integrated security pro-
gram which is continuously audited and moni-
New technologies make it increasingly feasi- tored provides the multiple layers of protection
ble for organizations to relate item movement needed to maximize protection as well as his-
to specific customer information, and to ana- torical information to support management
lyze that relationship to develop business decision-making and future policy decisions.
strategies that are more relevant to individual

The primary problem with many compliance initiatives is a

focus on existing security infrastructure that addresses
only the network and server software threats.

More sophisticated data attacks furthermore, these solutions tend to be tar-

geted at the perimeter and thus do not inspect
Insight into data-level attacks and audit internal traffic, partner/VPN traffic,
or encrypted traffic. Finally, these solutions do
The primary problem with many compliance not understand the complex protocols used by
initiatives is a focus on existing security infra- databases and database applications—a se-
structure that addresses only the network and vere handicap when trying to detect threats to
server software threats. However the data se- the database.
curity capabilities required to be compliant
goes far beyond these technologies. Network Limitations in defending data attacks
and server software protections (network fire-
walls, Intrusion Prevention Systems), while Traditional database security mechanisms are
important, provide no insight into data-level very limited in defending successful data at-
attacks targeted directly against a database or tacks. Authorized but malicious transactions
indirectly via a web application. Regulatory can make a database useless by impairing its
compliance requires an understanding of who integrity and availability. The proposed solu-
is allowed to access sensitive information. tion offers the ability to detect misuse and
Regulatory compliance requires an under- subversion through the direct monitoring of
standing of who is allowed to access sensitive database operations inside the database host,
information? From where did they access in- providing an important compliment to host-
formation? When was data accessed? How based and network-based surveillance. Suites
was data used? The bottom line is that data of the proposed solution may be deployed
security requires a new approach that extends throughout a network, and their alarms man-
the breadth and depth of IT’s ability to secure aged, correlated, and acted on by remote or
information. Most existing monitoring solutions local subscribing security services, thus help-
focus on network-level issues or web traffic; ing to address issues of decentralized man-
agement. 82
Traditional approaches to data security The technology enablers

Traditional approaches to security have relied Although organizations are moving aggres-
on the application to enforce access control sively to use the Customer dimension to fine
for application users, the database administra- tune their business strategies, they are mov-
tor to maintain both database and application ing much less aggressively to utilize the tech-
availability and network routers and firewalls nologies available to them to mitigate risks
to restrict access to the database and applica- associated with the use of that data. This is
tion. While problems such as the insider threat not for want of technology answers, however.
are certainly not new, the potential for abuse Technologies such as data encryption, access
has never been greater due to the amount of logging and proactive forensic analysis, pene-
sensitive information being collected and the tration testing tools and services, and other
willingness of criminal organizations and indi- techniques are available now. One of the most
viduals to pay for such information. The nature effective ways to can avoid a serious security
of the information threat today requires more breach is to protect the data in your data-
sophisticated security mechanisms within the bases. There are many aspects to information
database. security, but the heart of securing credit card-
based transactions focuses on databases.

A defense-in-depth strategy "Checks and balances" to reduce success-

ful attacks
Part of the problem lies in the fact that most
companies solely implement perimeter-based Traditionally, insider threats are the most diffi-
security solutions, even though the greatest cult to both prevent as well as detect. Further,
threats are from internal sources. Additionally, it is likely that no technology solution will be
companies implement network-based security adequate to safeguard against every possible
solutions that are designed to protect network attack scenario. However, other industries
resources, despite the fact that the information (notably the financial services industry) have
is more often the target of the attack. handled insider threats for centuries. In situa-
tions where known technology weaknesses
Recent development in information-based se- are recognized, the financial services industry
curity solutions addresses a defense-in-depth typically compensates by instituting proce-
strategy and is independent of the platform or dural “checks and balances” to greatly reduce
the database that it protects. As organizations the likelihood of successful attacks. In most
continue to move towards digital commerce cases, these checks and balances are in the
and electronic supply chain management, the form of separation of duties and multiple
value of their electronic information has in- points of (possible) failure, the result being
creased correspondingly and the potential that no single employee can easily compro-
threats that could compromise it have multi- mise an entire system. Instead, a conspiracy
plied. would need to exist, which is deemed to be
much less likely. That same methodology of
With the advent of networking, enterprise- separation of duties is leveraged significantly
critical applications, multi-tiered architectures in the recommendations made in this docu-
and web access, approaches to security have ment in circumstances where weak points ex-
become far more sophisticated. ist in the Store Security System Architecture
out of necessity. 83
Controlling DBA access to data stays late, dumps the entire customer table
into a text file, and copies it to a USB drive.
Database administrators play a critical role in This type of activity is called privilege abuse,
maintaining the database. Performance, 24x7 and no database vendor has built-in protection
availability and backup/recovery are all part of against it. In fact, although network adminis-
the DBA job description. These responsibilities trators have enjoyed firewalls for years, data-
place the job of DBA among the most trusted base administrators have been left out in the
in the enterprise. However, the DBA shouldn't cold.
need to access application data residing
within the database. The same rule should Vulnerability assessment scanners
apply to highly privileged users, such as appli-
cation owners. These highly privileged users Vulnerability assessment scanners discover
shouldn't be allowed to use their privileges to database applications within your infrastruc-
access application data outside their applica- ture and assess their security strength two
tion. primary application tiers - application / mid-
dleware, and back-end databases. It locates,
Multiple layers of protection to maximize examines, reports, and fixes security holes
protection and miss-configurations. As a result, enter-
prises can proactively harden their database
There are no guarantees that any one ap- applications while at the same time improving
proach will be able to deal with new and inno- and simplifying routine audits.
vative intrusions in increasingly complex tech-
nical and business environments. However, Database scanners
implementation of an integrated security pro-
gram which is continuously audited and moni- Database scanners are a specialized tool
tored provides the multiple layers of protection used specifically to identify vulnerabilities in
needed to maximize protection as well as his- database applications. In addition to perform-
torical information to support management ing some external functions like password
decision-making and future policy decisions. cracking, the tools also examine the internal
configuration of the database for possible ex-
The "principle of least privilege" is ineffec- ploitable vulnerabilities. Database scanning
tive tools discover vulnerabilities through the fol-
lowing functions. Here are some examples:
A small group of individuals perpetrate the
maximum damage. Unfortunately, the problem • Passwords
with managing this threat effectively is that • Default account vulnerabilities
traditional and foundational security con- • Logon hours violations
cepts—particularly that of the "principle of • Account permissions
least privilege"—are ineffective. In computing, • Role permissions
the principle of least privilege holds that a user • Unauthorized object owners
is given the minimum possible privileges nec- • Remote login and servers
essary to permit an action, thereby reducing • System table permissions
the risk that excessive actions will negatively • Extended stored procedures
affect the system. In the real world this princi- • Cross database ownership chining
ple would mean that you are reducing the abil- • Authentication
ity for IT administrators to do their jobs quickly • Login attacks
and effectively. • Stale login IDs
• Security of admin accounts
Shield your data from malicious acts and • Excessive admin actions
mistakes • Passwords
• Password aging
The scenario is simple: a user has rights to • Auditing trail
query the database’s customer table. He usu- • Auditing configuration
ally queries one customer at a time through • Buffer overflows in user name
the application interface, but one night, he • Buffer overflows in database link 84
Protect data at rest and in transit can easily be passed between applications
and databases without changing the data.
Good security practice
Enable a strong security framework
Good security practice protects sensitive data
as it is transferred over the network (including Application-layer encryption allows enterprises
internal networks) and at rest. Once the se- to selectively encrypt granular data within
cure communication points are terminated, application logic. This solution can also pro-
typically at the network perimeter, secure vide a strong security framework if designed
transports are seldom used within the enter- correctly to leverage standard application
prise. Consequently, information that has cryptographic APIs such as JCE (Java-based
been transmitted is in the clear and critical applications), MS-CAPI (Microsoft-based ap-
data is left unprotected. One option to solve plications), and other interfaces. Because this
this problem and deliver a secure data privacy solution interfaces with the application, it pro-
solution is to selectively parse data after the vides a flexible framework that allows an en-
secure communication is terminated and en- terprise to decide where in the business logic
crypt sensitive data elements at the SSL/Web the encryption/decryption should occur. This
layer. Doing so allows enterprises to choose type of solution is well suited for data ele-
at a very granular level (usernames, pass- ments that are processed, authorized, and
words, etc.) sensitive data and secure it manipulated at the application tier. If deployed
throughout the enterprise. Application-LAYER correctly, application-layer encryption protects
encryption and mature Database-Layer en- data against storage attacks, theft of storage
cryption solutions allow enterprises to selec- media, application-layer compromises, file
tively encrypt granular data into a format that level attacks and database attacks.

Good security practice protects sensitive data as it is

transferred over the network (including internal
networks) and at rest.

Allowing flexible and fine-grained control and between different applications and data
stores. How about while being processed in
The application usually understands which the application itself particularly if the applica-
user is trying to access a given piece of data tion may cache the data for some period.
and can be programmed to understand a se- Sending sensitive information over the Inter-
curity policy and enforce it in the context of the net or within your corporate network as clear
application data. This can allow for flexible text, defeats the point of encrypting the text in
and fine-grained control of data access while the database to provide data privacy. An En-
ensuring that the critical data is encrypted be- terprise level Data Security Management solu-
fore it reaches the database. tion can provide the needed key management
for this solution. Encryption of data fields can
The sooner the encryption occurs, the be performed when entering data at the appli-
more secure cation layer and decrypted down stream at the
DBMS layer.
Due to distributed business logic in application
and database environments, it is required to Continuous data protection
be able to encrypt and decrypt data at differ-
ent points in the network and at different sys- A mature solution will protect data at rest, and
tem layers, including the database layer. En- also while it’s moving between the applica-
cryption performed by the DBMS can protect tions and the database and between different
data at rest, but you must decide if you also applications and data stores. This solution will
require protection for data while it’s moving protect data fields or files while being trans-
between the applications and the database ported in the data flow between applications 85
and particularly for applications that cache the tion of the control. Organizations should be
data for some period in temporary files, tables aware that a particular compensating control
and FTP transfers. A solution should be based will not be effective in all environments. Each
on industry accepted encryption standard compensating control must be thoroughly
such as AES 256 bit and allow ways to mini- evaluated after implementation to ensure ef-
mize the changes to the data format and/or fectiveness. For organizations unable to ren-
length. Organizations typically have many der sensitive data unreadable (for example, by
third party and legacy applications in which encryption) due to technical constraints or
they can not alter the DB schema so a high business limitations, compensating controls
level of transparency can be extremely impor- may be considered. The basic conclusion
tant. If the solution is not based on industry from this analysis is that a combination of ap-
accepted encryption standard it can be plication firewalls, plus the use of data access
strengthened by an additional layer of strong monitoring and logging may, if effectively ap-
file level encryption to protect the data at rest. plied not provide reasonable equivalency for
the use of data encryption across the enter-
Example of complementing traditional data- prise since such a combination of controls
base solutions: does have multiple weak spots, when it comes
to preventing damage from careless behavior
• Continuous encryption at the distributed end of employees or weak procedures in devel-
points including store systems all the way to opment and separation of duties.
the central systems
• Continuous encryption centrally across a Perform a risk analysis before using com-
few selected applications pensating controls
• Transparent encryption centrally across ma-
jor applications Only organizations that have undertaken a
risk analysis and have legitimate technological
Decrease the encryption overhead or documented business constraints should
consider the use of compensating controls to
There is a multitude of architectures and tech- achieve protection.
niques to improve performance: the alterna-
tives fall into two broad categories – alterna- Organizations that consider compensating
tive topologies to decrease encryption over- controls for rendering sensitive data unread-
head and techniques to limit the number of able must understand the risk to the data
encryption operations. posed by maintaining readable data. Gener-
ally, the controls must provide additional pro-
In addition, performance and security, in real- tection to mitigate any additional risk posed by
world scenarios, are complex issues and ex- maintaining readable data. Compensating
perts should be used who understand all controls should consist of a comprehensive
available options and the impact for each par- set of controls covering additional
ticular customer environment. segmentation/abstraction (for example, at the
network-layer), with an ability to restrict ac-
Data encryption vs. compensating cess to data or databases based on IP
address/Mac address, application/service,
user accounts/groups, Data type (packet filter-
ing), restrict logical access to the database,
The effectiveness of compensating con-
control logical access to the database (provid-
ing separation of duties) and prevent/detect
common application or database attacks (for
Compensating controls may be considered
example, SQL injection).
when an organization cannot meet a technical
specification of a requirement, but has suffi-
Example of compensating controls
ciently mitigated the associated risk. The ef-
fectiveness of a compensating control is de-
Currently there are multiple different database
pendent on the specifics of the environment in
segments based in different geographic loca-
which the control is implemented, the sur-
tions that require administration.
rounding security controls, and the configura- 86
This environment is difficult to administer due reducing access to environments. Adequate
to "over segregation", sometimes people have network segmentation, which isolates systems
to break “other” rules to administer effectively. that store, process, or transmit sensitive data
Many security/auditing tasks have to be dupli- from those that do not, may reduce the vul-
cated for every environment where database nerability of the data environment. Network
resides. We need to explore the viability of components include firewalls, switches, rout-
this approach. The database only network ers, wireless access points, network appli-
segment(s) have advantages including cen- ances, and other security appliances. Server
tralized entry point to manage and monitor all types include but web, database, authentica-
activity, administrative tools can effectively tion, mail, proxy, and DNS. Applications in-
manage security/auditing tasks, database en- clude all purchased and custom applications,
vironments are brought together, in a reduced including internal and external (Internet) appli-
number of environments, in "back office", and cations.
separate databases from application further

Data intrusion prevention only be accessed, by a limited number of indi-

viduals using a handful of controlled access
The inability to detect novel intrusive methods.
Host-based intrusion detection systems
Intrusion detection systems include three ba- (HIDS)
sically different approaches, host based, net-
work based, and procedural based detection. HIDS have their own limitations with regards
The first two have been extremely popular in to database protection. Most HIDS systems
the commercial market for a number of years operate by either audit trail inspection or ob-
now because they are relatively simple to use, servation of system modifications; as such,
understand and maintain. However, they fall they are only able to inspect those behaviors
prey to a number of shortcomings such as that are logged by applications or those activi-
scaling with increased traffic requirements, ties that exhibit behavior on the host for which
use of complex and false positive prone signa- detection signatures can be created (e.g.
ture databases, and their inability to detect modifications to key system files or settings,
novel intrusive attempts. The complexity of etc.).
this task was dramatically increased by the
introduction of multi-platform integrated soft- Unfortunately, malicious queries to a database
ware solutions, the proliferation of remote ac- (e.g. to obtain all password/credit card data)
cess methods and the development of appli- will generate no such log entries or detectable
cations to support an increasing number of behaviors for a HIDS to observe. As far as the
business processes. In the "good old days", database is concerned, a malicious query is
files and databases contained fewer types of just as valid as any legitimate query – it just
information (e.g., payroll or accounting data) references different data.
stored in centralized locations, which could 87
Network intrusion protection systems Database attack detection complements
traditional security measures
Traditional network-level security solutions like
Network Intrusion Protection Systems (NIPS) Database attack detection augments and
and firewalls are designed to detect hacking complements traditional security measures
attacks and exploits. Security vendors author such as access controls, encryption, scan-
and distribute signatures to detect common ners, and network and host security. Database
attacks such as malformed packets, buffer attack detection works by examining each
overflows, attempts to download UNIX pass- SQL command or query that is sent to a data-
word files, and zombie control communica- base (typically across a network) and then
tions. These signatures are produced based verifying whether that query is malicious or
on analysis of known exploit tools and known not. It works in real-time or near real-time, and
operating system and application vulnerabili- it detects malicious attacks from both internal
ties, ensuring they can detect a wide variety of and external sources. For example, consider
attacks across a diverse set of customer net- what would happen if an attacker were to
works. Unfortunately, many valid database at- compromise a web server and then issue a
tack scenarios involve a legitimate user issu- perfectly valid query and it will be executed by
ing legitimate looking commands to the data- the database without a second thought; how-
base; typical database attacks do not require ever, this query has the ability to compromise
exploit tools or the transmission of malformed thousands of credit card numbers from the da-
packets. All the attacker has to do is log in tabase. Such a query would not likely be is-
with a sufficiently privileged account and issue sued by a legitimate client application; as de-
syntactically correct queries to the database. scribed below, with proper training a database
There may be nothing overtly wrong with such attack detection system could easily identify
a malicious query other than it may attempt to this query as an attack, block the request, and
access more than the usual amount of infor- alert the administrator.
mation. Consequently, such a query would not
be caught by a network-based intrusion detec- Limit authorized usage of data is neces-
tion or prevention solution. sary to avoid breaches

Transaction level methods cannot handle Putting limits on authorized usage of data is
OS level attacks necessary to avoid breeches from the inside.
Much like an ATM machine will limit the
As more types of information were migrated to amount of money a person can take out of
electronic formats (and ever more databases their own account, it is important to be able to
proliferated, often with little planning), there set the limits on authorized use as part of data
was a simultaneous increase in the number of security policy. The data intrusion prevention
users, access methods, data flows among system respond to threats by notifying the ac-
components and the complexity of the under- cess control system to alter the security policy,
lying technology infrastructure. Add to this the for example by altering authorization and de-
demand from users for ever more sophisti- nying the access request before any informa-
cated uses of information (data mining, CRM, tion is transmitted to the user. Access rates
etc.) which are still evolving and the manage- may be defined as the number of records a
ment's enhanced awareness of the value of its user may access at one time, or the number
information, and It is safe to say that the price of records accessed over a certain period of
of poker has gone up. Database intrusion tol- time. Results may address a single query ex-
erance can mainly be enforced at two possible ceeding the allowed limit, or a number of
levels: operating system (OS) level and trans- smaller queries, individually allowed, but when
action level. Although transaction level meth- aggregated, blocked. This method allows for a
ods cannot handle OS level attacks, it is real time prevention of intrusion by letting the
shown that in many applications where at- intrusion detection process interact directly
tacks are enforced mainly through malicious with the access control system, and change
transactions transaction level methods can the user authority dynamically as a result of
tolerate intrusions in a much more effective the detected intrusion.
and efficient way. 88
A variation of conventional intrusion detection the access control system, and change the
is detection of specific patterns of information user authority dynamically as a result of the
access, deemed to signify that an intrusion is detected intrusion. The item access rates can
taking place, even though the user is author- be defined based the number of rows a user
ized to access the information. may access from an item, e.g. a column in a
database table, at one time, or over a certain
The intrusion detection profile period of time. In a preferred implementation,
the method further comprises accumulating
By defining an intrusion detection profile, with results from performed queries in a record,
an item access rate, associating each user and determining whether the accumulated re-
with one of the profiles, receiving a query from sults exceed any one of the item access rates.
a user, comparing a result of the query with The effect is that on one hand, a single query
the item access rates defined in the profile as- exceeding the allowed limit can be prevented,
sociated with the user, determining whether but so can a number of smaller queries, each
the query result exceeds the item access one on its on being allowed, but when accu-
rates, and in that case notifying the access mulated not being allowed. It should be noted
control system to alter the user authorization, that the accepted item access rates not nec-
thereby making the received request an unau- essarily are restricted to only one user. On the
thorized request, before the result is transmit- contrary, it is possible to associate an item ac-
ted to the user. The result of a query is evalu- cess rate to a group of users, such as users
ated before it is transmitted to the user. This belonging to the same access role (which de-
allows for a real time prevention of intrusion, fines the user’s level of security), or connected
where the attack is stopped even before it is to the same server. The result will be restrict-
completed. This is possible by letting the in- ing the queries accepted from a group of us-
trusion detection process interact directly with ers at one time or over a period of time.

A mature Intelligent Escalation recognizes evolving application

threats and automatically triggers application protection.

Inference detection and selective analysis before the result is transmitted to the user.
This implementation provides a second type
The user, role and server entities are not ex- of intrusion detection, based on inference pat-
clusive of other entities which might benefit terns, again resulting in a real time prevention
from a security policy. Items subject to item of intrusion.
access rate checking are marked in the policy,
so that any query concerning the items auto- Intelligent protection escalation
matically can trigger the intrusion detection
process. This is especially advantageous if A mature Intelligent Escalation recognizes
only a few items are intrusion sensitive, in evolving application threats and automatically
which case most queries are not directed to triggers heightened levels of application pro-
such items. The selective activation of the in- tection across the enterprise. A treat man-
trusion detection will then save time and proc- agement system recognizes evolving applica-
essor power. The intrusion detection policy tion threats and automatically triggers height-
further includes at least one inference pattern, ened levels of application protection across
and results from performed queries are accu- the enterprise. This unprecedented intelli-
mulated in a record, which is compared to the gence provides organizations with maximum
inference pattern, in order to determine flexibility in weighing business needs and op-
whether a combination of accesses in the re- erational performance with information risk. It
cord match the inference policy, and in that also ensures that an attack against a single
case the access control system is notified to location triggers rapid, appropriate, response
alter the user authorization, thereby making throughout the distributed enterprise. In By-
the received request an unauthorized request, pass mode the treat management system 89
allow traffic to pass through with zero per- moving at a snail's pace. Some organizations
formance impact. In Passive mode it examine have a large number of Web applications, and
inbound and outbound traffic to detect security those applications are changing daily. They
violations. In Active mode the treat manage- may have checked for vulnerabilities in a few
ment system provide full intrusion prevention of those apps, but any of them could lead to a
to immediately detect threats, generate alerts, breach Security estimates that seven or eight
and block attacks. out of every ten Websites are hosting at least
one serious vulnerability that could put its data
Intrusion prevention analysis across sys- at risk. Gartner has estimated that figure at
tem layers closer to 90 percent.

It is difficult to detect advanced attacks on The favorite vectors for Web attacks
data and data misuse by monitoring only one
system layer. A method and system for over- Common vulnerabilities and exposures across
coming the foregoing difficulties provides for the Web, include application-level attacks
the introduction of a privacy policy with en- such as cross-site scripting, SQL injection and
forcement points that span multiple system buffer overflow as the favorite vectors for Web
layers. The privacy policy is coupled with in- attacks. SQL injection is a technique used to
trusion prevention analysis between multiple exploit Web-based applications by using
system layers. The scope, both in data and in client-supplied data in SQL queries.
time, for enforcing data privacy and encryption
is then dynamically optimized between multi- SQL injection attacks are caused primarily by
ple system layers. that includes application applications that lack input validation checks.
database sessions, table data access, table Yet most enterprises still do not own a Web
space access, and database file level access. application firewall, and many don't yet do any
application scanning, experts say. Web appli-
Detect advanced attacks and data leakage cation firewalls provide essential protection
against application attacks. An application
In a system for overcoming the foregoing diffi- firewall is an enhanced firewall that limits ac-
culties, selected rules control the amount of cess by applications to the OS of a computer.
data that is exposed, and the time window for
exposure of unencrypted data. A policy under- Conventional firewalls merely control the flow
lying the selected rules defines the extent to of data to and from the CPU, examining each
which data privacy is to be enforced for par- packet and determining whether or not to for-
ticular data. At the intrusion detection point, a ward it toward a particular destination. An ap-
scorecard is provided to accumulate violation plication firewall offers additional protection by
attempts. On the basis of the number of viola- controlling the execution of files or the han-
tion attempts, session statistics, and data ac- dling of data by specific applications. Many
cess statistics spanning multiple system lay- enterprises have never had a third party audit
ers, one can determine whether a threshold their apps for vulnerabilities - in fact, many
indicative of an attack has been reached. A large enterprises don't even know how many
system as described above enhances the abil- Websites they operate, they say. The main
ity to detect advanced attacks on data as well problem is there is no single tool that can find
as instances of data misuse and data leakage. and fix all of the vulnerabilities.

Protecting applications and servers Web application firewalls protect against some
threats, but they also let others through. App
The Web application security problem scanning tools can find much vulnerability, but
they are far from 100 percent effective. Ulti-
All over the industry, application security ex- mately, you want to build the vulnerability
perts are warning IT and security departments scanning and testing phase into your devel-
that the gap is growing between today's opment process. Realistically, however, enter-
rapidly-evolving app-oriented exploits and the prises should be more concerned about the
still-nascent defenses that most enterprises applications they've already deployed than
have in place. Yet, so far, most enterprises are about revamping their QA process. 90
It makes more sense to start backwards and ment 6.5 requires that Web-facing applica-
check the apps that are exposed. Enterprises tions be developed in accordance with secure
should attack the problem first by identifying coding guidelines to guard against such at-
all their sites and the applications running on tacks. A successful SQL injection attack can
them, experts say. An audit by a third-party have serious consequences. SQL injection
expert and a scan by a vulnerability scanning attacks can result in the crippling of the pay-
tool can give the enterprise a starting point for ment application or an entire e-commerce site.
remediation. Through this avenue of attack, an attacker can
break out of the Web server and database
PCI requirement on Web facing realms, gaining complete control over the un-
applications derlying system. Another serious conse-
quence can be the compromise and theft of
Recently, commercial shopping cart products data that resides within the payment applica-
have been the focus of attack by hackers who tion infrastructure.
seek account information. PCI DSS Require-

Recently, commercial shopping cart products have been the

focus of attack by hackers who seek account information.

The SQL injection problem Unfortunately, the practice of SQL injection is

easy to learn. Fortunately, with a little fore-
Most databases are set up in a way that thought, you can prevent it.
makes breaking in relatively easy. But secur-
ing the database has become simpler. A few Protection from SQL injection
straightforward steps can vastly improve secu-
rity, usually by locking out all users except ap- There are two primary methods to protect your
plications and DBAs. But even that restriction database from SQL injection. First, make sure
doesn't completely protect your data. that applications validate user input by block-
ing invalid characters and use protected que-
One of the primary security breaches organi- ries that bind variables rather than combining
zations experience today takes place via ap- SQL statements together as strings such as
plications that connect to databases. Applica- stored procedures. Second, install Application
tions don't use native database security. In- Level Firewalls to protect your database from
stead, they access the database as a "super SQL injection and other threats targeting web
user" and, therefore, could represent a risk to applications. If you want to know exactly
data security. what's going on with your Web servers, a Web
application firewall, or WAF, is worth every
One of the most common examples of exploit- penny.
ing this risk is known as SQL injection. SQL
injection isn't a direct attack on the database. Available in software or appliance form, WAFs
Instead, it takes advantage of the way many work at the application layer, using deep-
Web applications that access databases are packet inspection to reveal the inner workings
developed. SQL Injection attempts to modify of Web applications while thwarting attacks
the parameters passed to a Web application made possible by insecure programming.
via a Web form to change the resulting SQL
statements that are passed to the database Computers outside the control of its in-
and compromise its security. If successful, an tended users
attacker can hijack the database server and
be granted the same permissions to add, A computer may sometimes be outside the
drop, and change users that the application physical control of its intended users; for ex-
has. From that point, the database is fully ex- ample, a server, USB-drive or disk may be
posed. stolen rather easily. 91
Therefore, it is prudent to restrict access to tion solution that can be application transpar-
the computer's functions, for instance by re- ent and resistant to 'multiple attack vectors'
quiring the entry of a password. It is also pru- protecting the access to API, to databases
dent to protect the files on the computer by and to SSL communication sessions. An en-
encrypting them, for instance under an en- cryption server box should be hardened and
cryption key derived from the password. The the session should be authenticated (with a
password itself should not be kept in the clear password or multi-factor authentication) and
on the computer. In this way, only parties that encrypted (SSL or similar). Lock down the ap-
know the password can use the computer and plication storage of the passwords to the log-
read the files, even if they have direct ins for the database, communication and the
access to the computer's storage devices. The encryption server. A mature transparent file
password should be strong enough that an system encryption product on the application
attacker cannot guess it and then decrypt the server platform can lock down the storage of
files. We assume that user and computer the password and may also delegate a trans-
have some secure means for communicating, parent authorization to the application.
perhaps because the user has direct, physical
access to the computer, or can establish a se- The exhaustive search attack
cure network connection with the computer.
The user may type a password into the server A slow one-way algorithm will not noticeably
at log-in time and in addition to we add a increase the cost of one operation (e.g. for the
password supplement that may be 40 bits legitimate user when logging in), but it should
chosen randomly. substantially increase the task of mounting an
exhaustive search attack. A common ap-
Protecting credentials in applications proach is to iterate the original one-way func-
tion many times. Some systems one-way
Passwords are the most common form of user function encrypts a known string 25 times with
authentication in computer systems. The DES using a key derived from the user's
password is always a weak link in any protec- password (another feature is that the salt
tion system. An administrative or master value actually modifies the DES algorithm it-
password should be particularly complex. self, making it harder for an attacker to use
According to a recent survey, 66% of enter- dedicated DES hardware to mount an attack.
prises have more than 100 applications, 92% Given the current computer resources avail-
of which connect to other applications using able, we recommend a minimum of 5000 it-
hard-coded (embedded) passwords erations for constructing the hash algorithm.
(SOURCE: Cyber-Ark Password Survey
2006.) Password strengthening

When two software applications connect, a Password strengthening is a compatible ex-

script is created which has the powerful user tension of traditional password mechanisms. It
name and password in clear text, a serious increases the security of passwords, without
security risk. Studies of production computer requiring users to memorize or to write down
systems have for decades consistently shown long strings.
that about 40% of all user-chosen passwords
are readily guessed. Passwords easily Password strengthening does not assume any
guessed are known as weak or vulnerable; extra hardware, and does not introduce any of
passwords very difficult or impossible to guess the vulnerabilities that come with extra hard-
are considered strong. Only passwords are ware. These characteristics should make
discussed in this section, but other (stronger) password strengthening easy to adopt, and
authentication types should be considered appealing in practical applications. The
based on a risk assessment. method does not require users to memorize or
to write down long passwords, and does not
Lock down the passwords rely on smart-cards or other auxiliary hard-
ware. The main cost of our method is that it
Below is one easy way to solve the general lengthens the process of checking a pass-
password protection issue by using an encryp- word. 92
Use salted passwords with the pre-computed list. Systems should
therefore enforce password complexity rules,
Each password hash is associated to a small, such as minimum length, requiring letters to
usually random value called salt. The salt be chosen from different sets of characters
does not need to be kept secret, and it is used (e.g. lower-case, upper-case, digits, special
together with the password to generate the characters), etc. An appropriate password
password hash. While the use of salted pass- length depends on the amount of resources
words does not increase the task for recover- available to the attacker that an organization
ing a particular password, a salt of sufficient wishes to defend against. Assuming an at-
length should preclude pre-computed, offline tacker has access to optimized DES-cracking
dictionary attacks, as it becomes impractical hardware, an organization may need to en-
to compute a large table of hashes corre- force 12-character passwords and password
sponding to possible passwords and salt val- expiration duration of 60 days to mitigate a
ues in advance. brute-force attack against the password hash.

Enforce complex passwords Generate random passwords

One of the weakest aspects of password A password generator is able to a strong

based authentication is the low entropy of password policy of a random sequence of
commonly chosen passwords. The main numbers, lower-case letters, and upper-case
attacks for recovering clear text passwords letters. These passwords are random and
from hash values consist of computation of all therefore very difficult for a hacker to guess. A
possible passwords up to a certain number of password generator thwarts any key-logging
characters (exhaustive search attack), or per- attempts by automatically copying the gener-
haps a list of typically chosen passwords (dic- ated password into the password field. Since
tionary attack). The computation is usually your password is never typed and never cop-
performed offline and the attacker simply ied to the clipboard, a keylogger has no
compares the values on the password table chance to capture your information.

Use non-privileged users for web applications.

Challenge response to avoid replay attacks ensure the account has only the minimum
privileges granted to run the application. In no
Both the central and local copy will be re- cases should a user that is a member of the
placed every time the user picks a new pass- DBA group be allowed to run web applications
word. Both passwords will be replaced every that are exposed to public or less-privileged
time the computer is re-started and can no es- users.
tablish a secure network connection with the
central key management computer. A Summary of protecting passwords
challenge-response process may be added to
avoid replay attacks if a cloned end-point Specifically, organizations can implement the
server is attacked by using the manually en- following steps to protect the confidentiality of
tered password part. password hashes: use non-privileged users
for web applications. Restrict access to pass-
Use non-privileged users for applications word hashes, Audit SELECT statements on
selected views (DBA views). Encrypt IP traffic.
One technique for capturing password hashes Enforce a minimum password length. One so-
is to exploit excessive permissions for data- lution to the application-to-application pass-
base users configured to execute web-based word dilemma is to deploy software that
application code that is susceptible to SQL moves script-based passwords into a central-
injection attacks. When selecting a user ac- ized and secured point.
count to provide access to a web application, 93
Example - a retail industry scenario use the data and processes on the Local Se-
curity Server to decrypt cached/archived en-
Each store location is storing sensitive cus- crypted credit card data. The impact of a suc-
tomer information and need to operated also cessful breach of this process could be ex-
in situations where the WAN connectivity to treme. Customer data could be compromised,
the central system is unavailable. The Local resulting in customer identity theft. It is vital
Security Server provides authorization, log- that a robust business process, complete with
ging and encryption services and are man- adequate checks and balances, be instituted
aged by a support person and a system ad- at every store location that will run a Local
ministrator at the respective store location. In Security Server. Additional technologies could
this scenario a tight integration of PKI and the be deployed to further protect this vital aspect
Store Security System is deployed. Each Lo- of the Local Security Server’s operation, such
cal Security Server (as well as Central Secu- as smart cards. A smartcard based identifica-
rity Server) retain a cached copy of the en- tion, authentication, and authorization mecha-
crypted encryption key while in an operational nism would be a significant improvement in
state. The SSL private keys are stored on or in protecting the startup and unlock process for
connection to the Application the servers. each Local Security Server. It is understood,
however, that such measures would not be
Protecting local security servers feasible to deploy at each The Company and
franchisee property. As such, a robust busi-
Each Local Security Server should be locked ness process as mentioned above is even
upon start-up. While locked, all sensitive data more important to address carefully. In nu-
is encrypted and presumably safely stored. merous other industries, mission critical appli-
During the Local Security Server start-up pro- cations commonly leverage technologies such
cedure the application gets unlocked so that it as smart cards, one time passwords, and oth-
can get on with its business processing func- ers for protecting such vital operating states
tions. Unlocking may occur through an auto- as unlocking the Local Security Server.
mated or manual process – the latter is in-
voked in situations where the WAN connec- Local administration staff access to keys
tivity is unavailable for some reason or an-
other. The security of this process depends on At various times during normal Store Security
the secrecy of the startup login contexts, System operations, store location system ad-
which are unique to each store location and ministration staff are likely to have access to
only used once in theory. Under the automatic startup login contexts and encryption keys.
unlocking process, the startup login context Despite the fact that key management has
must be discarded after use (and wiped from been carefully thought through to minimize
memory) and then a new startup login context these exposures, opportunities do exist for
is automatically rotated in via the Security Level 1 support staff to compromise customer
Administration Server, thereby greatly reduc- data. Further, detecting this sort of insider at-
ing the exposure of the startup login context. tack can be extremely difficult. The impact of a
successful insider attack on the Store Security
An attacker with a cloned local security System could be quite severe. Best practices
server in similar data environments generally include
most or all of the following measures: Back-
The manual unlock process, on the other ground checks of all personnel involved in
hand, exposes a valid startup login context to sensitive operations such as key manage-
at least two people – a support person and a ment. Separation of data. Ideally, support staff
system administrator at the respective store who have access to encryption keys should
location. Although the key is rotated after use, not have access to any sensitive, encrypted
a maliciously cloned Local Security Server data and vice versa. This, however, can be a
environment could still be unlocked using that difficult measure to implement. Separation of
startup login context if the cloned system re- duties. To the extent feasible, functional duties
mains off-line. This could enable an attacker should be separate within the data center. For
to invoke and unlock a cloned Local Security example, first level support personnel who
Server in a safe environment and potentially handle Local Security Server unlocking should 94
not also be involved with encryption key man- would without a doubt have a devastating af-
agement. The above recommendations are fect on the Store Security System. A scenario
entirely consistent with practices found in nu- such as the CA certificate appearing on a CRL
merous other industries where similar access could halt the entire PKI system. Since the
to sensitive customer data is required. The PKI is literally infrastructure to the Store Secu-
financial services industry, in particular, makes rity System, a PKI failure could have a com-
regular use of operational practices like these. mensurate affect on the Store Security Sys-
tem, resulting in considerable business im-
Failure of PKI or authentication server pact, and great care must be taken to ensure
that the PKI is operated in compliance with all
If a tight integration of PKI and the Store Se- relevant PKI industry best practices and pro-
curity System is deployed, a failure of the PKI cedures.

Protection of keys in memory the host itself. The above list of recommenda-
tions for encryption key handling is commonly
It is essential that each Local Security Server practiced throughout various industries where
(as well as Central Security Server) retain a sensitive data is encrypted.
copy of the encrypted encryption key while in
an operational state. This is (obviously) a ne- Protecting SSL keys on application servers
cessity of its business mission. An attacker
with access to a Local Security Server could SSL private keys are commonly left in plain-
potentially peruse the system’s processes and text on Application servers. Although not di-
memory to acquire the key and decrypt en- rectly part of the Store Security System Archi-
crypted data. The likelihood of this sort of at- tecture itself, this could indirectly help an at-
tack succeeding is quite low, but was it to be tacker get one step closer to successfully at-
successful; the impact could be very high. tacking the Store Security System. In particu-
Take every reasonable precaution to protect lar, the plain-text SSL key could enable an at-
the key while the Local Security Server is op- tacker to masquerade as an Application server
erational. Protection measures to consider in an Application-Local Security Server con-
should include: Memory compartmentalization versation. The likelihood of such an attack
- Generate a separate ID that does the actual working is quite low, but could enable an at-
encryption/decryption, and ensure that no tacker to do anything that an Application
other process or system ID can access its server is able to do. Consider password pro-
memory. Swapping - Ensure that the tecting the SSL key for the Application server.
encryption/decryption process and its memory Although this can be unfeasible in some op-
do not get swapped out to a virtual memory erational scenarios, if it doesn’t present an
swap/page file, which could leave behind per- undue burden, it would be a good idea. Pass-
sistent residue that could include the encryp- word protecting SSL keys is commonly done
tion key. Memory wiping - Whenever the key on production servers throughout various in-
is no longer needed, ensure that the memory dustries. On the other hand, doing so is often
location/variable where it was held is thor- not feasible. Thus, it is not uncommon to find
oughly wiped, so that no memory residue is plain-text SSL keys in production data cen-
left behind for an attacker to search through. ters. It is less common to find plain-text keys
Consider a centrally monitored host-based in- on field-deployed servers, such as the Local
trusion detection system on every Local Secu- Security Server servers.
rity Server to vigilantly watch for attacks on 95
Summary of best practices in data auditing that not only tracks all authorized ac-
tivity, it also tracks unauthorized attempts as
security management
well as any changes to security policies – it
even tracks activities of the database adminis-
trator (DBA), and provides a complete audit
report of all these activities.
Best practices begin with the centralization of
Data Security Management, enabling a con-
Separation of Roles - Regulations stipulate
sistent, enforceable security policy across the
that a data security system must provide "rea-
organization. From a centralized console, the
sonable protection from threats." Having the
Security Administrator defines, disseminates,
ability to log and review the activities of both
enforces, reports and audits security policy,
the Security Administrator and the Database
realizing gains in operational efficiencies while
Administrator provides a checks-and-balances
reducing management costs.
approach that protects from all reasonable
Protecting data
Selective Auditing Capabilities - Protegrity’s
Experts agree the best protection of sensitive
reporting system is highly selective, allowing
information is encryption. Database level en-
your security administrators to examine the
cryption provides the most comprehensive
information most critical to their job.
protection: Protection against storage-media
thefts, storage level attacks, database layer
Protected Audit Logs - Simply put, the audit
attacks and attacks from ‘super-user’ access.
logs themselves must be secure. Protegrity
Best practices dictate that a solution delivers:
encrypts all audit logs to protect against tam-
pering. This prevents an administrator from
Focused Protection - Choose only the sensi-
doing something bad and changing the logs to
tive data your organization needs to protect
cover his tracks.
(Credit Card, Social Security #, Salary, etc).
Provide individual protection for each column
Controlling access
through individual keys to gain an extra layer
of protection in case of security breach.
It is estimated that 70-80% of all security
breeches come from within the firewall. Con-
Strong Key Management - A secure system
trolling access to the data is a critical element
is only as good as the protection and man-
to any security policy
agement of its keys with integrated key man-
agement systems that control where keys are
Control Down to the User Level - Defining a
stored, who has access to them, and ensures
security policy that allows centralized defini-
they are encrypted and protected.
tion of data access, down to the data field
level, on an individual-by-individual basis
Protecting Policy Changes - Changes to se-
across the entire enterprise is best practice.
curity policy are critical events that need to be
protected. It is a best practice to require more
Setting the Boundaries - Putting limits on
than one person to approve such changes.
authorized usage of data is necessary to
Protegrity delivers this through assigning the
avoid breeches from the inside. Much like an
Master Key to more than one individual.
ATM machine will limit the amount of money a
person can take out of their own account, it is
Reporting policy
important to be able to set the limits on
authorized use as part of data security policy.
Reporting and monitoring your security policy
If the use of sensitive data should be limited to
and generating protected audit logs are fun-
9-5, Monday-Friday, then any attempt to ac-
damental best practices, and required by
cess that data outside of those boundaries
regulations. A comprehensive and efficient re-
should be denied.
porting should include:
Separation of Duties - An affective security
Evidence-quality Audit - A regulatory re-
policy should protect sensitive data from all
quirement, Protegrity delivers evidence-quality 96
‘reasonable’ threats. Administrators who have
access to all data are a reasonable threat, no Earlier articles also reviewed alternative im-
matter how much we trust them - trust is not a plementations of database-layer encryption.
policy. Implementing a separation of duties of There are several critical goals and objectives
security definition and database operations of Database-layer security that need to be
provides a checks-and-balances approach met, and enterprises are faced with choices
that mitigates this threat. about how to accomplish these goals. The
three broad approaches to database-layer en-
Requirements for data encryption solu- cryption are:
1. Native Database-Layer encryption
My earlier articles reviewed the requirements 2. Programming Toolkits
for data encryption solutions and summarized 3. Packaged Security Solutions:
how implementations at three different system • Software-only packages
layers approach critical and practical require- • Network Attached Encryption Devices
ments. • Combination of the two topologies.

The database-layer approach proves to be the Each of these solutions has its advantages
most comprehensive and versatile in meeting and disadvantages. All these alternatives pro-
the need for database protection. The vide a high level of security and physically
database-layer approach can be combined separating the keys from the data, but Net-
with Application-Layer encryption and work Attached Encryption Devices lack the
Storage-Layer encryption in meeting broader architecture to scale and perform in larger dis-
protection needs in heterogeneous environ- tributed enterprise environments with high
ments found in today’s large complex organi- transaction volumes.

Earlier articles also reviewed best practices in while providing the flexibility to allow security
enterprise data protection and how to protect professionals to deploy encryption at the ap-
data at rest, and also while it’s moving be- propriate place in their infrastructure. It pro-
tween the applications, databases and be- vides advanced security and usability and also
tween data stores. smooth and efficient implementation into to-
day s complex data storage infrastructures.
A mature solution should bring together data The integration with Hardware Security Mod-
protection at the application, database and file ules strengthens the key management facili-
levels. The encryption solution has a com- ties through the use of tamper resistant, FIPS
bined hardware and software key manage- 140-2 Level 3 cryptographic hardware.
ment architecture. A mature solution ad-
dresses the central security requirements 97
Conclusion Stronger database security policies and pro-
cedures must be in place to accommodate the
The basic conclusion is that a combination of new environment. Centralized database man-
application firewalls, plus the use of data ac- agement security must be considered to re-
cess monitoring and logging may, if effectively duce cost. Implementing "point" or manual so-
applied, can not provide reasonable equiva- lutions are hard to manage as the environ-
lency for the use of data encryption across the ment continues to grow and become more
enterprise since such a combination of con- complex. Centralized data security manage-
trols does have multiple weak spots, when it ment environment must be considered as a
comes to preventing damage from careless solution to increase efficiency, reduce imple-
behavior of employees or weak procedures in mentation complexity, and in turn to reduce
development and separation of duties. cost. By implementing solutions documented
above, we should be in a better position to
PCI requires that Web-facing applications face growing database security challenges, to
should be guarded against attacks that can proactively meet regulatory and compliance
have serious consequences. There are two requirements and to better control our sensi-
primary methods to protect your database tive data. Database security is an ongoing
from SQL injection. First, make sure that ap- process, we must revisit and refine our strat-
plications validate user input. Second, install egy regularly to adopt new technologies and
Application Level Firewalls to protect your da- address new challenges as environment con-
tabase from threats targeting web applica- tinue to evolve.
Field-level data encryption is clearly the most
There are no guarantees that any one ap- versatile solution that is capable of protecting
proach will be able to deal with new and inno- against external and internal threats. A protec-
vative intrusions in increasingly complex tech- tive layer of encryption is provided around
nical and business environments. However, specific sensitive data items or objects, in-
implementation of an integrated security pro- stead of building walls around servers or hard
gram which is continuously audited and moni- drives. This prevents outside attacks as well
tored provides the multiple layers of protection as infiltration from within the server itself. This
needed to maximize protection as well as his- also allows the security administrator to define
torical information to support management which data are sensitive and thereby focus
decision-making and future policy decisions. protection on the sensitive data, which in turn
minimizes the delays or burdens on the sys-
Sending sensitive information over the Inter- tem that may occur from bulk encryption
net or within your corporate network as clear methods.
text, defeats the point of encrypting the text in
the database to provide data privacy. The Database attack prevention represents a
sooner the encryption of data occurs, the valuable supplement to corporate information
more secure the environment. An Enterprise security by defending databases against inap-
level Data Security Management solution can propriate and malicious requests for sensitive
provide the needed key management for a so- information. By deploying database intrusion
lution to this problem. This solution will protect detection in the enterprise, businesses have a
data at rest, and also while it’s moving be- powerful tool for safeguarding information as-
tween the applications and the database and sets, protecting their reputation, and maintain-
between different applications and data ing customer trust.

Ulf T. Mattsson is the CTO of Protegrity. Ulf created the initial architecture of Protegrity’s database security
technology, for which the company owns several key patents. His extensive IT and security industry experi-
ence includes 20 years with IBM as a manager of software development and a consulting resource to IBM's
Research and Development organization, in the areas of IT Architecture and IT Security. Ulf holds a degree in
electrical engineering from Polhem University, a degree in Finance from University of Stockholm and a mas-
ter's degree in physics from Chalmers University of Technology.

For more of his work download earlier issues of (IN)SECURE Magazine. 98