IT Security Blog

The Nmap Scanner

By

The nmap port scanner can be used by attackers to determine which ports are open on a remote system, and which services are running on those. Recent versions are even capable of fingerprinting the exact application and version number running, allowing an attacker to fine-tune their attack to such a system.

But nmap was not designed for this purpose, it was designed to help the network administrator prevent attacks by doing the same thing; checking their network for points of weakness.

When setting up servers, firewalls or other network-connected systems, I always run an nmap scan on the “finished” system, and then lock down anything which appears that doesn’t need to be accessed from the outside world. On a Linux system, for instance, X11 and services such as MySQL may listen on TCP ports, but there is often no need for a remote system to connect into these services. In such a situation, firewall rules allowing only localhost (127.0.0.1) to access these ports prevents them showing in any subsequent nmap scans (provided the scans are from a remote machine!).

Nmap supports many scan types, designed to obtain information about the network (ping sweep scanning, for instance), the open ports (TCP connect, UDP and half-open, or stealth, (SYN) scanning), and the operating system and services running (OS and service fingerprinting).

Each scan type provided by nmap can give the system administrator useful information, and by thinking along the same lines as an attacker, the administrator can often close off parts of the network, lock down services on accessible systems, and generally reduce the avenues of attack. Nmap is an essential tool in highlighting which of these avenues are open in the first place, allowing an administrator to block potential attackers before they become a problem.

New Secure IM Software

By

NTT Communications (Japan) have created a new secure Instant Messaging system. This system communicates over TLS (Transport Layer Security), the successor to the SSL standard.

Communications on most IM systems are secured between client and server – where password exchange typically takes place, but once the initial connection has been established, messages themselves are usually passed directly between clients. In the new messaging system, all communication goes through the sever, and is performed over an encrypted TLS connection.

This allows, apparently, restrictions on the server to govern which users can talk to each other, which types of files may be sent, and so on.

This sounds like a great idea, but there is a reason for current systems to communicate directly between clients – a single relay server is a single point of failure, and also serves as a bottleneck in the network. Using TLS only serves to further slow down the server, and I am not sure how well this solution would scale (though a network of servers, IRC style, might work…)

Meanwhile, for small to medium corporations, this could be the secure solution that has been needed for a long time. It will be a while before it becomes scalable to the entire Internet, though, I expect.

[tags]IM software,bottleneck,encryption,data centers, instant messaging, online security[/tags]

2006 Security Book Roundup

By

This year has seen a steady increase in the number of new books being published on security-related topics. Since the year is about to end, I thought I’d round up a few of the best I’ve read, seen, or heard about, and comment briefly on each one!

Apache Security
O’Reilly
Published March 2006
http://www.amazon.co.uk/exec/obidos/ASIN/0596007248/

This book covers installing a secure Apache web server, discusses a variety of attack techniques, and looks at securing a multi-user hosting environment. All round, an excellent book for webhosts or anyone running Apache on an Internet-accessible system! You can also rent textbooks to save money.

SSH, The Secure Shell: The Definitive Guide, Second Edition
O’Reilly
Published May 2006
http://www.amazon.co.uk/exec/obidos/ASIN/0596008953/

This book takes a look at the SSH program, a replacement for telnet or rsh, providing an encrypted link over which programs can be run. SSH also contains programs for file copy, replacing rcp and perhaps even FTP! The book looks at the latest developments in OpenSSH and other SSH implementations, and includes some powerful examples including setting up SSH tunnels and forwarding systems.

Security And Usability
O’Reilly
Published February 2006
http://www.amazon.co.uk/exec/obidos/ASIN/0596008279/

This book reaches a compromise between the two design goals of security and usability. I haven’t actually read this one, but everyone I speak to that has thinks its worthwhile!

Extrusion Detection
Addison-Wesley
Published June 2006
http://www.amazon.co.uk/exec/obidos/ASIN/0321349962/

One of the few books in publication which covers the important topic of internal attacks! Again, I haven’t read this, but it is an important topic, and its nice to see books finally starting to appear to bridge the gap between the generic security books and the knowledge that network administrators need!

Cryptography In The Database
Addison-Wesley
Published May 2006
http://www.amazon.co.uk/exec/obidos/ASIN/0321320735/

This book approaches security from the opposite end to many; from the innermost structure in many applications. Databases are often left open to attack because it is assumed that the outer layers of a program protect any database access against exploitation. Using cryptography in the database helps to prevent attacks which take advantage of most peoples false sense of local security! Once again, this book is a much-needed addition to the stores!

If I’ve left out your favourite security book of the year, or, if you’re one of the lucky few, the book you wrote this year, don’t be offended! I just chose a few of the ones that stood out most to me. There were, as I said, a large number of books dealing specifically with security this year, from VPNs to SSH, rootkits to software vulnerabilities, Apache to IIS, and PHP to SQL. In each case, the books have contributed new and fresh ideas, shown the latest attack patterns, and offered advice for prevention, or, failing that, cure.

As the threat from malware, malicious hackers and even corporate software with unintentional (or intentional) security issues grows, books like these serve not only to educate the developer and system administrator in prevention, but also to alert the user to the threat. Most technical users cannot fail to notice the distinct rise in security related books this year, and should easily be able to correlate this to the ever-increasing threat as our world becomes ever more connected!

MD5 Revisited

By

Recently, a programmer named Patrick Stach released unto the world his working source code for generating an MD5 collision within a very reasonable amount of time for most desktop PC’s. Leave it to the media to sensationalize it and proclaim that MD5 is now BROKEN! Run! Go out and buy duct tape! While it is true that no true security product should be relying on MD5 for anything serious, it’s not quite the end of the world that many of these news geniuses are painting it as.

The fact of the matter is that most Linux and other UNIX distributions use the MD5 hashing algorithm to handle their password database for the users. It takes your password, hashes it using MD5, and then stores that. When a user attempts to login via SSH for example, the system takes the password they typed and then hashes it using whatever algorithm it was configured to do (which is MD5 in most cases) and then compares it to the hash that’s in its database. If it matches, then the user entered the correct password and is granted access to the system. If they don�t match, they obviously didn’t type in the right password. The security in these hashing algorithms lies in the fact that each and every series of letters will have a unique hash. In English, I can rest easy at night knowing that the hash of “cat” will NEVER be the same hash of “dog“.

So the security community is up in arms about the fact that they now have an actual implementation of generating MD5 collisions, instead of it being a hypothetical paper that the general public would never understand. So what exactly is the impact of this little release you might be wondering? Well, you can put away that duct tape because your NIX servers will remain running tomorrow just fine. The truth is you can’t use this utility to be able to break a hashed password any faster. Instead what this does it allows you to find a pair of “plaintexts” (term for normal words/letters) that will come out to the exact same hash value. This is not supposed to be possible, but because of the discovered weakness in MD5, it is. Either way, the release utility does not help anyone find the “plaintext” from an MD5 hash. That is still impossible and does require you to brute force crack any hashes. It also means that MD5 is STILL safe to use as a file verification tool. While I’m not advocating the continued use of MD5, it’s still not the end of its life.