Professional Information Security Association
MAR-2008
PISA Journal
Privacy Protection Privacy and Security Issues of Social Networking Services ISO Addressing Privacy Protection OpenVPN Enterprise Solution Experiences with Email Relay Honeypot Digital Imaging Forensic – Uncover the Truth International Standards for Information Security
www.pisa.org.hk
Issue 7
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
Editor: editor@pisa.org.hk
3
Privacy and Security Issues of Social Networking Services
7
ISO Addressing Privacy Protection
9
Standards
12
Honeypot
15
Security Infrastructure
25
Forensics
30
Program Snapshot
33
Active in External Affairs
34
Membership Benefits
International Standards for Information Security Experiences with Email Relay Honeypot OpenVPN 企業方案
Digital Imaging Forensic – Uncover the Truth
Copyright 2008 Professional Information Security Association. All rights reserved. Page 2 of 34
7
Anavailable Organization for Information Security Professionals Softcopy at http://www.pisa.org.hk/publication/journal/
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
Privacy Protection
Privacy and Security Issues of Social Networking Sites Wallace Wong CISSP, CISA Program Committee
R
ecently, the incident of suspected leakage of indecent photos has heightened the public awareness on privacy and security issues on classified data. However, concerns should also be placed on the most popular form of websites called “Social Networking Sites (SNS)” or “Social Networking Websites”. Facebook is one of the most popular SNSs in Hong Kong at the end of last year. There are several types of SNS worldwide. From specific one for building business networking such as LinkedIn, to general one for making friends including Friendster, there are around 26 SNS (Table 1) with different target groups each with over 10,000,000 registered users. As a result, this type of databases contains vast, updated and “real” user-driven data (still called Web 2.0) and could therefore provided many opportunities not limited to advertisers, businesses and legal entities. To simplify the discussion, most of the examples are referring to Facebook.
What kind of information is being STORED in SNS? From the latest version of Facebook privacy policy (effective as of December 6, 2007), the known information stored in Facebook under section “The Information We Collect” includes “name, email address, telephone number, address, gender, schools attended and any other personal or preference information” during registration, “browser type and IP address” during entering, “personal profile, form relationships, send messages, perform searches and queries, form groups, set up events, add applications, and transmit information” during usage, “backup copy of the prior version (of information)” during update and “information from other sources, such as newspapers, blogs, instant messaging services, and other users of the Facebook service through the operation (e.g., photo tags)”. Thus, the above information consolidated by Facebook is transferred to and processed in the United States are under consent of “all” users.
Although above section in the privacy policy has “disclaimer” such as, “We cannot control the actions of other Users with whom you may choose to share your pages and information. Therefore, we cannot and do not guarantee that User Content you post on the Site will not be viewed by unauthorized persons. We are not responsible for circumvention of any privacy settings or security measures contained on the Site”, you may still doubt about why so many people provide so much personal information, including English with full Chinese name, systemic picture (figure 1), birthday with year to reveal the age, relationship status with partner’s profile (figure 2), “resume” with information of employer and position (figure 3), primary and secondary schools studied with years, associated organization or even with mobile numbers and home address). If only your trusted friends can access these data, it may be convenient for them to know your status. But if everyone can access these data, you may only be living in danger until you know it is too late.
figure 2: marriage status
figure 1: profile picture
Page 3 of 34
7
figure 3:
An Organization for Information Security Professionals
work info
P I S A J o u r n a l
Professional Information Security Association
Page 4 of 34
MAR-2008
Issue
Privacy Protection
Privacy and Security Issues of Social Networking Sites
Table 1: “List of social networking websites” over 10,000,000 registered users (Developed from source of Wikipedia dated 16/02/2008) 1
Name MySpace
Focus General
Focus Description -
Popularity Worldwide
2
hi5
General
Teens
Latin American 98,000,000 & Asian
3
Habbo
General
4
orkut
General
Worldwide (~33) Brazil and India
5
General
Chat Room & user profiles Owned by Google now; initial target in US -
6 7
Friendster Classmates.com
General School
8
Bebo
9 10
Windows Live Spaces Xanga
Blogging
11 12
Flixster Netlog
Multimedia School
13 14
Tagged.com Reunion.com
General Family
15
Broadcaster.com
Multimedia
16 17
Cyworld MyHeritage
School Family
18
Friends Reunited
School
19 20
LinkedIn BlackPlanet
Business General
21
imeem
Multimedia
22 23
Plaxo LiveJournal
Business Blogging
Registered Registration 300,000,000 Open, age limit Open
86,000,000
Open, age limit
67,000,000
Open, age limit
Canada, UK, USA & NZ School, college, work and the military
62,000,000
Open, age limit
50,000,000 40,000,000
Open Open
General
-
40,000,000
Open, age limit
Blogging
Blogging (formerly MSN Spaces) Blogs and "metro" areas Movies Belgian European youth, formerly called Facebox. Family & friends locating to keep in touch Video sharing and webcam chat Teens South Koreans Family-oriented social network service
40,000,000
Open
40,000,000
Open
36,000,000 32,402,580
Open Open
30,000,000 28,000,000
Open Open
26,000,000
Open
21,200,000 20,000,000
Open Open
UK
19,000,000
Open
AfricanAmericans -
17,000,000 16,000,000
Open Open
16,000,000
Open
-
15,000,000 12,900,000
Open Open, OpenID
College, work, sport & streets African American community Music, Video, Photos, Blogs -
UK, Ireland, NZ & Pacific -
An Organization for Information Security Professionals
7
P I S A J o u r n a l
Professional Information Security Association
Issue
Privacy Protection
7
Privacy and Security Issues of Social Networking Sites
How will the information be USED? Comparing the details in section “Use of Information Obtained by Facebook”, Facebook “may use information in your profile without identifying you as an individual to third parties”. For other people (including third-parties) “who see your name in searches, however, will not be able to access your profile information unless they have a relationship to you that allows such access”. This indirectly implies privacy issue for default view and search by everyone of new user without adequate warnings during account setup process.
Who are SHARING your information? Explicitly specified in the section of “Sharing Your Information with Third Parties” of the Privacy Policy, “we share your information with third parties only in limited circumstances where we believe such sharing is 1) reasonably necessary to offer the service, 2) legally required or, 3) permitted by you.” “Beacon” is one of the business solutions that track your actions taken at external websites (figure 4) and would be shared with your internal Facebook friends (figure 5) in the “News Feed and Mini-Feed” (also called “Aggregator” or “Stalker” with another similar controversy before).
figure 4: external website
Page 5 of 34
MAR-2008
According to the “Help Topics: What external sites are affiliated with Facebook?” dated 17 February 2008, Beacon would capture actions taken at around 20 external websites, these include putting up something for auction on eBay, adding an awesome classic movie to your queue on Blockbuster.com, etc. In fact, this technology relies on the use of web bug (similar to 1x1 pixel) in GIF or PNG image format (or an image of same colour as background) which has embedded in the HTML homepages of these third-party websites. When Facebook first launched the Beacon, all users have no choice but to use it compulsorily. In view of the public pressure, Facebook finally allows users to opt-out using Beacon since 5 December 2007. Users could select the options of “Don't allow any websites to send stories to my profile” or individual controls under their “Privacy Settings for External Websites”. One of Facebook “disclaimers” regarding third party developed applications which reads as “Platform Developers may require you to sign up to their own terms of service, privacy policies or other policies, which may give them additional rights or impose additional obligations on you”. These applications make use of the social engineering, i.e. to invite your friends to install the applications. Once you have accepted your friend’s invitations, you would expose your privacy and security loopholes to the platform developers very easily.
figure 5: internal Facebook friends
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
Privacy Protection
7
Privacy and Security Issues of Social Networking Sites
Obviously, privacy cannot override everything. According to the privacy policy, Facebook would share account or other information in order to comply with law, to protect Facebook’s interests or property, to prevent fraud or other illegal activity perpetrated through the Facebook service or using the Facebook name, or to prevent imminent bodily harm. This issue should really be understood by net citizens to make a balance.
References 1. Facebook Privacy Policy http://www.facebook.com/policy.php
2. A report about SNS from the the European Network and Information Security Agency (ENISA) http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_ pp_social_networks.pdf
Conclusion 3. Facebook privacy issue from Electronic Privacy Information Center (EPIC) Knowing there are two core principles in the privacy policy which are “You should have control over your personal information” and “You should have access to the information others want to share”, only few users will adopt the best practices to control their privacy settings as follows: •Beware of password security even SSL has been deployed during login •Beware of photo and video in the form of uploading and tagging by yourself or others •Provide only minimum required information in “Profile” menu. •Tune your “Profile” section again under “Privacy” menu (different from “Profile” menu) •Change the “Search” section, such as coverage from “Everyone” (default) to “Only my friends” •Adjust personal activities published in “News Feed and Mini-Feed” as well as “Poke, Message, and Friend Request” sections. •Customize any unauthorized accesses in “Applications and Ads” and “External Websites”. Copyright & Disclaimer
http://epic.org/privacy/facebook/
4. Best practices of recommended privacy settings in Facebook by Sophos http://www.sophos.com/security/best-practice/ facebook.html
© copyright Wallace Wong, 2008
Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA.
Page 6 of 34
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
Issue
Privacy Protection
7
ISO Addressing Privacy Protection Antony Ma CISA, CISSP Program Director
H
arvard Professor Lawrence Lessig in his book Code 2.0 discussed various privacy issues in cyberspace and said “… in principle, the data are there. In practice, they are costly to extract. Digital technologies change this balance radically. They not only make more behaviour monitorable, but also more searchable.” Personal data leakage as occurred in the Independent Police Complaints Council (PICC) incident was a vivid example of his statement. Controversies over on privacy related issues definitely increases with the advance of technology, particular personal electronic devices. This article introduces the works done by International Standard Organisation (ISO) SC27 (Sub-Committee 27 IT Security) on privacy protections and related IT controls. ISO established Working Group 5 (WG5) "Identity Management and Privacy Technologies“ to deals with the development and maintenance of standards and guidelines addressing security aspects of identity management, biometrics and privacy protection.
ISO groups on Privacy, Authentication & Identity Management WG5's goal is to harmonise aspects for identity management, biometrics and privacy in the context of information technology with a set of international standards. Currently, WG5 is working on three major international standards. There are: (1) "Working Document on Privacy Framework" (2) "Working Document on Authentication Assurance" (3) "Working Document on Identity Management" Although some of the standards are still in drafting and commenting stages, it is still a good reference to know the current international developments. The first standard drafted by WG5 is “ISO 29100 A Privacy Framework” which discusses aspects relevant to the right of an individual to control the collection, transfer, use, storage, archiving, and disposal of his/her personally identifiable information (PII). The tries to set out core principles on how to consistently build systems and categorise PII in order to ensure the information privacy of an individual by preventing inappropriate use of an individual’s PII.
Page 7 of 34
MAR-2008
Challenges of Privacy Protections Protecting personally identifiable information poses difficult challenges to IT system and system administrations. These challenges are the result of government regulation and dynamic nature of electronic personal data. Regulations from EU and US increased management awareness on privacy protection. However, these regulations are still evolving and sometimes unable to keep up with technology advancements. For example, behavioural information like Internet search history and driving records are being kept and could reveal the lifestyle of an individual. How the current regulations should address these new developments is still unclear. The workgroup on data privacy recognise these challenges and developed a set of principles to guide the development of IT security controls. These core principles and key factors will be useful for company and professional in designing system processing PII.
Core Principles Privacy standardisation will enable system operators to design, implement and maintain information and communication systems that will properly handle and protect PII. The framework set out the key principles and can serve as a basis for desirable additional privacy
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
Privacy Protection
ISO Addressing Privacy Protection
standardisation initiatives, for example for a technical reference architecture and specific technologies implementation. This draft document sets out 11 core principles: 1. Consent and Choice 2. Accountability 3. Purpose Specification 4. Collection Limitation 5. Use, Retention and Disclosure Limitation 6. Data Minimisation 7. Accuracy and Quality 8. Openness, Transparency and Notice 9. Individual Participation and Access 10. Security Safeguards 11. Compliance
ISO/IEC 27002:2007 (Code of Practice for Information Security Management).
Closing The awareness for privacy protection is increasing due to the growing adaptation of data capture facilities like mobile phone and RFID. The deliverables of ISO working group on "Identity Management and Privacy Technologies” will be helpful for security professionals in designing secure system. The draft ISO 29100 “A Privacy Framework” when finalised will be a good reference for IT security industry.
© copyright Antony Ma, 2008
Along with these principles, the standard also discussed privacy-protection security measures with reference to
Contribution to PISA Journal • To join the Editorial Committee of this professional publication
Copyright & Disclaimer
• To contribute to the next issue and make your publication public
Next Issue: Sep-2008
Copyright owned by the author. This article is the views of the author and
Please contact the Editor (editor@pisa.org.hk)
does not necessarily reflect the opinion of PISA.
Page 8 of 34
7
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
Issue
Standard
7
International Standard for Information Security Lydia Chan Hong Kong Representative for ISO/IEC JTC1 SC27
I
Dale Johnstone Australia Representative for ISO/IEC JTC1 SC27
SO, SO the International Organization for Standardization, was founded in 1946. It is a vast network of national bodies representing countries from all around the world. At the end of 2006, there are 158 national ISO members. ISO’s declared mission is to be the leading value-adding platform and partner for the production of globally and marketrelevant international standards.
The ISO, IEC (International Electrotechnical Commission) and the ITU (International Telecommunication Union) coordinate the established World Standards Cooperation (WSC). The Joint ISO/IEC Technical Committee, JTC 1, was established in 1987 to develop information technology standards in accordance with ISO/IEC JTC 1 Directives. One sub-committee (SC) of JTC 1 is SC 27. SC 27 is responsible for “Information technology – Security techniques” and provides standardization of generic methods, techniques and guidelines for information, IT and communication security. SC 27 has 5 Working Groups (WG): WG 1 - Information security management systems WG 2 - Cryptography and security mechanisms WG 3 - Security evaluation criteria WG 4 - Security controls and services WG 5 - Identity management and privacy technologies JTC 1 SC 27 WG 1 is responsible for the development of several well-known standards including: ISO/IEC 27001 and ISO/IEC 17799 (now known as ISO/IEC 27002). All national bodies have the right to subscribe to participate in the work of technical committees and subcommittees. National bodies can be recognized as being either a Participating member (P-member) or an Observing member (O-member). P-members would participate actively in the work, with an obligation to vote, and to participate in meetings. O-members have no power of vote, but have options to attend meetings, make contributions and receive committee documents.
Page 9 of 34
MAR-2008
Development Standard
of
an
International
International Standards (IS) are developed by ISO technical committees (TC) and sub-committees (SC) within their respective fields of expertise. Regular meetings are conducted and various correspondences are exchanged to process work in the development of International Standards. An International Standard is the result of a collective agreement among the national member bodies of ISO. The need for a standard is usually expressed by an industry sector, which communicates their need to a national member body. The national member body proposes the new work item to ISO. Once the need for an International Standard has been recognized and agreed, a project (or work item) will then be established, which typically enters into a six stage project development lifecycle for the International Standard to be finalised and published. The project lifecycle stages are described in Table 1. The initial development of an International Standard can take several years. A factual life cycle example of an International Standard currently undergoing development within JTC 1 SC 27 WG 1 is ISO/IEC 27000 “Information Security Management System – Overview and vocabulary” (See Note 1). Work within ISO commenced on ISO/IEC 27000 in early 2006 and is expected to be finalised in 2009. Table 2 outlines the history of the development and the anticipated timetable/approach through to the eventual publication of ISO/IEC 27000.
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
Standards
International Standard for Information Security
STAGE NAME
Table 1:
ISO Project Development Lifecycle Stages
DESCRIPTION PRODUCT NAME Confirms that a particular standard is needed. A new work item proposal (NP) is submitted for vote by the New work item STAGE 1 members of the relevant TC or SC to determine the Proposal PROPOSAL inclusion of the work item in the programme of (NP) work. Comprises the preparation and consideration of one or more working drafts until consensus has been Working Draft(s) reached in a working group of experts. A working STAGE 2 (WD) PREPARATORY draft that is considered as the best technical solution to the problem will be sent to committee members for review. Committee draft is distributed for comment and voting by P-members of the TC/SC. Successive committee drafts are continuously Committee Draft STAGE 3 considered until consensus is reached on the (CD) COMMITTEE technical content. Once consensus has been attained, the text is finalized for submission as a draft International Standard (DIS). Draft International Standard (DIS) is circulated to all ISO member bodies for voting and comment within defined period. A submission is approved as a Final Draft International STAGE 4 Standard Draft International Standard (FDIS) if a two-thirds ENQUIRY (DIS) majority of the P-members of the TC/SC are in favour and not more than one-quarter of the total number of votes cast are negative. Final Draft International Standard (FDIS) is circulated to all ISO member bodies for a final Final draft Yes/No vote within a defined period. The text is STAGE 5 approved as an International Standard if a two-thirds International Standard APPROVAL (FDIS) majority of the P-members of the TC/SC are in favour and not more than one-quarter of the total number of votes cast are negative. Once a Final Draft International Standard has been approved, only minor editorial changes, if and International Standard STAGE 6 where necessary, are introduced into the final text. (IS) PUBLICATION The final text is sent to the ISO Central Secretariat which publishes the International Standard.
Table 2:
STAGE
DESCRIPTION
ISO Standard Development – ISO/IEC 27000 Timetable
PROPOSAL
New Proposal Submitted
PREPARATORY Working Draft 1 Committee Draft st
COMMITTEE
DOCUMENT RELEASE SCHEDULE April 2006 May 2006 September 2006
2nd Committee Draft
April 2007
3rd Committee Draft
September 2007 April 2008 (Anticipated) September 2008 (Anticipated) April 2009 (Anticipated)
Final Committee Draft
Page 10 of 34
7
ENQUIRY
Draft International Standard
APPROVAL
Final Draft International Standard
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
Standards
7
International Standard for Information Security
It is important to note that the above example timetable could be extended due to additional document drafts being required throughout the development lifecycle. Additional drafts are generally required when the level of consensus among the national bodies is yet to be obtained. For each additional draft the timetable will generally be extended for a period of 6 months.
Note 1: ISO/IEC 27000 falls into a very unique category with this International Standard being classified as a freely available standard. This means that unlike most international standards produced by ISO which must be paid for, ISO/IEC 27000 will be freely available for all to access at no charge when it is expected to be published in 2009.
ISO has also established a general rule that all ISO standards should be reviewed at intervals of not more than five years to ensure the content of the International Standard continues to be relevant and applicable to the content of the document. © copyright Lydia Chan, 2008
PISA Polo Shirt
3D embroidery logos and wordings.
www.PISA.org.hk
Copyright & Disclaimer
Copyright owned by the views of the author and
HK$50 each
does not necessarily
Purchase Order: mail to the EXCO (info@pisa.org.hk)
author. This article is the
reflect the opinion of PISA.
Available Size: S, M, L, XL
Page 11 of 34
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
Honeypot
Experiences with Email Relay Honeypot Warren Kwok CISSP Program Committee n email honeypot configured as open relay decoy (fake open relay host) was set up by our office for over six months to understand how spammers abuse open relay hosts. The platform used for the Mail Transfer Agent (MTA) was Sendmail 8.14.1 running on Fedora Core 7. A firewall was deployed to limit the number of concurrent sessions to TCP port 25 of the relay decoy. The whole setup was hooked up to a 2M/2M Dedicated Internet Access line.
A
Configuring an Open Relay Decoy To set up an open relay decoy, the first thing to do is to switch on relay capability on the MTA. Prior to Sendmail version 8.9, open relay was used in the default configuration file /etc/mail/sendmail.mc which could be traced back in the line: FEATURE (‘promiscuous_relay’) dnl It will be quite easy to add this line back to sendmail.mc and then generate sendmail.cf to get a working open
relay. However, adding the above line means relay everything without any control by the administrator. A better option is to maintain control of relay function via the file /etc/mail/access which specifies which domain or IP address can use Sendmail for relaying. To enable open relay for all incoming IP addresses from the Internet, the leading prefixes of IP addresses 1 – 223 are permitted to relay in /etc/mail/access as shown in Figure 1. It is not necessary to enter IP address range with leading prefixes of 224 – 255 since the IP addresses are used for multicast (Class D, 224 - 247) or experimental purpose (Class E, 248-255).
Figure 1. Configuration for open mail relay in the file /etc/mail/access
Page 12 of 34
7
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
Honeypot
Experiences with Email Relay Honeypot
Once open relay configuration is in place, the next task is to make sure Sendmail will not attempt delivery once upon receipt of email messages. To this end, the following two lines are added in /etc/mail/sendmail.mc define(`confCON_EXPENSIVE', `True') define(SMTP_MAILER_FLAGS, e) The first line tells Sendmail to hold the queued mail for later delivery if delivery method is marked expensive. The next line further confirms delivery method as expensive. This prohibits Sendmail attempting queued mail delivery unless the sendmail –q option is invoked manually. Of course, the administrator never runs sendmail –q, so the mail queue time will be set to infinity. Additionally, there is a cron task to move emails in /var/spool/mqueue to other protected directories on a per minute basis. This ensures that if sendmail –q is run inadvertently, there is no queued mail in the default mail queue directory so the chance of flushing spam emails out is reduced to minimal. It should be noted all these settings and configurations
should be tested carefully otherwise the host will become a genuine open relay. Another factor we have to consider is the storage capacity of the relay decoy. Due to limited size of 250 GB hard disk in use, the maximum number of concurrent sessions to the relay decoy is set to 20 and the maximum number of recipients in a single email is limited 10. In the early days of operating the relay decoy, the default threshold of 128 concurrent sessions in the firewall was adopted resulting in an average of 170K spam emails (occupying 800 MB storage) captured in a single day. Obviously, a low threshold on concurrent sessions is preferable in order to avoid the relay decoy running out of storage space in a rapid pace. In fact, Sendmail can limit the incoming sessions but from a security viewpoint, the task should be handled by a firewall instead of an application itself. Also, from our observation, we find that spammers try to deliver to the maximum number of recipients in a single spam email. A screen shot of spammers depositing spam emails to a maximum of 10 recipients at a time is shown in Figure 2.
Figure 2. Spammers trying to send to a maximum of 10 recipients in a single spam email
Page 13 of 34
7
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
Honeypot
Experiences with Email Relay Honeypot
Difficulties of Operating an Open Relay Decoy Spammers are skeptical and careful. The relay decoy accepting emails destined for other domains might not satisfy them. Thus, before they deposit large amount of spam emails to an open relay host, they send test emails to ascertain that the test emails can be delivered. If the test emails can not be received, the relay host will be abandoned. Hopefully, their test emails are usually having patterns of senders sending to themselves (single recipient) or including the IP address of the relay host in the subject line or message body. Some scripts can be tailor-developed to scan messages for regular patterns and allow such emails to go through. In this regard, an administrator should dedicate considerable efforts to tackle the challenge of operating an open relay decoy to stop delivering spam emails while fooling spammers that their test emails can get through.
Statistics Between 1 July and 31 Dec 2007, the relay decoy captured a total of 6.3 million spam emails deposited by spammers. The top ten target domains for spam Ranking Recipient Domain Spam Messages % mail delivery are given in the table below:
1 2 3 4 5 6 7 8 9 10
yahoo.com.tw 163.com hinet.net hotmail.com sina.com yahoo.com 126.com pchome.com.tw 163.net gmail.com
2,377,529 548,003 527,795 290,536 118,889 115,855 66,998 65,200 60,411 56,986
37.74 8.70 8.38 4.61 1.89 1.84 1.06 1.04 0.95 0.91
Based on IP addresses captured, the top ten countries with spammers attempting relay are shown as follows:
Page 14 of 34
7
Ranking 1 2 3 4 5 6 7 8 9 10
Country China (cn) Taiwan (tw) USA (us) Brazil (br) Korea (kr) Romania (ro) Thailand (th) India (in) Italy (it) Philippine (ph)
Spam Messages 3,195,579 1,092,409 284,631 181,690 93,395 51,688 40,442 35,172 24,641 16,274
% 50.70 17.30 4.50 2.80 1.48 0.82 0.64 0.56 0.39 0.25
Conclusions Owing to resource constraints, the relay decoy imposes a limit on the number of incoming sessions and the maximum number of recipients in a single email. If the limits are relaxed, a very huge number of spam emails in terms of tens of millions could have been captured. Nonetheless, it is not surprising to find spammers target spam emails at the world largest email service providers such as yahoo.com, hotmail.com and gmail.com in view of the large number of users subscribing to their free email services. Throughout the monitoring period, amongst the tens of thousands IP addresses logged, none of them is from IP address space assigned to Hong Kong. A logical and sensible answer is that the majority of Internet Service Providers in Hong Kong have banned their users connecting to port 25 in the outgoing direction thereby prohibiting them from accessing open relay hosts. © copyright Warren Kwok, 2008
References Sendmail Configuration http://www.sendmail.org Article on Fighting Relay Spam the Honeypot Way http://fightrelayspam.homestead.com/files/antispam0613 2002.htm Holding mail in the queue for Sendmail http://www.wurd.com/cl_email_sendmail.php Linux Mail-Queue mini-HOWTO http://tldp.org/HOWTO/Mail-Queue.html
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
OpenVPN 企業方案
7
簡正修 (Bernard Kan) CISSP GCIA GCIH CWSP Vice Chairperson 編者按: 無論你在公共WiFi、或其他不可信賴的第三方網絡上連線,虛擬網絡 (Virtual Private Network,簡稱 VPN)均可提 供加密的訊道,保證不被竊聽通訊內容。一些網絡服務供應商有提供VPN服務,但是,有否想到自己也可以 DIY,度身自建VPN服務? 本文作者將會介紹價廉物美的OpenVPN,帶大家由一台Linux主機開始,建立一台安全、可靠及適合企業用的 VPN裝置,質素可以媲美市場上的商業產品。 既然說得是給企業使用,所以作者除了介紹怎樣安裝主機,還會 透個一個企業個案,說明企業的安全政策及要求,怎樣在安裝過程中實現出來。 在作者文章後,編者還簡介OpenVPN在低階的家用寬頻路由器硬件上的實現(見第24頁)。
OpenVPN簡介 虛擬網絡 (Virtual Private Network,簡稱 VPN) 是一種 技術,讓用戶透過使用電訊公司的公共網(例如互 聯網),與位於遠端的辦公室網絡建立聯繫,使用 戶如置身於該辦公室網絡一樣,可以使用辦公室網 絡內的各種資源。所有傳遞於用戶及辦公室網絡間 的資訊及數據,在 VPN中均經過加密處理,保證安 全。如果把虛擬網絡用於辦公室及辦公室之間的聯 線上,則可以代替傳統的租用線路 (Leased line),是 一種成本低,但又安全的辦公室連接方案。
許多人一提到VPN技術,就會想到 IPSEC (IP Security)。IPSEC一向都是VPN的標準技術,它的安 全性之高,相信沒有人會懷疑。但是IPSEC也是出名 難纏的,在一些較複雜的網絡中(例如有 Proxy 啦、 NAT 啦,等等),許多時均無法使用。 近年,新興了以SSL (Secure Sockets Layer) 為基礎的 VPN技術。大家都知道,SSL是網上交易常用的加密 協定。多年來SSL的安全性及可靠性已經被確立起 來。OpenVPN 便是以SSL作為加密基礎的開放源碼 VPN軟件。
VPN User
VPN Server
RAS: 172.16.253.x
Email Server
Internet
.128
External Firewall
Network Topology of mycompany.com
Admin Server
Application Server
.31
Internal Firewall
圖1
Page 15 of 34
DMZ: 172.16.254.x
.21
Workstations Network
An Organization for Information Security Professionals
.32 Internal: 172.16.230.x
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
OpenVPN 企業方案
以OpenVPN構建企業用的VPN主機或裝置的好處, 筆者也說不盡那麼多,總之是價廉物美就是了。以 下筆者便以一個企業的個案例子,介紹大家整個裝 設過程。呵呵,筆者事先說明,本個案純屬虛構, 如有雷同,實屬巧合。
OpenVPN 個案環境及方案需求 企業 mycompany.com 的網絡包括有互聯網對外連 線,一個內部防火牆及一個外部防火牆。這個 VPN 的方案中,有三個網段需要考慮: 位於外部防火牆的DMZ (Demilitarized Zone) 位於外部防火牆的RAS (Remote Access Segment), 及 位於內部防火牆的主機網段 (Internal Segment) 如圖1所示。 因為VPN主機是在互聯網上對外開放的,所以 mycompany.com的管理層要求它的安全性做得越高越 好,必需包括以下措施: 採用最新可靠的操作系統內核 (Kernel)及 OpenVPN 軟件包 停用不需要的系統服務 採用 Chroot 環境 使用防火牆保護 使用電子證書作用戶認證 投產前系統安全掃瞄
我們透過分配不同網段的IP位址 (e.g. 172.16.0.x, 172.16.1.x 及172.16.2.x)給用戶,再配合防火牆的規則 來控制用戶的權限。 以下是筆者完成整個方案的步驟: 1.安裝 Linux 主機及基本網絡設定(以 Fedora 7 Linux為 例) 2.停用不需要的系統服務及完成安全加固 (Security Hardening) 3.安裝 OpenVPN 軟件及設定主機VPN服務 4.產生及安裝 CA 證書及VPN主機證書 5.設定OpenVPN主機防火牆設定 6. OpenVPN 客戶端設定 7. OpenVPN 連接測試 以下我們便順著這個次序來講解。 由於步驟1及步驟2是基本功夫,筆者在這裡簡略帶過 便 算 了 。 筆 者 從 Fedora 7 的 標 準 安 裝 (Standard Installation) 開始,安裝好系統後停掉了大多數的系統 服 務 , 只 剩 下 SSHD , 再 下 載 了 Bastille[3] , 執 行 Bastille的指令稿 (Scripts) 來協助安全加固整個 Linux 系統。由於 Fedora 7是比較新的 Linux distribution,暫 時並沒有發現什麼嚴重的系統漏洞,打補丁的功夫在 這裡便略過了。漏洞管理(Vulner-ability Management) 是企業一個需要獨立處理的課題,長命功夫長命做 嘛。 VPN主機的IP位址設定為 172.16.253.128,如圖 2。
VPN用戶方面則分為三個類 別: 基本用戶(Basic User) – 經 VPN可連上電郵主機 高級用戶(Advanced User) – 經VPN可連上應用系 統主機及電郵主機 系統管理員 (Administrators) – 經VPN可 連上所有主機
圖2
Page 16 of 34
7
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
OpenVPN 企業方案
MAR-2008
Issue
7
步驟3: 安裝 OpenVPN 軟件 Fedora Linux中我們可以借助 “yum" 這個程式來安裝軟件包。以下所有的過程,都是在Linux系統下,以root的 身份來操作,並且網絡已經開通,可以連到互聯網上去。安裝 OpenVPN的過程如下: [root@vpn-host etc]# yum install openvpn Loading "installonlyn" plugin Setting up Install Process : : ============================================================================= Package Arch Version Repository Size ============================================================================= Installing: openvpn i386 2.1-0.19.rc4.fc7 fedora 356 k Installing for dependencies: lzo i386 2.02-2.fc6 fedora 63 k : : Total download size: 419 k Is this ok [y/N]: y : : Installed: openvpn.i386 0:2.1-0.19.rc4.fc7 Dependency Installed: lzo.i386 0:2.02-2.fc6 Complete! [root@vpn-host etc]#
看!只是一個指令便完成了下載軟件包及安裝的事情。爽!
步驟4: 產生及安裝 CA 證書及VPN主機證書 由於本個案的用戶是採用電子證書認證,我們必須先產生 CA (Certificate Authority) 證書及VPN主機證書。我們先 切換到目錄 “/usr/share/openvpn/easy-rsa/2.0",修改 “var"檔案,填入一些基本資料,如圖3所示。
圖3
Page 17 of 34
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
OpenVPN 企業方案
MAR-2008
Issue
7
接著便再始執行產生主機證書的步驟: ---------------[root@vpn-host 2.0]# source ./vars NOTE: If you run ./clean-all,I will be doing a rm -rf on /usr/share/openvpn/easy-rsa/2.0/keys [root@vpn-host 2.0]# ./clean-all [root@vpn-host 2.0]# ./build-ca Generating a 1024 bit RSA private key : : [root@vpn-host 2.0]# ./build-inter vpn-host Generating a 1024 bit RSA private key : :
The Subject's Distinguished Name is as follows countryName :PRINTABLE:'HK' stateOrProvinceName :PRINTABLE:'HK' localityName :PRINTABLE:'HongKong' organizationName :PRINTABLE:'My-Company' commonName :PRINTABLE:'vpn-host' emailAddress :IA5STRING:'secadmin@mycompany.com' : : [root@vpn-host 2.0]# ./build-dh Generating DH parameters,1024 bit long safe prime,generator 2 This is going to take a long time ................................................................................. [root@vpn-host 2.0]#
產生證書後,我們建立 “/etc/openvpn/keys" 這個目錄,並把 “/usr/share/openvpn/easy-rsa/2.0/keys" 中所有檔案 都抄進去。 在 “/etc/openvpn" 目錄中,我們建立 “server.conf" 設定檔,內容如下: port 1194 proto udp dev tun 注意: ca keys/ca.crt cert keys/vpn-host.crt key keys/vpn-host.key OpenVPN的缺省(default)設定是使用 UDP 1194 埠,有時為 dh keys/dh1024.pem tls-auth keys/ta.key 0 了兼容ISP或公司的防火牆過濾,要使用TCP 80 或TCP 443 server 172.16.0.0 255.255.255.0 等常用埠。server.conf 的 設定可能要適當修改,如: push "route 172.16.254.0 255.255.255.0" push "route 172.16.230.0 255.255.255.0" port 443 client-config-dir ccd proto tcp keepalive 10 120 comp-lzo chroot /etc/openvpn user openvpn group openvpn persist-key persist-tun verb 3 ifconfig-pool-persist /etc/openvpn/ipp.txt status /var/log/openvpn-status.log log /var/log/openvpn.log management localhost 7505 plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so "login login USERNAME password PASSWORD"
Page 18 of 34
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
OpenVPN 企業方案
這個設定檔設定主機使用於 ”/etc/openvpn/keys” 中 的密鑰作認證用途,使用Chroot環境及UDP 1194 連接 埠。用戶除了必需擁有電子證書外,還需要對系統上的用 戶帳號及密碼作認證。認證成功後,路由設定會自動加到 用戶端的電腦上。
這個設定檔的內容,便滿足了 mycompany.com 個案安全上需求的大部份。另外,為了令到主機的 安全性更加穩固,這裡還使用了一個叫做 “tlsauth HMAC” 的設定。使用了這個設定,所有往來 用戶端和主機間的封包,均會被一條共用的密鑰所 加簽。使用這個設定後,用戶端和主機都不會對沒 有有效加簽的封包作回應,系統便不怕受到黑客們 的攻擊。要使用 “tls-auth HMAC” 這個設定, 我們先在主機產生一個密鑰檔案: # openvpn –genkey --secret ta.key
7
透過安全的途徑,我們把這個檔案分發到主機及用戶 端OpenVPN的設定目錄中。 主機上,設定檔需要加入這項設定: #Server tls-auth ta.key 0
用戶端則加入這一項設定: #Clients tls-auth ta.key 1 這個在後面講述用戶端的設定時將會見到。最後,我 們把 OpenVPN設定成自動啟動,並且啟動它,如圖4 所示。再檢查 “/var/log/openvpn.log" 檔案,便知道 OpenVPN已經成功啟動了。
圖4 [root@vpn-host openvpn]# cd /var/log [root@vpn-host log]# tail -30 openvpn.log Mon Nov 12 17:51:13 2007 OpenVPN 2.1_rc4 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Apr 26 2007 Mon Nov 12 17:51:13 2007 MANAGEMENT: TCP Socket listening on 127.0.0.1:7505 Mon Nov 12 17:51:13 2007 PLUGIN_INIT: POST /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so '[/usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so] [login] [login] [USERNAME] [password] [PASSWORD]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY Mon Nov 12 17:51:13 2007 Diffie-Hellman initialized with 1024 bit key Mon Nov 12 17:51:13 2007 Control Channel Authentication: using 'keys/ta.key' as a OpenVPN static key file Mon Nov 12 17:51:13 2007 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Mon Nov 12 17:51:13 2007 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Mon Nov 12 17:51:13 2007 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ] Mon Nov 12 17:51:13 2007 TUN/TAP device tun0 opened Mon Nov 12 17:51:13 2007 TUN/TAP TX queue length set to 100 Mon Nov 12 17:51:13 2007 /sbin/ip link set dev tun0 up mtu 1500 Mon Nov 12 17:51:13 2007 /sbin/ip addr add dev tun0 local 172.16.0.1 peer 172.16.0.2 Mon Nov 12 17:51:13 2007 /sbin/ip route add 172.16.0.0/24 via 172.16.0.2 Mon Nov 12 17:51:13 2007 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ] Mon Nov 12 17:51:13 2007 chroot to '/etc/openvpn' and cd to '/' succeeded Mon Nov 12 17:51:13 2007 GID set to openvpn Mon Nov 12 17:51:13 2007 UID set to openvpn Mon Nov 12 17:51:13 2007 Socket Buffers: R=[110592->131072] S=[110592->131072] Mon Nov 12 17:51:13 2007 UDPv4 link local (bound): [undef]:1194 Mon Nov 12 17:51:13 2007 UDPv4 link remote: [undef] Mon Nov 12 17:51:13 2007 MULTI: multi_init called,r=256 v=256 Mon Nov 12 17:51:13 2007 IFCONFIG POOL: base=172.16.0.4 size=62 Mon Nov 12 17:51:13 2007 IFCONFIG POOL LIST Mon Nov 12 17:51:13 2007 Initialization Sequence Completed [root@vpn-host log]#
Page 19 of 34
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
OpenVPN 企業方案
7
步驟5: OpenVPN主機防火牆設定 除了使用外部防火牆外,我們還使用Linux系統內建的防火牆軟件iptables來保護主機。這叫做「多層防護」(Defense in Depth) 嘛! 以下便是我們在主機上啟動 iptables 所使用的指令稿。特別值得注意的是,我們透過 iptables 的規則,限制了不同類別的用戶 可以連接的主機。不同類別的用戶,登入VPN後都分派有不同網段 (Network Segment)的 IP 位址,這個 IP 位址便決定了用戶可 以連接那台主機上。 ----------------------#!/bin/bash echo "1" >> /proc/sys/net/ipv4/ip_forward # Loopback address LOOP=127.0.0.1 # Delete old iptables rules iptables -P OUTPUT DROP iptables -P INPUT DROP iptables -P FORWARD DROP # Delete old iptables rules iptables -P OUTPUT DROP iptables -P INPUT DROP iptables -P FORWARD DROP # Set default policies iptables -P OUTPUT ACCEPT iptables -P INPUT DROP iptables -P FORWARD DROP # Prevent external packets from using loopback addr iptables -A INPUT -i eth0 -s $LOOP -j DROP iptables -A FORWARD -i eth0 -s $LOOP -j DROP iptables -A INPUT -i eth0 -d $LOOP -j DROP iptables -A FORWARD -i eth0 -d $LOOP -j DROP # Allow local loopback iptables -A INPUT -s $LOOP -j ACCEPT iptables -A INPUT -d $LOOP -j ACCEPT # Allow incoming pings (for trouble shooting) iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
注意: iptables 開放的埠要與server.conf 的設定對應,此例使用OpenVPN的 缺省設定(UDP 1194)。
# Allow OpenVPN services # Assume we use UDP 1194 for OpenVPN port iptables -A INPUT -p udp -d 172.16.253.128 --dport 1194 -j ACCEPT # Allow administration server to connect ssh and management port iptables -A INPUT -p tcp -s 172.16.230.31 -d 172.16.253.128 -m multiport --dport 22,7505 -j ACCEPT # Elementary user rules iptables -A FORWARD -p tcp -i tun0 -s 172.16.2.0/24 -d 172.16.254.21 -m multiport --dport 25,110 -j ACCEPT # Advanced user rules iptables -A FORWARD -p tcp -i tun0 -s 172.16.1.0/24 -d 172.16.254.21 -m multiport --dport 25,110 -j ACCEPT iptables -A FORWARD -p tcp -i tun0 -s 172.16.1.0/24 -d 172.16.230.32 -m multiport --dport 80,443 -j ACCEPT # Administrator rules iptables -A FORWARD -i tun0 -s 172.16.0.0/24 -j ACCEPT # Keep state of connections iptables -A OUTPUT -m state --state NEW -o eth0 -j ACCEPT iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -m state --state NEW -o eth0 -j ACCEPT iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # Masquerade traffic from tunnel iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE iptables -t nat -A POSTROUTING -s 172.16.2.0/24 -o eth0 -j MASQUERADE [root@vpn-host log]# -----------------------
Page 20 of 34
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
OpenVPN 企業方案
MAR-2008
Issue
7
步驟6: OpenVPN 客戶端設定 好了,現在是用戶端的設定。我們首先要做的,是為 mycompany.com的系統管理員產生用戶電子證書,並且在 VPN 主機上開立帳戶。 企業 mycompany.com 的資訊安全政策中,有一項帳戶相關的政策,便是所有重要系統的用戶,都必須要經管理 層每年確定一次。這個過程我們英文叫做作 “User Recertification"。在本個案中,我們可以透過設定用戶電子 證書的有效期,來協助實現這個政策。當用戶的電子證書過期了,便無法再登入 VPN 主機,他便必須要重新申 請一個新的電子證書,讓管理層重新確認他的帳號,這樣我們便可以達到定期重新確認用戶的目的。 要更改電子證書的設定,並產生用戶電子證書,我們在 VPN主機上先切換到目錄 “/usr/share/openvpn/easyrsa/2.0",並修改其中設定如下: # In how many days should certificates expire? export KEY_EXPIRE=365
本個案中,我們的系統管理員叫做 Peter,以下便是產生他的用戶證書的過程: [root@vpn-host 2.0]# source vars NOTE: If you run ./clean-all,I will be doing a rm -rf on /usr/share/openvpn/easy-rsa/2.0/keys [root@vpn-host 2.0]# ./build-key peter Generating a 1024 bit RSA private key ......................++++++ writing new private key to 'peter.key' ----You are about to be asked to enter information that will be incorporated : : The Subject's Distinguished Name is as follows countryName :PRINTABLE:'HK' stateOrProvinceName :PRINTABLE:'HK' localityName :PRINTABLE:'HongKong' organizationName :PRINTABLE:'My-Company' commonName :PRINTABLE:'peter' emailAddress :IA5STRING:'secadmin@mycompany.com' : : [root@vpn-host 2.0]#
接著,我們在主機上為Peter開立一個系統帳戶。我們還為 Peter輸入一個隨機產生的密碼,登入VPN時將要用到 它。 另外,如果我們不想用戶登入VPN主機,我們可以為帳戶請定一個叫做 “nologin" 的 Unix shell。 [root@vpn-host keys]# which nologin /sbin/nologin [root@vpn-host keys]# useradd peter -s /sbin/nologin [root@vpn-host keys]# passwd peter Changing password for user peter. New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. [root@vpn-host keys]#
我們再為 Peter設定他登入 VPN主機後所獲分配的 IP 位址。這個很重要,因為他的IP位址決定了他登入 VPN 後,能夠連接及使用什麼主機。這些在我們在前面設定防火牆時,早已經設定好了。 我們建立這個檔案: “/etc/openvpn/ccd/peter"。它的內容只有一行: “ipconfig-push 172.16.0.9 172.16.0.10"。這便是 Peter 登入VPN主機後所獲分配的 IP 位址及閘道位址。 [root@vpn-host /]# cat /etc/openvpn/ccd/peter ifconfig-push 172.16.0.9 172.16.0.10 [root@vpn-host ccd]#
Page 21 of 34
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
OpenVPN 企業方案
7
最後,我們再在 Peter的用戶電腦上安裝 OpenVPN GUI Win32版本的軟件,如圖5所示。
圖5 按幾下 Next 完成安裝後,再把 peter.crt,peter.key,ca.crt,ta.key 及 client.ovpn檔案放到 “C:\Program Files\Openvpn\config"目錄 中。 “peter.crt" 及 “peter.key" 是Peter的電子證書及密鑰檔,“ca.crt" 及 "ta.key" 是VPN主機的電子證書及共用密鑰檔, “client.ovpn" 是用戶端的設定檔,內容如下: client dev tun proto udp remote vpn-host.mycompany.com 1194 nobind persist-key persist-tun ca ca.crt cert peter.crt key peter.key comp-lzo verb 3 auth-user-pass tls-auth ta.key 1
接著我們便可以啟動VPN用戶端軟件,登入VPN主機了, 如圖6、7所示。
圖6
Page 22 of 34
An Organization for Information Security Professionals
圖7
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
OpenVPN 企業方案
7
如圖8所示,Peter 被分配的IP 位址 是 172.16.0.9。
圖8 我們可以試 PING 主機的 IP位址 172.16.0.1,如圖9所示。
圖9 BINGO!! 我們再試試連上電郵主機 172.16.254.21 的 25埠: > telnet 172.16.254.21 25
在 VPN主機上我們透過 “tcpdump" 軟件觀察到以下連線: [root@vpn-host openvpn]# tcpdump -nn -v host 172.16.254.21 tcpdump: listening on eth0,link-type EN10MB (Ethernet),capture size 96 bytes 21:42:37.026628 IP (tos 0x0,ttl 127,id 24970,offset 0,flags [DF],proto: TCP (6),length: 48) 172.16.253.128.1294 > 172.16.254.21.25: S,cksum 0x47dc (correct),2090928:2090928(0) win 64240 <mss 1368,nop,nop,sackOK> 21:42:37.033657 IP (tos 0x0,ttl 128,id 8205,offset 0,flags [none],proto: TCP (6),length: 44) 172.16.254.21.25 > 172.16.253.128.1294: S,cksum 0xe748 (correct),1781926647:1781926647(0) ack 2090929 win 64240 <mss 1460> 21:42:37.045355 IP (tos 0x0,ttl 127,id 24972,offset 0,flags [DF],proto: TCP (6),length: 40) 172.16.253.128.1294 > 172.16.254.21.25: .,cksum 0xfecd (correct),ack 1 win 64296 3 packets captured 3 packets received by filter 0 packets dropped by kernel [root@vpn-host openvpn]#
成功了!! 我們看到 IP位址 172.16.253.128 嘗試連接上 172.16.254.21 的25埠。但為什麼會由 IP 位址 172.16.0.9 變成了 172.16.253.128呢? 這其實是因為 iptables 做了 NAT (Network Address Translation) 的原 故。但又為什麼電郵主機沒有回應呢? 呵呵,筆者在這裡賣個關子,讓讀者們自已想想吧…(答案在下頁) 至於其他VPN用戶,開立帳戶及安裝用戶端的過程都是一樣,只要按用戶的類別,分派不同網段的IP位址便可 以了。
總結 各位讀者,我們來到這裡,VPN主機基本上已經設定完成,只要在投入生產前再進行漏洞掃瞄,確定安全上沒 有問題便可以了。這將是 mycompany.com 企業中一個安全可靠,價廉物美的VPN方案。 ©版權所有 簡正修, 2008
Page 23 of 34
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
OpenVPN 企業方案
7
參考 [1] James Yonan, OpenVPN HOWTO, October 2006. http://openvpn.net/howto.html [2] Markus Feilner, OpenVPN: Building and Integrating Virtual Private Networks, PACKT Publishing, May 2006. [3] Bastille Security Hardening Scripts http://www.bastille-linux.org
答案: 因為mycompany.com的外部防火牆,還沒有開通容許測 試中的VPN主機連接生產中的電郵主機。
驚喜! 寬頻路由器上安裝OpenVPN 如果可以在一部數百港元的寬頻路由器上安裝OpenVPN,每次起動路由器便起動OpenVPN,豈不 省去一部電腦的成本,更省力和更省電費?
互聯網上的一些有心人,設計出取代寬頻路由器出廠的韌體的程式,可讓用戶安裝自選的程式,加強路由器功能,其中一個 較受歡迎的項目叫做OpenWRT (http://openwrt.org/),已有現成的OpenVPN套件可供下載安裝。 要知道OpenWRT是否支援你的寬頻路由器的品牌和型號(Asus, Belkin, Buffalo, Linksys ...),可到這網頁查詢: http://wiki.openwrt.org/TableOfHardware 如果是支援的話,你就可以著手改裝你的寬頻路由器。不過,你必須有心理準備,改裝韌體會令你的保養合約無效,同時, 改裝前你必須備份原裝的韌體、熟讀還原的步驟,以備不時之需。 OpenWRT上安裝OpenVPN的步驟大同少異,以下祇點題式的補充在OpenWRT上的注意事項: 1. 改裝寬頻路由器韌體的細節,可參考以下兩個網站的資料: http://forum.openwrt.org/viewtopic.php?id=1800 http://martybugs.net/wireless/openwrt/openvpn.cgi 改裝寬頻路由器使用OpenWRT韌體後,要啟動寬頻路由器的 SSH服務,好讓我們使用shell。 2. OpenWRT己停用不需要的系統服務,可省卻加固部分。 3. 在OpenWRT上安裝軟件的命令與Fedora Linux稍有分別。在ssh shell內輸入以下命令: # ipkg install openvpn
4.要令OpenWRT每次起動路由器便起動OpenVPN,可產生或編輯起始檔案 /etc/init.d/S50openvpn,內容如下: #!/bin/sh /ust/sbin/openvpn --config /etc/openvpn
Copyright & Disclaimer
Copyright owned by the author. This article is the views of the author and does not necessarily
5.產生及安裝 CA 證書及VPN主機證書與上文同。又可參考 http://wiki.cacert.org/wiki/OpenWRT 6. 設定OpenVPN主機防火牆 假設OpenVPN使用 UDP1194埠,在OpenWRT的iptables firewall做些設定,編輯/etc/firewall.user檔,加上: ### Allow OpenVPN connections iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 1194 -j ACCEPT iptables -A input_rule -i $WAN -p udp --dport 1194 -j ACCEPT
(其中 $WAN 是firewall.user檔內定義的WAN網絡界面的變數代稱) 7.OpenVPN 客戶端設定和連接測試與上文同。
reflect the opinion of PISA.
Page 24 of 34
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
Forensics
7
Digital Imaging Forensic – Uncover the Truth Anthony Lai CISSP, CEH Program Committee
A
picture is better than a thousand words. With the convenient distribution channel, a picture can easily become the talk of town when it is accessible on the Internet. Netizens are easily impressed by photos which possess a topic of public interest, like terrorist attack, politics or jokes. Yet digital images can be tweaked or even synthesized with abundant tools. The truth behind the an image can be a serious social concern when it comes to identification of a fact. Recent incidents on Southern China Tiger (華南虎), celebrities’ “private photo collection” have heightened one forensically interesting topic – how trustworthy a piece of evidence from digital image is. In Blackhat USA 2007, Dr. Neal Krawetz had a good session on this.[1] In this article, I extract some key points from the presentation and try to illustrate with examples. Digital imaging forensics also founds its application in the detection of intellectual property violations.
Example: 911 Tourist This is a controversial argument over this over 911 Tourist photo (Figure 1). People claims it was taken by a tourist in the top roof of WTC when a hijacked plane was heading to the building. In fact, this “tourist's” gallery has other interesting photos. [2] I illustrate the forensic process to examine this photo.
Image Forensics Analysis Step by Step To analyze an image, we start from observation, basic image enhancement, image format analysis and finally carry out more advanced forensic techniques. Observation and Basic Image Enhancement Let me summarize in Table 1. Basic Photo Forensics - Image Format Analysis Exiftool [3] can be used to list out the metadata of photo: 1.Date and time of photo taking 2.Model of camera 3.Aperture and Shuttle speed 4.Resolution 5.File type 6.Last modified date and time of the photo file Exiftool showed the following metadata of the 911 Tourist photo (Figure 2), but it could neither identify the model of camera nor the original creation date and time.
Figure 1
Table 1
Page 25 of 34
Observation
Basic Image Enhancement (We could use tools to edit the image)
Highlights and Shadows – Have the same lighting and shadows? Color tones in anti-aliasing – With clear edges and their colors do not match the new image background? Reflections – the object with proper reflection? Scale – Combined with reasonable scale? Roots – Objects spliced into an image may appear to be floating? Is it rooted to the background? Items – The items like text and environment in the image could identify specific region, culture or time?
Brightness and Contrast Color Adjustment
Sharpen and Blur Scaling
Invert – Invert portions of an image to make it negative Normalization and Histograms – normalize a photo with wider color range
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
Forensics
7
Digital Imaging Forensic – Uncover the Truth
Figure 2 I use Exiftool against a control photo I took for my dog Lucky below (Figure 3).
Figure 4
NOTE: with Adobe Photoshop, this information could be changed if the photo was modified. However, we could still take this as our preliminary study.
Advanced Technique: Understand its compression history Figure 3 In Figure 4, Exiftool could report that the photo of the dog was taken by Canon Powershot S50 on 6 April 2003. The last modification date was on 18 Nov 2007 saved as other file type.
Page 26 of 34
The tool JPEGsnoop [4] can be used to search and identify the compression signatures of an image. The tool can discover the history of the image being processed and resaved with various software and tools. When run against the “911 Tourist” photo, the tool reported that it had been
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
Forensics
7
Digital Imaging Forensic – Uncover the Truth
processed with Photoshop, MS Paint, MS Visio and Apple Quick-Time (Figure 5). The assessment suggested that the image is an edited sample.
Figure 5 When JPEGsnoop is run against a photo I took in the Blackhat 2007 pre-conference training, it reported that the truth (Figure 6) – the photo was taken with Canon 20D and was original.
Figure 6
Page 27 of 34
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
Forensics
Digital Imaging Forensic – Uncover the Truth
Advanced Technique: Error Level Analysis Error level analysis tells if an image was added or modified. It involves re-saving an image at a known error rate (90%, for example), then subtracting the re-saved image from the original image to see every pixel that changed and the degree to which it changed. The modified versions will indicate a different error level than the original image. A tool called Error Level Analyzer (ELA) by Noah[5]. If you load an image and hit 'Work', it will create a heat map showing when each pixel changes as jpeg quality decreases from 100 to 0. In this mode, a change is by default considered relevant once the sum of the changes to the r, g, and b values exceeds 10. If you would like to use a threshold other than 10, simply type it into the text box on the toolbar. If, after loading an image, you move the track bar, the difference for a particular compression level will be shown. Each tick is five levels, going from 0 on the left to 100 on the right. By default the differences will be exaggerated by a factor of 10 to highlight differences. If you wish to using a color scaling factor other than 10 simply type it into the text box on the toolbar.
Figure 7 We could see an explicit red mark in the bottom-right column from the overall heat map. It exhibits that the right-bottom data mark does not have the same error level as other pixels. You could say it was added or modified. For more advanced tricks, we could simply re-save again and again to align the error level of the “tourist” with the background’s. When using ELA to analyse the photo of Lucky the dogat the compression rate of 25%, the heat map (Figure 8) showed an evenly distributed error.
Load = Load an image - brings up standard load dialog Save = Save the image being displayed - brings up standard save dialog Work = Generate a heat map Trackbar = Display diff for a specific compression level Text box = (heat map mode) the change threshold (diff mode) the color scaling factor.
When using ELA to check the “911 Tourist” photo at 75% compression level, we got the heat map in Figure 7.
Figure 8
Page 28 of 34
7
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
Forensics
7
Digital Imaging Forensic – Uncover the Truth
Next, I added some text to the photo of Lucky the dog, resulting in a new photo (Figure 9).
Summary The above illustrations serve as a start point of the basic digital imaging forensic and analysis. If you are interested, please read Dr. Neal Krawetz's presentation and other references. © copyright Anthony Lai, 2008
References [1] A Pictures’ Worth by Dr. Neal Krawetz http://www.blackhat.com/html/bh-media-archives/bharchives-2007.html
Figure 9 The ELA analysis of this photo (Figure 10) showed the added/modified part with different heat map distribution.
Get more details and there is a book titled with Adobe Photoshop Forensic http://www.hackerfactor.com/blog/index.php?/categorie s/1-Image-Analysis [2] 911 Tourist - He traveled to many places http://urbanlegends.about.com/od/mishapsdisasters/ig/T ourist-Guy/ [3] Exiftool – Reading metadata of an image http://www.sno.phy.queensu.ca/~phil/exiftool/ JPEG Quantization Table (Q-Table) For Various Brands of Camera http://www.impulseadventure.com/photo/jpegquantization.html
Figure 10 Copyright & Disclaimer
Copyright owned by the author. This article is the
[4] JPEGsnoop – Study the Q-Table and compression history of an image http://www.impulseadventure.com/photo/jpegsnoop.html [5] Error Level Analyzer from Noah – Product heat map to identify any modified section in an image http://www.tinyappz.com/wiki/Error_Level_Analyser
views of the author and does not necessarily reflect the opinion of PISA.
Page 29 of 34
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Event
Issue
7
Snapshot We Contribute. We Achieve.
Source Code Review Seminar (Mar-2008) The event was coorganized by PISA and OWASP. The speaker analyzed the approaches to review code with illustrated cases from US online banks. The usual interface of a code review tool was demonstrated.
Speakers: Mr. Robert Rachwald and Mr. Nevin Ng, Fortify Software
Seminar: Live! Wi-Fi Attack and Defense (Feb-2008) The event was organized by PISA, WTIA,ISOC, coorganized by WDC and e-Zone and sponsored by Cyberport. Over 180 participants occupied the Function Rooms of Cyberport. Hacking demonstration and clear illustrations help the participants understanding the issues. We called for strong encryption, good bye to WEP. The attentive audiences travelled all the way to Cyberport in a Saturday afternoon.
The Panel had a very open discussion on the challenges and opportunity of a WiFi city. (from left) Ken Fong, Larry Leung, Charles Mok (moderator), Jim Shek and S.C. Leung
Speakers: (upper photo from left) Ken Fong, Alan Ho (lower photo from left) Sang Young, Anthony Lai
Page 30 of 34
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Event
Issue
7
Snapshot We Share, We Progress.
PISA Annual Dinner (Jan-2008)
Charles Mok
Hon. Sin Chung Kai
Our guests and members enjoyed a wonderful even-ing of PISA Annual Dinner. Among the guests we had Hon. Sin Chung Kai (ITFC), Tiger Wong (HKPF), Cari Wu (OGCIO) Chales Mok (ISOC HK), Francis Fong (HKITF), Lento Yip (HKISPA), Edmon Chung (DotAsia), Abert Wong (AiTLE), Wilson Yuen (Hon. Advisor) and Ricky Lou.
Francis Fong
Lento Yip
Visit to Digital Magic (Dec-2007) The Digital Magic in Causeway Bay is the earliest and the most well established studio in Hong Kong. With the state of art equipment and a very high calibre team, they handle a lot of film post processing and TV advertisements were processed here.
Bruce Schneier Talk - The Psychology of Security (Nov-2007) Mr. Bruce Schneier, CTO of BT Global Service gave a stimulating talk on the psychology of security. He cited a lot of experiments in psychology about human (wrong) perception of security and how these perceptions affect our judgement. His current research opens a new study area for information security.
Page 31 of 34
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Event
Issue
Snapshot We Exchange. We Collaborate.
Anti-Virus Security Experience Sharing Session (Nov-2007) Raymond Ng led a closed door discussion on anti-virus security protection. The interaction was exceptionally good.
War Driving on Tram (Nov-2007) The War Driving Team of PISA and WTIA took out their annual war tramming from Kennedy Town to Shaukiwan. The survey plotted the profile of WiFi security development in Hong Kong.
Next Changes 1. BCP certification by Dr. Goh Moh Heng (Apr 2008) 2. iSCSI application and security by Alex Wu (Apr 2008) 3. PCI Security (May 2008) Do not miss these great events. Please register as member to join these events free of charge.
Page 32 of 34
7
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Issue
7
Our vision provides us our destination. Our missions provide us the directions.
Giving Expert Opinions on info-sec issues PISA and WTIA were invited to 新聞透視 “Wi-Fi 危 機”, Pearl Report “Wireless Woes” (Jan-2008)
KEN FONG
PISA was invited to Pearl Report “Mobile Menace” and 新聞透視 “電腦黑客” (Mar 2008)
JIM SHEK
• Howard Lau was interviewed by TVB 事必關己, ATV 時事追擊 and Ming Pao on Data Protection (Feb 2008)
Delivering public talks on Information Security • PISA gave a talk on “Strength and Weakness of Native Wi-Fi Security Protection” at the Hong Kong Clean PC Day organized by the HKCERT (Nov-2007) • Howard Lau spoke in the IT Security Seminar for 600-700 parents in Tuen Mun Schools (Jan-2008) Howard Lau at the Tuen Mun schools talk
Page 33 of 34
An Organization for Information Security Professionals
P I S A J o u r n a l
Professional Information Security Association
MAR-2008
Professional Information Security Association
Issue
7
http://www.pisa.org.hk
Vision to be the prominent body of professional information security practitioners, and utilize expertise and knowledge to help bring prosperity to the society in the Information Age
Successful Career
Be up-to-date and be more competitive in the info-sec community – line up yourself with the resources you need to expand your technical competency and move forward towards a more successful career.
Networking
Continued Education
Enjoy networking and collaboration opportunities with other in-the-field security professionals and exchange technical information and ideas for keeping your knowledge up to date
Check out job listings information provided by members. Get information on continuing education and professional certification
Sharing of Information
Many Ways
Find out the solution to your technical problems from our email groups and connections with our experienced members and advisors.
Enjoy the discounted or free admissions to association activities - including seminars, discussions, open forum, IT related seminars and conferences organized or supported by the Association.
You Can Benefit
Membership Information
Realize Your Potential
Professional Recognition
Develop your potentials and capabilities in proposing and running project groups such as Education Sector Security, WLAN & Bluetooth Security, Honeynet, Public Policy Committee and others and enjoy the sense of achievement and recognition of your potentials
Benefit from the immediate access to professional recognition by using postnominal designation
Membership Requirements Enquiry email: membership@pisa.org.hk
Membership Application Form: http://www.pisa.org.hk/me mbership/member.htm
Annual Membership Fee (HK$) Type Full
500
Associate
300
Affiliate
300
Student
100
Qualifications
Requirements Relevant Experience
Recognized Degree in Computing discipline, OR other appropriate educational / professional qual. Tertiary Education Interested in furthering any of the objects of the society Full-time student over 18 years old
3 years Info-Sec working experience Info-Sec related experience Nil Nil
Code of Ethics: http://www.pisa.org.hk/ethi cs/ethics.htm
Page 34 of 34
• Relevant computing experience (post-qualifications) will be counted, and the recognition of professional examinations / membership is subject to the review of the Membership Committee. • All members must commit to the Code of Ethics of the Association, pay the required fees and abide by the Constitution and Bylaws of the Association An Organization for Information Security Professionals