PenTest Extra 6_2012 Honeypots

Page 1



Paws Studio (advertisement)

Intelligent compliance auditing. Paws Studio is intelligent compliance software that enables organizations to produce thorough and easy-to-action compliance audit reports on their Windows-based workstations and servers. Assuring that your company complies with industry standards is imperative. Being compliant not only heightens your reputation and allows you to trade in some industries, it also gives your clients confidence in your ability to secure their data. Paws Studio includes pre-defined policies for top computer usage security standards as well as enabling you to customize the security policy to comply with your own security strategy. Being fully scriptable means that Paws Studio can be written into your existing processes, making the compliance process quicker and easier. You can choose whether to manually retrieve the data from your machines or use the remote network auditing function (beta) to automate the data collection process.

Paws audits (areas listed in the advertisement's graphic): Antivirus & Spyware, Audit Policy, Files & Directories, Windows Firewalls, Password Policies, Password Warnings, Permissions, Registry Settings, Software Updates, User Policies, User Rights, Installed Software, Illegal Software, Software Versions; Multi-Platform Support for

Define your own Security Policy. Paws Studio has a definition editor with a built-in, easy-to-use 'Simple View'. This enables you to quickly edit your own definition files. The Editor gives you full access to all the Paws Studio checks so that you can create thorough and customized definition files to base your audits on. There is also an 'Advanced View' if you wish to directly modify the generated XML.

Pre-Defined Policies. Compliance requirements may vary by industry. Paws Studio has several industry standard policies integrated into the software so that you can easily access all the requirements to become compliant.

Manual Data Collection. Paws Studio also provides the option of manually collecting data using the Paws Data Collector. This offers the benefit of creating no network traffic and is ideal for use in secure environments where machines are isolated or locked down.

Remote Network Auditing (beta). With Paws Studio you can remotely collect the data that you want to audit over the network. The choice of manual or remote data collection means that Paws Studio always offers a failsafe, allowing you to complete your audits.

Key features:
• Perform compliance audits through either remote network auditing (beta phase) or manual data collection
• Produce clear and easy-to-action reports, with comprehensive summaries to appeal to all levels of your organisation
• Audit against predefined policies
• Define your own customised policy to audit against
• Fully scriptable so audits can be written into your existing processes
• Export into PDF, CSV, XML and HTML
• Run multiple reports simultaneously

Evaluate Paws Studio for free at www.titania.com or contact us for more information.

Titania Limited • County House • St Mary's Street • Worcester WR1 1HB • UK. Telephone: +44 (0)1905 888 785 • Email: enquiries@titania.com • www.titania.com. Titania Limited is a company registered in England and Wales. Registered Number: 6870498. VAT Registration Number: 984 3990 61.


CONTENTS

Dear Readers,

From the positive comments on the article "The Honeypots" by Vatsal Parekh in the previous edition and the great curiosity of our audience about this topic, we have decided to continue the topic of honeypots and to devote to it almost the whole issue. It means that honeypots are still an up-to-date topic. At the beginning we will try to refresh the basic points about honeypots to discover what they are in a more detailed way. In this edition you will find more technical articles about honeypots, and one more article by Vatsal Parekh about Commercial and Open Source honeypots. Through the experts you will learn why "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource – Lance Spitzner", and what types of honeypots there are. Also, please read the article by Daniel Wood with his easy explanations and personal opinion; you will enjoy it for sure. I must recommend you some interesting tutorials by Pierre-Henry Soria and Dan Ross about how to create a honeypot. One of the members of The Honeynet Project, Jamie Riden, will give you some recommendations on why you should spend time hardening your network and then implementing some sort of IDS before you start to look at honeypots as a means of defending your network.

You can learn what two honeypot experts and members of the Affined Honeypot project (NoAH), Jason Polakis and Spiros Antonatos, answered in the interview to "Does honeypot have the intelligence module to detect unknown malware/latest exploit?" or what is the best platform to build a honeypot on in their opinion. In addition, this time you have an opportunity to read about data conversions by Colin Renouf. I hope the experience and opinion of our specialists will help you in your activity and give you new useful information.

With any comments or complaints, please feel free to contact viyaleta.piatrouskaya@software.com.pl.

Thank you all for your great support and invaluable help. And most of all – thanks for staying with us. Enjoy reading!

Viyaleta Piatrouskaya & PenTest Team

Basic

06 Some notes on honeypots
by Mudit Gera
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. It has no production value; anything going to, or from a honeypot, is likely a probe, attack, or compromise.

NETWORK SECURITY

08 Commercial Honeypots V/S Open Source Honeypots – A Critical Comparison
by Vatsal Parekh
A critical comparison on how to choose between commercial honeypots and open source honeypots.

12 Trapping Bears While Floating Like a Butterfly and Stinging Like a Bee
by Daniel Wood
We understand what honeypots are, how they can be used to create a honeynet, and how to implement them; we need to keep in mind that if not deployed properly they can create a high risk to your production environment, and due diligence should be exercised when planning and deploying honeypots.

16 Honeypot's – useful within active threat defence
by Dan Ross
In today's world of Information Cyber Security, honeypots have steadily become a strategic first line of defence and thus have gained a strong place as an active threat detection tool. They have been adopted into organisations' public and private networks for over 10 years, so there is no longer a clear-cut definition of what a honeypot is.

22 Protect your site with the Honeypots
by Pierre-Henry Soria
In all interactive websites there is a part called "sensitive", such as the administrative part, which allows control of almost the entire site. In this article we'll learn how to create a honeypot, more precisely a fake administration panel, that allows you to learn how the hacker is trying to exploit vulnerabilities in your site, but also discourages/stops the continuation of the hacking, following the principle of the honey pot.

EXTRA 06/2012(10)

Page 4

http://pentestmag.com


32 Using Honeypots to Augment Existing Network Security Measures – Practical deployment of honeypots for early detection of breaches
by Jamie Riden
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. – Lance Spitzner.

Standards & Practices

42 Data Conversions and System Attacks
by Colin Renouf
Now in the new environment each set of bytes was being treated as a character with a set of rules describing how it was to be translated, and when treated as characters in UTF8 a character can be represented by 1, 2, 3 or 4 bytes. This is the world of Unicode, where almost every conceivable character from almost any language can be represented.

Interview

46 Interview with the members of Affined Honeypot project (NoAH) Jason Polakis and Spiros Antonatos
by Stefanus Natahusada
What is the best platform to build a honeypot on, in terms of security, performance and flexibility? Is there a general framework to design, develop and build a honeypot system?

TEAM

Supportive Editor: Małgorzata Skóra malgorzata.skora@pentestmag.com
Product Manager: Viyaleta Piatrouskaya viyaleta.piatrouskaya@software.com.pl
Betatesters / Proofreaders: Stefanus Natahusada, Steven Swierckx, Daniel Wood, Eric Shultz, Emiliano Piscitelli, Prateek Gianchandani
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca andrzej.kuca@software.com.pl
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

To create graphs and diagrams we used program by
Mathematical formulas created by Design Science MathType™

DISCLAIMER!

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.



Basic

Did you know? Honeypot

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. It has no production value; anything going to, or from a honeypot, is likely a probe, attack, or compromise.

A honeypot can be used to log access attempts to those ports, including the attacker's keystrokes. This could send early warnings of a more concerted attack.

Where to place a honeypot

A honeypot should be placed in front of the firewall on the DMZ.

Types of honeypots
• low-interaction honeypot (ex: Specter, Honeyd, and KFSensor),
• medium-interaction honeypot,
• high-interaction honeypot (ex: Honeynets).

Advantages and Disadvantages of a honeypot

Advantages
A honeypot collects small data sets of high value:
• it catches new attacks and reduces false negatives,
• it works in encrypted or IPv6 environments,
• it is a simple concept requiring minimal resources.

Disadvantages
• it has a limited field of view (microscope),
• it involves risk (mainly high-interaction honeypots).

Figure 1. DMZ network



NETWORK SECURITY

Commercial Honeypots V/S Open Source Honeypots – A Critical Comparison

Open source honeypots have proved to be better only when the technical team building and designing them is aware of their capabilities and limitations. Not all open source honeypots on the market are up to the mark, but choosing them according to your needs and then configuring them is a must-do job for the technical personnel of the company.

Hello Everyone! First of all I would like to thank all of you for taking interest in this topic, HONEYPOTS. We all know and are aware of how important honeypots and honeynets are in our network. Today I am going to tell you about Commercial Honeypots and Open Source Honeypots.

Commercial HONEYPOTS

Commercial Honeypots are pre-built products. They are built to cater to different types of networks by using just one solution or a set of many solutions. They come with a price tag. Highly qualified security professionals are the minds behind designing and implementing a successful commercial honeypot. Commercial honeypots use fixed platforms to provide solutions.

Top-3 Commercial Honeypots
• PatriotBox (Recommended) – A commercial, easy-to-use, low-interaction honeypot which is specifically designed for Windows-based solutions. This honeypot solution is extremely powerful for Windows-based networks only.
• KF Sensor – Another powerful, low-interaction, Windows-based honeypot whose primary design purpose is the detection of threats,

Figure 1. Honeypot



NETWORK SECURITY

Trapping Bears While Floating Like a Butterfly and Stinging Like a Bee

After an organization has set up perimeter security controls such as firewalls and intrusion detection, and decides to take a more proactive rather than reactive and defensive stance, it may start looking at mechanisms to conduct packet captures or implement solutions such as honeypots.

Honeypots are computers, systems, or even a network of computers and systems (called honeynets) that exist in order to detect intruders and conduct research on the methods used to attack the network assets of an organization, thus increasing situational awareness throughout the organization. An advantage of implementing honeypots or a honeynet is that an organization can provide decoy systems for attackers to focus on, rather than going straight to the organization's critical assets. If an attacker is presented with a vulnerable machine, or one that appears to be vulnerable, then they will spend time and effort on trying to compromise that vulnerable asset. This gives the organization time to identify that an attack is underway and take appropriate measures in monitoring the attacker, capturing network traffic from the exchange (pcap dumps) and adjusting security measures to protect against future attacks similar in nature and even from the attacker's IP address (Figure 2). It is extremely important to note that if vulnerable assets are being put on a network for the purpose of diverting attackers away from production network assets, the honeypots must be segmented off from anything that is truly critical or sensitive in nature. If an attacker is able to own a machine, there's a real risk that they may be able to pivot to other internal network resources. Obviously this is something we don't want happening and should avoid at all costs. This occurs by essentially standing up a vulnerable host to pivot from and allowing an attacker to bypass your firewalls, your IDS/IPS, and other protections you may have in place, defeating the entire purpose. If operating within a virtualized environment, it's strongly recommended that special attention and care be taken. Having your honeypot/net in a separate VLAN while still logically connected to a production network is asking for trouble if not

Figure 1. Kippo, an SSH honeypot, listening for brute-force attacks



NETWORK SECURITY

Honeypot's – useful within active threat defence

In today's world of Information Cyber Security, honeypots have steadily become a strategic first line of defence and thus have gained a strong place as an active threat detection tool. They have been adopted into organisations' public and private networks for over 10 years, so there is no longer a clear-cut definition of what a honeypot is.

This article intends to describe the different uses of, as well as the need to deploy, a honeypot or honeynet within your organisation's infrastructure. Overall, honeypots are designed to coexist complementarily within a network environment in order to deliberately observe possible intrusions and would-be drive-by attackers. They are purposely set up to attract the would-be hacker and appear as an open target on an organisation's network, so that a hacker probing through would move in for intrusion purposes. Honeypot environments are in fact totally passive systems holding no real content or capacity by which a hacker can access information or possibly use them as a pivot to compromise other systems. Instead the hacker becomes the observed, as all incoming packets within a honeypot are always likely to come from a malicious source. This is considered a form of counterintelligence and the means by which defence practitioners gain good situational awareness of any attack. There are a number of different uses of honeypots: some are designed to reduce spam activity, some are designed to deceive the hacker while prolonging their possible intrusion into more sensitive areas and analysing their steps, and others are set up simply to collect information on new forms of malware and also the whereabouts of the command and control of botnets. As part of defence in depth within the security community, the implementation and deployment of honeypots and their inclusion within networks called "honeynets" yield much richer logs and intrusion detection data than could ever be possible through monitoring ordinary computer systems and networks. As a security measure it can be considered that honeypots are like playing with fire and thus should never be implemented on an organisation's critical control systems. These systems should always be protected and concealed by the use of honeypots. It should be said at this point that honeypots are utilised not only as a defence mechanism in the protection arsenal against the external world but are also part of internal defence, against attacks from within the organisation itself, so that real access to protected information becomes difficult and obfuscated to those unauthorised persons who may intrude beyond their boundaries. An example of this is its implementation at Google, within Google Money or the internal accounting systems, which are known to use large virtual honeypot environments. Honeypots are designed to look like many different kinds of operating system with any number of services running on them in order to distract an




NETWORK SECURITY

Protect your site with the Honeypots

In all interactive websites there is a part called "sensitive", such as the administrative part, which allows control of almost the entire site. In this article we'll learn how to create a honeypot, more precisely a fake administration panel, that allows you to learn how the hacker is trying to exploit vulnerabilities in your site, but also discourages/stops the continuation of the hacking, following the principle of the honey pot.

In general, when a hacker is trying to break into a website, he will try to bypass the security of the administration functionality by exploiting a security breach (SQL injection, ...), or by using a bot that will try all possible combinations to log in, gain access and do whatever he wants. One technique of protection is to change the name and location of the administration folder; this complicates the break-in by making it more difficult for the hacker to find the page. Instead of having a folder named "admin", "administration" or "admin.php", you can give it a name that is difficult to find, but that does not stop hackers from adapting a strategy to discover the name of the folder. So, while keeping the true administration folder hidden, we will simulate a fake administration page that will attract hackers as easy prey, so that they will not only waste valuable time trying to log in instead of seeking the real administration page, but also allow us to analyze the ways they use to exploit potential vulnerabilities in the website. You guessed it: in this tutorial I will show you how to create a fake administrative part which will serve as a honeypot. To do this, rename the real administration folder of your site to a name hard to guess but easy to remember (e.g. /my-real-secret-admin-folder/). Then create the fake administrative part in a folder under the name "admin" with an index.php file which will ask for the identifier of the administrator. Here we will record the steps hackers take to try to get into the administration of your site (Listing 1). Remember that the design of this fake administration interface should look similar to your site so that the attacker does not doubt that this is a real login page. We now retrieve the information sent by the login form and store it in a log file or send it by email, so that you will be immediately notified when someone tries to connect. You can also add a tracking code to get more analytical information (country, city, time spent on the page, etc.) on people who are trying to connect to the fake admin CP. Finally, I set the sleep function, which allows the script to sleep for a few seconds in order to secure against brute force attacks caused by possible bots, but also to annoy the hacker. And now the "Sniffer" PHP class (Listing 2), which will allow us to recover most of the actions of the attacker, and adds the possibility of automatically banning the hackers and bots who try to log into the administrative part (because these visitors often bring nothing positive to your site).
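The fake administration panel described above, as an added Python example (the article's own Listings 1 and 2 are PHP and are not reproduced here): it serves a login form that never succeeds, logs every attempt with a crude tag for injection-looking input and known tool user agents, delays each response, and bans a source after a configurable number of tries. The /admin/ mount point, the thresholds and the small WSGI front end are assumptions made for illustration.

```python
"""Fake administration panel used as a web honeypot (added example).

Assumptions, not from the article: the real admin area lives under a
hard-to-guess path elsewhere; this app is served at /admin/ and never
grants access; thresholds and the delay are illustrative values.
"""
import io
import json
import re
import time
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

# Crude, constructed heuristics for tagging what a visitor is attempting.
SQLI_PATTERN = re.compile(r"(--|'|\bor\b\s+\d+=\d+|\bunion\b\s+select\b)", re.I)
TOOL_UA_PATTERN = re.compile(r"(python-requests|curl|sqlmap|hydra|nikto)", re.I)

LOGIN_PAGE = (b"<html><body><h1>Administration</h1><form method='post'>"
              b"<input name='user'><input name='pass' type='password'>"
              b"<input type='submit' value='Login'></form></body></html>")


class FakeAdminHoneypot:
    def __init__(self, ban_threshold=5, delay_seconds=3, sleeper=time.sleep):
        self.ban_threshold = ban_threshold
        self.delay_seconds = delay_seconds
        self.sleeper = sleeper      # injectable so tests do not really sleep
        self.attempts = {}          # source ip -> number of login attempts
        self.banned = set()
        self.entries = []           # in-memory log, also written as JSON lines

    def handle_login(self, ip, username, password, user_agent="", now=None):
        """Record one login attempt; the answer is never 'accepted'."""
        if ip in self.banned:
            return {"ip": ip, "status": "banned", "attempt": self.attempts.get(ip, 0)}
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        tags = []
        if SQLI_PATTERN.search(username) or SQLI_PATTERN.search(password):
            tags.append("sqli-like-input")
        if TOOL_UA_PATTERN.search(user_agent or ""):
            tags.append("tool-user-agent")
        self.attempts[ip] = self.attempts.get(ip, 0) + 1
        status = "rejected"
        if self.attempts[ip] >= self.ban_threshold:
            self.banned.add(ip)      # automatic ban of persistent sources
            status = "banned"
        entry = {"time": stamp, "ip": ip, "username": username,
                 "password": password, "user_agent": user_agent,
                 "attempt": self.attempts[ip], "tags": tags, "status": status}
        self.entries.append(entry)
        self.sleeper(self.delay_seconds)   # slow down bots, annoy the intruder
        return entry

    def notification(self, entry):
        """One-line text for an alert e-mail about one attempt."""
        return ("Fake admin login from %s (attempt %d, %s) user=%r tags=%s"
                % (entry["ip"], entry["attempt"], entry["status"],
                   entry["username"], ",".join(entry["tags"]) or "-"))

    def write_log(self, path):
        """Append every recorded attempt to a JSON-lines log file."""
        with open(path, "a", encoding="utf-8") as fh:
            for entry in self.entries:
                fh.write(json.dumps(entry) + "\n")


def make_wsgi_app(honeypot):
    """Minimal WSGI front end: GET shows the form, POST is logged and refused."""
    def app(environ, start_response):
        status = "200 OK"
        if environ.get("REQUEST_METHOD") == "POST":
            size = int(environ.get("CONTENT_LENGTH") or 0)
            form = parse_qs(environ["wsgi.input"].read(size).decode("utf-8", "replace"))
            entry = honeypot.handle_login(
                ip=environ.get("REMOTE_ADDR", "?"),
                username=form.get("user", [""])[0],
                password=form.get("pass", [""])[0],
                user_agent=environ.get("HTTP_USER_AGENT", ""))
            if entry["status"] == "banned":
                status = "403 Forbidden"
        start_response(status, [("Content-Type", "text/html; charset=utf-8")])
        return [LOGIN_PAGE]
    return app


def simulate_post(app, ip, user, password, user_agent=""):
    """Drive the WSGI app with a constructed form POST; returns the HTTP status."""
    body = urlencode({"user": user, "pass": password}).encode("utf-8")
    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body), "REMOTE_ADDR": ip,
               "HTTP_USER_AGENT": user_agent}
    seen = {}
    app(environ, lambda status, headers: seen.setdefault("status", status))
    return seen["status"]
```

To serve it locally, pass `make_wsgi_app(FakeAdminHoneypot())` to `wsgiref.simple_server.make_server`; in production the same app sits behind the web server at the decoy path.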




NETWORK SECURITY

Using Honeypots to Augment Existing Network Security Measures

Practical deployment of honeypots for early detection of breaches

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. – Lance Spitzner

Firstly, a great deal of this information, including build scripts, has been derived from the http://dionaea.carnivore.it/ website, and credit belongs to the authors rather than myself. Secondly, many thanks are due to internal reviewers with the Honeynet Project for comments on the initial draft of this article. The basic premise of a honeypot is that the attacker believes it's a genuine server, and only the defender knows the truth. From that start, we can either choose to use it as an early warning system to jump-start our incident response processes, or we can study the behaviour of attackers in their element in order to better understand them. This knowledge can help us better defend our systems and networks. There is always some potential for attackers to cause damage, so you will need to exercise due care. If you are looking after a production network, you will probably be most interested in early warning system (EWS) honeypots. Suppose we have taken the basic steps to lock down our network already,

Figure 1. Basic placement of honeypots, either in the DMZ or the internal network, or both
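The early-warning use of a honeypot (and the "log access attempts ... early warnings" point from the basic notes earlier in the issue), as an added example that is not from this article or from the dionaea project: a triage routine over a constructed honeypot connection log. The log format, the address plan and the thresholds are assumptions; the point is that because nothing legitimate should ever touch the honeypot, an internal source is ranked above any amount of Internet scanning.

```python
"""Early-warning triage of a honeypot's connection log (added example).

Not from the article or from dionaea. Assumed, constructed log format:
"<iso time> src=<ip> dst=<ip> dport=<port> event=<name> [user=<name>]".
A honeypot has no production role, so every line is suspicious; the job is
to rank sources so that an internal host talking to the honeypot, which
suggests a machine already compromised, is escalated before Internet noise.
"""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<time>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r" event=(?P<event>\S+)(?: user=(?P<user>\S+))?$")

# Assumed address plan: RFC 1918 space is "ours"; adjust to the real network.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: one external port scanner, one external SSH
# brute-forcer, one internal workstation that should never reach the
# honeypot, and one malformed line that the parser must skip.
SAMPLE_LOG = """\
2012-08-01T10:15:02Z src=203.0.113.45 dst=10.0.9.200 dport=445 event=connect
2012-08-01T10:15:02Z src=203.0.113.45 dst=10.0.9.200 dport=135 event=connect
2012-08-01T10:15:03Z src=203.0.113.45 dst=10.0.9.200 dport=3389 event=connect
2012-08-01T10:15:03Z src=203.0.113.45 dst=10.0.9.200 dport=22 event=connect
2012-08-01T10:20:10Z src=198.51.100.7 dst=10.0.9.200 dport=22 event=login_attempt user=root
2012-08-01T10:20:11Z src=198.51.100.7 dst=10.0.9.200 dport=22 event=login_attempt user=root
2012-08-01T10:20:12Z src=198.51.100.7 dst=10.0.9.200 dport=22 event=login_attempt user=admin
2012-08-01T10:20:13Z src=198.51.100.7 dst=10.0.9.200 dport=22 event=login_attempt user=oracle
2012-08-01T10:20:14Z src=198.51.100.7 dst=10.0.9.200 dport=22 event=login_attempt user=test
2012-08-01T11:02:40Z src=10.0.5.23 dst=10.0.9.200 dport=445 event=connect
this line is garbage and must be skipped
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip, networks=INTERNAL_NETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage(log_text, scan_ports=3, bruteforce_attempts=5):
    """Aggregate per source and return one alert each, highest severity first."""
    per_src = defaultdict(lambda: {"ports": set(), "logins": 0, "events": 0,
                                   "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        s["events"] += 1
        s["ports"].add(rec["dport"])
        if rec["event"] == "login_attempt":
            s["logins"] += 1
        s["first"] = s["first"] or rec["time"]
        s["last"] = rec["time"]
    alerts = []
    for src, s in per_src.items():
        if is_internal(src):
            sev, why = "critical", "internal host contacted the honeypot: possible compromise or lateral movement"
        elif s["logins"] >= bruteforce_attempts:
            sev, why = "high", "credential brute force against a honeypot service"
        elif len(s["ports"]) >= scan_ports:
            sev, why = "medium", "port scan across honeypot services"
        else:
            sev, why = "low", "single probe"
        alerts.append({"src": src, "severity": sev, "reason": why,
                       "events": s["events"], "ports": sorted(s["ports"]),
                       "first": s["first"], "last": s["last"]})
    alerts.sort(key=lambda a: (SEVERITY_RANK[a["severity"]], a["src"]))
    return alerts
```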



Standards & Practices

Data Conversions and System Attacks

Whilst investigating a major system failure on a payment system it became evident that very few people in IT really understand the amount of data conversion that goes on, or the differences in data type representations between different technologies.

The problem manifested itself as a data length error on resaving data that hadn't changed. Understanding the conversions and types used for the components of a particular system can open up an avenue for attack. This article explains some of the representations and some of the risks involved. The environment in which we were operating was a typical one for many enterprises, with a layered architecture delivering data from a central database to a mix of legacy and more current technologies offering application and user interface functionality. It is in the legacy database that the original problem arises, although it isn't manifested as a problem there initially, with issues only being seen when the database was upgraded, and then only in production. A field declared as a VARCHAR2 text field, which was fine in a US 7-bit ASCII representation when treated as a string of bytes, was actually used to hold a bit string, i.e. some of the 'characters' weren't really valid characters. As the data itself hadn't been changed when the problem manifested, the issue had to be due to some difference in the data representation in the new infrastructure, in this case due to the use of 32-bit UTF8 in the database. In the original representation in the database the binary string would just be split into bytes, as a character has a byte representation; well, almost: seven bits are used. Now in the new environment each set of bytes was being treated as a character with a set of rules describing how it was to be translated, and when treated as characters in UTF8 a character can be represented by 1, 2, 3 or 4 bytes. This is the world of Unicode, where almost every conceivable character from almost any language can be represented. The data was unchanged; only the infrastructure had changed. Issues hadn't been seen in testing as a shared infrastructure database using the original Windows-compatible character set had been used. Also, between the original legacy environment and the new environment the database had been moved from a Hewlett-Packard PA-RISC HP-UX environment to a Linux on Intel x64 environment. The database representation itself is, of course, only part of the environment, with web browsers, web servers, proxy servers, routers, and networks between the user and the database, each with possibly different representations and different CPUs with their own representations. This should serve as a reminder of the importance of data types representing information in the real world, and of having representative test systems.
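The failure described above, modelled as an added Python example (not the author's code): a bit string packed into a VARCHAR2-style byte column is harmless under a single-byte character set, but once the column is UTF-8 the bytes above 0x7F are not valid characters, and a client that reads them as single-byte characters and writes them back through UTF-8 produces more bytes than the column holds. The column size and the use of Latin-1 as a stand-in for the single-byte client are assumptions.

```python
"""Why a VARCHAR2 holding raw bits breaks when the character set changes.

Added example; the column size and the Latin-1 stand-in for the single-byte
client are assumptions, not details from the article.
"""

COLUMN_BYTES = 8   # assumed declared size, VARCHAR2(8 BYTE)


def pack_bits(bits):
    """Pack a string of '0'/'1' into bytes, MSB first (the stored 'bit string')."""
    if len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("bit string must be whole bytes of 0/1")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def seven_bit_clean(raw):
    """True when every byte fits in US 7-bit ASCII, i.e. no byte >= 0x80.
    Such data survives any conversion unchanged, which is why the problem
    only appeared for some records and only in production."""
    return all(b < 0x80 for b in raw)


def utf8_status(raw):
    """How a UTF-8 database sees the stored bytes: valid text, or garbage
    starting at the first byte that is not a legal UTF-8 sequence."""
    try:
        raw.decode("utf-8")
        return "valid"
    except UnicodeDecodeError as exc:
        return "invalid at byte %d" % exc.start


def resave_length(raw):
    """Bytes written when a single-byte client (modelled as Latin-1) reads
    the column as characters and the UTF-8 database re-encodes it on save:
    every byte >= 0x80 becomes a two-byte sequence."""
    return len(raw.decode("latin-1").encode("utf-8"))


def analyse(bits, column_bytes=COLUMN_BYTES):
    """Summarise what happens to one bit-string value across the migration."""
    raw = pack_bits(bits)
    after = resave_length(raw)
    return {
        "stored_bytes": len(raw),
        "high_bytes": sum(1 for b in raw if b >= 0x80),
        "seven_bit_clean": seven_bit_clean(raw),
        "utf8": utf8_status(raw),
        "bytes_after_resave": after,
        "fits_after_resave": after <= column_bytes,
    }
```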



Interview

Interview with the members of Affined Honeypot project (NoAH) Jason Polakis and Spiros Antonatos

Jason Polakis is currently a PhD candidate at the University of Crete and a research assistant at the Institute of Computer Science, Foundation of Research and Technology Hellas (FORTH). His interests include various areas of computer and network security in general, with a recent focus on security and privacy aspects of online social networks. He was part of the development team of the Network of Affined Honeypots (NoAH) project, which was funded by the EU, and has co-authored the paper "A systematic characterization of IM threats using honeypots" (NDSS 2010).

Spiros Antonatos is currently a senior R&D engineer at Niometrics and received his PhD from the Computer Science Department, University of Crete. During his 8-year experience as a research assistant at the Institute of Computer Science, Foundation of Research and Technology Hellas (FORTH), he was technical manager of the Network of Affined Honeypots (NoAH) project, developer of the Honey@home tool and co-author of several honeypot-related papers. His interests include network security in general with a focus on network monitoring and high-performance computing.

What is the Honeypot development roadmap for the next 5 years?

If one takes a brief look at the honeypot development history over the last few years, only a few projects are still alive and maintained on a regular basis. One of the main reasons is that the security landscape has changed and attacks are now client-side and based on social engineering vectors. This landscape shift has made most of the server-side honeypots unattractive and outdated. However, client-side honeypots and application-specific honeypots are promising and can prove to be a useful tool in the defender's arsenal over the next years. Client-side honeypots can actively search for attacks and infected hosts while application-specific honeypots can be used as decoys for critical services.

We have explored the use of honeypot decoys in instant messaging services [1], and found them to be a valuable source of information on phishing attacks that employ social engineering approaches.

What is the best practice honeypot deployment in the enterprise environment?

High-interaction honeypots have been proven to be efficient and accurate. High-interaction honeypots are instrumented virtual-machines that capture every action by an attacker. Unlike low-end honeypots, they are not based on emulation scripts but rather run real operating systems and services. Their high-level of realism comes with a configuration and maintenance cost but the attack insight they provide is far more powerful than emulation scripts.



In the next issue of PenTest Magazine: IT security in Healthcare. Available to download on October 15th.

More topics in PenTest Magazine: eBanking, eDiscovery, Sandbox, Phishing, Spoofing, SSH Tunnelling, Guide to BackTrack, IAST, Cloud Application Pentesting, PCI Security Standards, Android as a Pentesting Platform, Intrusion Detection Systems ... and more.

If you would like to contact the PenTest team, just send an email to krzysztof.sikora@software.com.pl or ewa.dudzic@software.com.pl. We will reply a.s.a.p. PenTest Magazine has the right to change the content of the next Magazine Edition.



Next Generation Threat Protection Online Summit (advertisement)

Live 5th September. Join this free summit to hear industry experts and experienced practitioners discuss the current threat landscape, best prevention techniques and proven implementation methods. Find 17 thought leadership webinars, learn about the latest industry trends, share the knowledge. To register for free and view the full lineup go to http://www.brighttalk.com/r/T2j



RSA Conference Europe 2012 (advertisement)

Practical solutions to headline threats. Three days of information security insight. Only RSA® Conference Europe 2012 delivers the steps and strategies needed to protect your organisation's assets. From managing smartphones and tablets, to the workplace risks from social media tools, get the techniques you want and the answers you need. Hear from highly regarded keynotes including Wikipedia founder Jimmy Wales, internationally renowned security technologist Bruce Schneier, and investigative journalist, author and broadcaster Misha Glenny – one of the world's leading experts on cybercrime and global mafia networks.

• Leave with actionable solutions • Build your skills • Network with like-minded professionals • Stay informed, stay ahead

Date: 9 - 11 October. Venue: Hilton London Metropole Hotel, U.K.

Hear how the world's security experts manage challenges like: Mobile security, Data breaches, Hacktivism, Cybercrime, Malware threats, Cloud computing.

Get the practical insight your organisation needs. Attend and play your part in Europe's most informative information security event. Find out more at www.rsaconference.com/pen

©2012 EMC Corporation. All rights reserved. RSA, the RSA logo and RSA Conferences are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other products and services mentioned are trademarks of their respective companies. RSA Security U.K. Limited. Incorporated on June 6, 1996. Company Number: 3208788. Registered Office: 1 Carnegie Road, Newbury, Berkshire, RG14 5DJ, England


