Michael McNamara https://blog.michaelfmcnamara.com technology, networking, virtualization and IP telephony

How to scan for machines vulnerable to WannaCrypt / WannaCry ransomware
https://blog.michaelfmcnamara.com/2017/05/how-to-scan-for-machines-vulnerable-to-wannacrypt-wannacry-ransomware/
Tue, 16 May 2017 02:01:14 +0000

You’ve patched all your Windows servers and desktops/laptops, but what about all the other Windows machines out there connected to your network? What about the kiosks, thin clients, environmental controllers, print servers and so on? How can you tell whether they are patched if you don’t have administrative access to the devices? You can scan your network with a vulnerability scanner. There are many ways to scan your network for machines vulnerable to WannaCrypt / WannaCry ransomware, but in this post I’ll be talking about using Nmap, a free security scanning tool.

You’ll need a current Nmap; at the time of writing that was Nmap 7.40, which is available for Linux (Ubuntu, CentOS, etc.) and for Windows thanks to the binaries published for both platforms. I didn’t have any success using Nmap 6.40, which is what yum offers on CentOS 7, so I had to remove Nmap 6.40 (sudo yum erase nmap) and then install the latest RPM version of Nmap from the downloads page. (Nmap releases from 7.50 onward ship smb-vuln-ms17-010 in their standard script set, so on a current install the separate script download below is unnecessary.)

I was using CentOS 7 x64 so I issued the following commands;

[mcnamaram1@centos ~]# sudo yum erase nmap
[mcnamaram1@centos ~]# wget https://nmap.org/dist/nmap-7.40-1.x86_64.rpm
[mcnamaram1@centos ~]# sudo rpm -ivh nmap-7.40-1.x86_64.rpm

Paulino Calderon released an NSE (Nmap Scripting Engine) script on GitHub that Nmap can use to detect vulnerable machines. You’ll need to download that script as well.

[mcnamaram1@centos ~]# wget https://raw.githubusercontent.com/cldrn/nmap-nse-scripts/master/scripts/smb-vuln-ms17-010.nse

I used the following command line to run the actual scan and found an old Windows XP machine in my home that was vulnerable. The check is unauthenticated and only needs TCP 445 to be reachable; if you also want hosts that only expose SMB over NetBIOS, scan port 139 as well (-p139,445). Note that the script only prints a result when it finds the flaw, so a host with 445 open and no script output is either patched, has SMBv1 disabled, or could not be probed.

[mcnamaram1@centos ~]# sudo nmap -p445 --script smb-vuln-ms17-010.nse 192.168.1.0/24
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-15 21:29 EDT
Nmap scan report for 192.168.1.0

Nmap scan report for PLUTO.home (192.168.1.79)
Host is up (0.058s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
MAC Address: 00:21:91:81:A7:1D (D-Link)

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_      https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

If you’re not a Linux guy or gal you can also use the Windows version of Nmap (the Zenmap GUI). The installation was straightforward: I downloaded the script to the Windows desktop, created a profile, added the script and selected a target. In this case I scanned my entire home subnet, 192.168.1.0/24, and the Windows version found the same vulnerable Windows XP desktop.
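Once the scan covers more than a handful of hosts you want a list rather than screenfuls of script output. The following is an added example, not code from the original post or from Nmap: it summarises an Nmap XML report (run the scan with -oX ms17-010.xml) into one row per host that had TCP 445 open, marking which ones the MS17-010 check flagged. SAMPLE_XML is constructed by hand for the example and only approximates the layout Nmap writes; the parser therefore prefers the structured <elem key="state"> element that Nmap's vulns library emits and falls back to the "State:" line in the output attribute.

```python
"""Summarise an Nmap XML report of the smb-vuln-ms17-010 check.

Added example, not code from the original post or from Nmap. Run the scan
with XML output, e.g.

    sudo nmap -p445 --script smb-vuln-ms17-010.nse -oX ms17-010.xml 192.168.1.0/24

and pass the file to this script. SAMPLE_XML below is constructed by hand
for the example and only approximates the layout Nmap writes.
"""
import sys
import xml.etree.ElementTree as ET

SCRIPT_ID = "smb-vuln-ms17-010"

# Constructed sample: one host with 445 closed, one flagged vulnerable with the
# structured output newer Nmap builds write, one with 445 open but no script
# output, and one whose script only carries the plain-text output attribute.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p445 --script smb-vuln-ms17-010.nse -oX ms17-010.xml 192.168.1.0/24">
  <host><status state="up"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="closed"/></port></ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.79" addrtype="ipv4"/>
    <address addr="00:21:91:81:A7:1D" addrtype="mac" vendor="D-Link"/>
    <hostnames><hostname name="PLUTO.home" type="PTR"/></hostnames>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="&#10;  VULNERABLE:&#10;    State: VULNERABLE&#10;    IDs:  CVE:CVE-2017-0143">
        <table key="CVE-2017-0143">
          <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
          <elem key="state">VULNERABLE</elem>
          <table key="ids"><elem>CVE:CVE-2017-0143</elem></table>
          <elem key="risk_factor">HIGH</elem>
        </table>
      </script>
    </hostscript>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.80" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.81" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/></port></ports>
    <hostscript>
      <script id="smb-vuln-ms17-010" output="&#10;  VULNERABLE:&#10;    State: VULNERABLE (Exploitable)&#10;    IDs:  CVE:CVE-2017-0143"/>
    </hostscript>
  </host>
</nmaprun>
"""


def script_state(script):
    """State reported by one <script> element.

    Prefers the structured <elem key="state"> that Nmap's vulns library writes;
    falls back to the "State:" line of the output attribute, which is all an
    older script build (or a hand-pasted report) gives us."""
    for elem in script.iter("elem"):
        if elem.get("key") == "state" and elem.text:
            return elem.text.strip()
    for line in script.get("output", "").splitlines():
        line = line.strip()
        if line.startswith("State:"):
            return line.split(":", 1)[1].strip()
    return "UNKNOWN"


def summarise(xml_text):
    """One dict per host that had TCP 445 open, with the check's verdict.

    Hosts without a script element get "NO RESULT": by default the script
    only prints when it finds the flaw, so that covers patched hosts, hosts
    with SMBv1 disabled and hosts it could not talk to."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        ipv4 = host.find("address[@addrtype='ipv4']")
        port = host.find("ports/port[@portid='445']")
        state = port.find("state") if port is not None else None
        if ipv4 is None or state is None or state.get("state") != "open":
            continue
        name = host.find("hostnames/hostname")
        entry = {"ip": ipv4.get("addr"),
                 "name": name.get("name") if name is not None else "",
                 "state": "NO RESULT", "ids": []}
        script = host.find("hostscript/script[@id='%s']" % SCRIPT_ID)
        if script is not None:
            entry["state"] = script_state(script)
            # unkeyed <elem> children hold the ID list, e.g. CVE:CVE-2017-0143
            entry["ids"] = [e.text for e in script.iter("elem")
                            if e.get("key") is None and e.text]
        results.append(entry)
    return results


def vulnerable_hosts(xml_text):
    """IPs flagged VULNERABLE (Nmap also reports "VULNERABLE (Exploitable)")."""
    return [r["ip"] for r in summarise(xml_text) if r["state"].startswith("VULNERABLE")]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for r in summarise(text):
        print("%-15s %-20s %-25s %s" % (r["ip"], r["name"], r["state"], " ".join(r["ids"])))
```

Run it as `python3 ms17-010-summary.py ms17-010.xml`; with no argument it prints the constructed sample. Feed the vulnerable list to whatever tracks your remediation, and re-run the scan after patching so the list actually empties out.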

You’d be surprised what you might find connected to the network.

Good Luck!

Supplemental PCI DSS scoping guidance
https://blog.michaelfmcnamara.com/2016/12/supplemental-pci-dss-scoping-guidance/
Tue, 13 Dec 2016 04:45:55 +0000

I didn’t particularly loathe HIPAA and I don’t really hate PCI, but they can both be confusing and often difficult to follow because both are open to a measure of interpretation by whoever is doing the reading. The PCI Security Standards Council recently released a document providing additional (supplemental) guidance regarding network segmentation and scope boundaries for cardholder data environments.

Guidance for PCI DSS Scoping and Network Segmentation

The following excerpt neatly sums up the reasoning for the additional guidance;

PCI Data Security Standard (PCI DSS) Requirement 1.1 states that organizations need to maintain a cardholder data flow diagram to help identify which systems are in scope and need protection. Yet data breach investigation reports continue to find that companies suffering compromises were unaware that cardholder data was present on their compromised systems. This guidance provides a method to help organizations identify systems that, at a minimum, need to be included in scope for PCI DSS. It includes guidance on how segmentation can be used to help reduce the number of systems that require PCI DSS controls and illustrative examples of some common segmentation approaches.

It’s not enough just to firewall your PCI VLAN, assuming that you have a PCI VLAN: the guidance puts any system that connects to, or can affect the security of, the cardholder data environment in scope, firewall or not. Interestingly, the document doesn’t really touch on tokenization and its impact on in-scope systems. In fact the only guidance on tokenization from the PCI Security Standards Council is dated August 2011, the PCI DSS Tokenization Guidelines.

It would have been very helpful for the PCI Security Standards Council to also highlight how tokenization can reduce the footprint of in-scope systems.

Cheers!

Skyport Systems – Is SkySecure right for everyone?
https://blog.michaelfmcnamara.com/2016/02/skyport-systems-is-skysecure-right-for-everyone/
Tue, 02 Feb 2016 03:49:08 +0000

At Networking Field Day 11 I had the privilege of visiting Skyport Systems in Mountain View, CA and hearing first hand about their product offering, SkySecure. At first I thought Doug Gourlay was talking about some next-gen firewall, until I realized that the solution itself included the x86 virtualization.

Let’s start with the definition from the Skyport Systems website:

The SkySecure System is designed to host critical and exposed application workloads that are the highest priority for the business to protect. The solution is an implementation of hyper-secured infrastructure that integrates compute, security, virtualization and policy in a pre-configured, managed infrastructure platform. The components listed below operate as a single turn-key system inclusive of all necessary software and hardware. This allows the system to maintain a secure configuration throughout its existence by providing embedded, layered, and compartmentalized security starting at the point of manufacture and verified continually throughout its existence.

Let me boil that down, if just for me. In short, SkySecure is a near turn-key, ultra-secure virtualization platform (based on Xen) relying on hardware-based security I/O co-processors and Trusted Platform Module (TPM) chips to validate the integrity of the system. It provides network microsegmentation along with per-VM firewall and DMZ capabilities among its many features.

One of the most alluring features to me with experience in Healthcare and Retail industries is the clientless footprint of the solution on the actual guest VM. There’s literally nothing to install onto the Windows or Linux guest VM, no management agent, no firewall or proxy agent, nothing. With fairly stringent regulations around HIPAA and PCI compliance the ability to secure a system from the rest of the network without touching the system itself is very useful indeed. This is especially useful when looking at ShieldWeb

The presentation included a memorable quote from a comment made to a Brian Krebs story titled, Target Hackers Broke in Via HVAC Company. The quote, “If you think technology can fix security, you don’t understand technology and you don’t understand security.”, really defines the challenges facing IT with respect to security. In my opinion security is always a delicate balance between completely open and completely locked down. The users would like it completely open while the security professionals and auditors would like it completely locked down. It’s important to strike an even balance and I would argue that Skyport Systems has a solution that can help provide that balance.

In the age of whitebox servers, SkySecure is a highly specialized solution that includes hardware, software and management components that can be leveraged to secure extremely critical applications and highly sensitive systems.

As a disclaimer I received no compensation for my attendance of Networking Field Day 11 from Gestalt IT or any of the sponsors. Gestalt IT did provide for my travel arrangements, hotel accommodations and meals while in Santa Clara, CA.

Cheers!

How much security is enough?
https://blog.michaelfmcnamara.com/2016/01/how-much-security-is-enough/
Fri, 29 Jan 2016 00:48:52 +0000

We had a lively round table debate about “how much security is enough?” during Networking Field Day 11. It’s certainly not a pure networking question, and some in the room argued that it is no longer, or perhaps has never been, the network engineer’s responsibility, but a large number of networking professionals these days are still charged with keeping the digital landscape clear of threats within their employers’ networks.

The argument put forth was essentially that it is cheaper for companies to take the data breach hit than to feed ever-growing IT security budgets, because there are no penalties, or few downsides, for the many businesses involved in what has become a daily occurrence of customer and/or credit card data theft. Greg suggests that companies might be better off investing in a good public relations firm to help manage any public crisis that might arise. I wouldn’t agree that there aren’t any downsides, although I would reluctantly agree that large businesses appear to be emerging relatively unscathed from these incidents. The emergence of data breach insurance, also known as cyber liability insurance, gives additional credence to the idea that large businesses look at security and data breaches as a simple math problem.

The formula might look like this;

( (Revenue Loss + Breach Related Costs) – Breach Insurance) < IT Security Spend

In short, the financial penalty for losing your customer data doesn’t justify the IT security spend needed to actually secure it. So it’s cheaper for large businesses to take the financial hit for a data breach than to spend the considerable resources needed to secure the data, application or solution.

There’s certainly validity to the overall point that there’s little motivation for large businesses to spend significant resources on overall IT security. In an article entitled, “Why companies have little incentive to invest in cybersecurity” by Benjamin Dean, Benjamin provides numerous facts and supporting evidence to suggest that there’s little motivation for large businesses to heavily invest in protecting customer information. Benjamin provides data from both the Target and Home Depot breaches that supports the argument and ultimately ponders if additional governmental oversight will be needed to close the loop.

I would counter with this point: when has any large business spent more than it absolutely needed on anything? I can’t tell you how often I’ve stood in front of a budget committee and been told that I’ll just need to make do with the capital or operating funds I have available, no matter the strategic importance to the business operation or the ROI.

What do you think?

Is additional government oversight needed to get large business to take more responsibility?

Cheers!

Image Credit: Aap Deluxe

I’m making the jump to HTTPS and SSL for this blog
https://blog.michaelfmcnamara.com/2015/12/im-making-the-jump-to-https-and-ssl-for-this-blog/
Mon, 28 Dec 2015 18:00:38 +0000

In early January I enabled HTTPS/SSL on the discussion forums with the primary goal of securing the user credentials used to log into the forums. Almost twelve months later I’ve found some free time to migrate my blog to HTTPS/SSL as well. The goal is essentially the same, although here the change is more about protecting my own credentials, as I’m really the only user who logs into WordPress. That said, there’s more to secure than just user credentials. Security is becoming a bigger and bigger topic as ISPs take more and more liberties with customer traffic. While some ISPs have been data mining and profiling their customers’ traffic, others are actively inserting third-party cookies and headers into the data stream. You only need to search Google for a few minutes to find some blatant examples. It’s one of the reasons I’ve started using private VPN services, or HTTPS/SSL over an IPsec VPN I should say.

In addition, Google has been using HTTPS as a ranking signal for quite a few months now. I’m not sure whether that will have any impact on my little blog, but I’m happy to try and push the percentage of sites using HTTPS/SSL just a little higher.

I purchased a wildcard SSL certificate from RapidSSL that covers *.michaelfmcnamara.com. I have multiple servers and virtual hosts so it only made sense to purchase a wildcard certificate instead of purchasing multiple individual certificates.

The installation was pretty simple. I did need to bundle the certificates into a single certificate file, my own certificate first, then the intermediate RapidSSL SHA256 CA - G3, then the root GeoTrust Global CA, so the browser was presented a proper chain. (Strictly, only the leaf-then-intermediate order matters; the root is already in the browser’s trust store, so including it just adds bytes to the handshake, but it does no harm.) I changed the WordPress Address and Site Address URLs from within WordPress and then set up a redirect in Nginx;

server {
    # [::]:80 on its own only binds IPv6 on a default nginx build (ipv6only=on),
    # so add a plain IPv4 listener unless another server block already has one
    listen              80;
    listen              [::]:80;
    server_name         blog.michaelfmcnamara.com mirror.michaelfmcnamara.com;

    # $host keeps whichever name the client asked for; $server_name expands to the
    # first name in the list and would send mirror.* visitors to blog.*
    return 301 https://$host$request_uri;
}

I also had to make a few small changes to the Google Adsense scripts.

Any Issues?

Yes, there will be a few issues… Internet Explorer 8 on Windows XP doesn’t support SNI (Server Name Indication), so that browser won’t be able to connect now that I’ve enabled two SSL sites on the same IP address using two different certificates in Nginx. If you are still using Internet Explorer 8 on Windows XP you should really consider migrating off Windows XP.

Are you going to enable HTTPS/SSL on your blog or website?

Cheers!

Update: December 30, 2015 –  I had issues uploading images via WordPress after turning on the HTTP redirect. I was getting the error “An error occurred in the upload. Please try again later.” when I tried to upload an image via HTTPS/SSL. I had to go into wp-config.php and add the following, “define(‘FORCE_SSL_ADMIN’, true);” which appears to have resolved the problem.

It’s the networks fault #15
https://blog.michaelfmcnamara.com/2014/05/its-the-networks-fault-15/
Fri, 23 May 2014 12:21:33 +0000

I’ve been crazy busy over the past five months and I’ve really slacked off writing content. So what better way to inspire myself than to highlight some of the great content already out there.

Avaya Takes an Elegant Approach with SPB by Paul Stewart – Paul gives his feedback around Avaya’s Shortest Path Bridging (SPB) and their presentation at Networking Field Day 7.

The New Linode Cloud: SSDs, Double RAM & much more – There have been some very exciting improvements over at Linode; quoting their blog, “Linode = SSDs + Insane network + Faster processors + Double the RAM + Hourly Billing”.

Cybersecurity’s Maginot Line: A Real-world Assessment of the Defense-in-Depth Model by FireEye and Mandiant. “Nearly all (97 percent) organizations had been breached, meaning at least one attacker had bypassed all layers of their defense-in-depth architecture.” If you are involved in security the report is worth reading.

Configuration Management the Tail-f NCS Way by John Herbert – I enjoyed reading about Tail-f and getting John’s opinion on the product. I’ve only used RANCID, but I was interested enough that I’ll need to do more research and reading regarding Tail-f.

Who’s against Net neutrality? Follow the money by Eric Knorr. With the proposed rules by the FCC I’m guessing the Internet will be going on strike again soon. You can read more on the subject at the Save The Internet website.

Cheers!

Virtual Desktop – patches, patches and more patches
https://blog.michaelfmcnamara.com/2012/09/virtual-desktop-patches-patches-and-more-patches/
Mon, 03 Sep 2012 16:08:44 +0000

I fired up my virtual desktop (Windows XP) named DUMBO this morning for the first time in a few weeks.

This is the machine I generally use to remotely connect to customer networks when I’m consulting; I don’t use my personal desktop for a number of reasons. The virtual desktop runs on an HP ProLiant DL360 G5 running CentOS 6.3 with KVM, along with a number of other test and development guest machines.

Anyway I had to spend the better part of 60 minutes patching the machine.

  • Microsoft Security Updates (6)
  • Mozilla Firefox (v15.0)
  • Mozilla Thunderbird (v12.01)
  • Adobe Flash Update (v11.4.402.265)
  • Adobe Reader Update (v10.1.4.38)
  • Oracle Java Update (SE 6 Update 35)
  • LibreOffice (v3.5.6)

Obviously it’s critical that my desktop be free of any malicious software, especially since I usually have complete access to the entire network and occasionally connect to an Active Directory resource as a Domain Administrator. I personally rely on a defense in depth approach, making sure that all my software is up to date and employing a reputable Internet security/antivirus program. I’ve been using Kaspersky Internet Security for the past 3 years and it has actually saved me on a number of occasions, usually from unscrupulous ad networks trying to exploit known vulnerabilities in Microsoft’s Internet Explorer or Mozilla’s Firefox.

The most recent security headline grabber was the zero-day vulnerability in Oracle’s Java software – along with the fix and patch. Many security experts are advising people to disable or uninstall Java if they don’t need it – the problem – users typically won’t really know if they need or use Java.

In February 2010 and January 2011 I wrote about a number of security threats and the alarming number of machines I was finding from neighbors and friends that were operating on the edge with either out-dated or missing Internet Security/Antivirus software. I’m sorry to say the trend hasn’t diminished at all. I’m seeing the same or worse in business and corporate networks where IT staffs are struggling to keep up with the “do more with less” mantra while security takes a back seat.

You only need to read the article entitled Inside a ‘Reveton’ Ransomware Operation by Brian Krebs and ponder the criminal possibilities.

There are a great many of us using our personal computers for electronic banking. I personally love the convenience and can’t remember the last time I was actually in a bank branch. However, with that convenience comes a lot of danger and added responsibility. If you have young kids using your personal computer I would strongly urge you to setup accounts for them without administrative access, many operating systems also have parental controls to help monitor your child’s activity.

Here’s my yearly reminder to everyone, spend a few minutes and make sure that the software on your laptop/desktop is up-to-date and that your Internet Security/Antivirus software is running properly. The few minutes (or few $$$$ renewing your Internet Security/Antivirus subscription) you spend now will likely save you from hours and days of frustration and heartache down the road.

Cheers!

References:

Secunia Personal Inspector
Secunia Online Software Inspector (requires Java)

Internet Security Threats
https://blog.michaelfmcnamara.com/2010/02/internet-security-threats/
Tue, 02 Feb 2010 00:00:17 +0000

Over the past 5 weeks there have been a lot of Internet security related events in the news. You may have read Google’s recent announcement that it and 30 other organizations were the victims of Chinese-supported hackers. There have also been numerous stories of everyday people having their banking user names and passwords stolen by hackers, along with large sums of money from their bank accounts.

Let me focus attention on three recent vulnerabilities in Internet Explorer, Adobe Reader, and Adobe Flash / Adobe AIR;

Microsoft Internet Explorer Vulnerability MS10-002 (Cyber Security Alert SA10-021A)

Adobe Reader and Acrobat Vulnerability APSB10-02 (Cyber Security Alert SA10-013A)

Adobe Flash Player and Adobe AIR APSB09-19 (Cyber Security Alert SA09-343A)

Any of these vulnerabilities can be exploited remotely when the user visits a malicious web page or opens a malicious PDF document. Once the vulnerability is exploited, additional software is usually installed on the computer, which can disable antivirus solutions and begin harvesting user names and passwords, including banking credentials.

What should I do?

You need to make sure that you have the latest and greatest software and security patches applied to your personal computer. You should make sure that you have turned on Microsoft Windows Update; this will update Internet Explorer automatically. You can also confirm that Internet Explorer is up-to-date by manually visiting the Microsoft Windows Update website. You should also update/install the latest and greatest versions of Adobe AIR 1.5.3, Adobe Reader 9.3 and Adobe Flash 10.0.42.34.

If you haven’t already updated your home (or work) computers recently you might want to invest some time in the task. It might save you from a lot of problems and headaches later down the road.

Cheers!

References;

SANS Top Cyber Security Risks
Symantec Internet Security Threat Report 2008
What To Expect In Security In 2010

Domain Name Server patch
https://blog.michaelfmcnamara.com/2008/07/domain-name-server-patch/
Sun, 13 Jul 2008 23:00:51 +0000

Last week there was a flurry of information about a new security flaw in the Domain Name System (DNS), the software that acts as the central nervous system of the entire Internet. It is a cache-poisoning flaw (the Kaminsky bug), and the fix the vendors shipped is to randomize the UDP source port of outgoing queries so that forged answers are much harder to land.

On Tuesday July 8, 2008 a number of vendors including Microsoft, Cisco, Juniper and Red Hat released patches and/or acknowledged the flaw existed. The Internet Systems Consortium (ISC), the group responsible for development of the popular Berkeley Internet Name Domain (BIND) server, the most widely deployed DNS server, also acknowledged the flaw and released a patch.

I personally spent about 90 minutes last Wednesday updating several internal and external systems, including numerous CentOS 5.2 servers and Windows 2003 Service Pack 2 servers. I was unable to find any mention of the DNS flaw on the Alcatel-Lucent website, so I’ll probably need to place a call concerning Alcatel-Lucent’s VitalQIP product.

I used yum to patch the CentOS Linux servers [“yum update”] and then just restarted the named process [“service named restart”]. On the Windows 2003 Service Pack 2 servers I used Windows Update to download and install KB941672 after which I rebooted the servers.

Here are some references:

http://www.theregister.co.uk/2008/07/09/dns_fix_alliance/
http://www.networkworld.com/news/2008/071008-patch-domain-name-servers-now.html
http://www.networkworld.com/news/2008/070808-dns-flaw-disrupts-internet.html

http://www.networkworld.com/podcasts/newsmaker/2008/071108nmw-dns.html

http://www.us-cert.gov/cas/techalerts/TA08-190B.html
http://www.microsoft.com/technet/security/bulletin/MS07-062.mspx

I would strongly suggest that all network administrators start looking into patching their DNS servers as soon as possible.

Cheers!

UPDATE: July 14, 2008

Here’s an update from RedHat concerning the configuration (named.conf) of BIND;

We have updated the Enterprise Linux 5 packages in this advisory. The default and sample caching-nameserver configuration files have been updated so that they do not specify a fixed query-source port. Administrators wishing to take advantage of randomized UDP source ports should check their configuration file to ensure they have not specified fixed query-source ports.

It seems that a check of the configuration file would be in order. Let me throw in a quick warning though: if your DNS server is sitting behind a firewall you may need to check with the firewall administrator to understand how the firewall will behave if you randomize your source ports. I believe there are quite a few firewalls out there that only expect to see DNS traffic sourced from a DNS server on UDP/53.
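The Red Hat note above amounts to a concrete audit item: any query-source or query-source-v6 statement in named.conf that pins a port number turns the randomization back off. The following is an added example, not code from the original post or from Red Hat, that performs that check on a named.conf and reports what it finds together with the firewall caveat. The two configurations embedded in it are constructed for the example (the first mimics the old CentOS caching-nameserver default that pinned port 53); the script takes a path to a real named.conf as its first argument.

```python
"""Flag fixed query-source ports in a BIND named.conf.

Added example, not from the original post or from Red Hat. After the July 2008
patches BIND picks a random UDP source port for every outgoing query, but only
if named.conf does not pin one, so a leftover "query-source address * port 53;"
quietly undoes the fix. The two configs below are constructed for this example.
"""
import re
import sys

# Strip // and # line comments and /* */ block comments before matching, so a
# commented-out statement cannot produce a finding.
COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.DOTALL)

# query-source [address <addr>] [port <port>] ;   (and the -v6 variant)
QUERY_SOURCE_RE = re.compile(
    r"\b(query-source(?:-v6)?)\s+(?:address\s+(\S+)\s*)?(?:port\s+(\S+)\s*)?;",
    re.IGNORECASE,
)

# Constructed: the shape of the old caching-nameserver default that pins port 53.
BAD_CONF = """
options {
    directory "/var/named";
    // pinned years ago so the firewall only had to allow UDP/53 outbound
    query-source    address * port 53;
    query-source-v6 address * port 53;
};
"""

# Constructed: both accepted spellings that leave the port to named.
GOOD_CONF = """
options {
    directory "/var/named";
    /* leave the port to named: it is randomised per query */
    query-source address *;             // no port clause at all
    query-source-v6 address * port *;   // explicit wildcard port
    # query-source address * port 53;   (commented out, must not count)
};
"""


def fixed_query_source_ports(conf):
    """Return (statement, port) for each query-source statement that pins the
    port. A missing port clause and "port *" both let named randomise."""
    findings = []
    for m in QUERY_SOURCE_RE.finditer(COMMENT_RE.sub("", conf)):
        statement, port = m.group(1).lower(), m.group(3)
        if port is not None and port != "*":
            findings.append((statement, port))
    return findings


def report(conf):
    """Verdict text for one named.conf, including the firewall caveat."""
    findings = fixed_query_source_ports(conf)
    if not findings:
        return "OK: no fixed query-source port; named will randomise outgoing source ports"
    lines = ["FIXED PORT: %s port %s" % f for f in findings]
    lines.append("Remove the port clause (or use 'port *'), then confirm the firewall in "
                 "front of the server allows outbound UDP from ephemeral ports, not only "
                 "from UDP/53, or the randomised queries will simply be dropped.")
    return "\n".join(lines)


if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_CONF
    print(report(conf))
```

Run it as `python3 check-query-source.py /etc/named.conf` (include any files the main config pulls in with `include`, since the statement can live there too). A clean report is only half the job: the firewall side of the caveat still has to be confirmed by actually watching a query leave on a high port.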

Good Luck!
