I took away three things from this article: computer systems are not essential for health care, someone wasn’t patching or following security policies, and the worm provides a back door for attackers. The doctors and the hospital are still providing medical care to patients. The computer systems certainly help them do this job more efficiently, but they’re not required. I think this points out the importance of security vs convenience. The doctors just want to help their patients, and if they have to do that without computer systems, so be it. Most of the computerized equipment they really need should not be (and usually isn’t) connected to a network. If the computer systems become difficult to use because of security – the doctors will just not use them.

The second thing I noticed, but wasn’t mentioned directly in this story was that the worm had to get on those systems in the first place. That was either over the network, or brought in from a user. Either way, it tells me that patches weren’t applied and anti-virus was not running on access. Someone wasn’t following policy.

The final piece of information that was glossed over in the Register’s article is that the worm opens back doors on systems and contains spyware. Now, I’m sure the writers of the worm didn’t think that it would end up on a healthcare system, so they’re probably not looking for Personally Identifiable Information (PII), but that information is still there, and likely accessed by the users of those systems. If a keylogger was installed, all of that is now “public” to the botnet’s users. I think the hospitals will have a larger job of cleaning up after this and determining what the worm did with that information than they do now in getting the systems back up and running.

Recovering from an “attack” is not as simple as restoring last known good configurations. You have to duplicate the drives, re-install the systems, then restore data (and hope you have good recent backups). If you want any chance of prosecuting the individual(s) responsible, duplicating the drives for forensic analysis is one of the most important steps. And until that’s done, these hospitals will be without computer systems.

But instead of simply telling you how to setup a plethora of VMs, configuring them, then going into endless tutorials on how to secure and exploit those “fake” servers yourself, why not point you to a place where you can get pre-configured VMs and the tutorials and assignments for learning how to discover the vulnerabilities? The focus point I’m speaking of is De-Ice.net. More specifically their pre-configured PenTesting Disks (they are actually distributed as LiveCDs, but I like to simply run them in a VM instead of burning them to disc and running them). There are currently two levels to choose from and a grand following of users that are there to help answer your questions, and some well written tutorials to show you what to look for and provide some helpful tips for when you get stuck.

I thought this was a great resource especially if you’re someone who learns through doing instead of simply reading or listening to lectures. So don’t take my word for it, give them a try, and if you’re already an experienced PenTester, then let us know your thoughts or other resources for those wishing to learn some more.

De-Ice.net

Each Tuesday, Security Musings features a topic to help educate our readers about security.  For more information about Gemini Security Solutions’ security education capabilities, contact us!

Because of my belief that education is important to the elimination of bad habits, I thought it would be a good idea to point our readers to some resources that will help them understand SQL injection and how to avoid it.

What is SQL injection?

The Wikipedia article on the subject has examples of the many forms of attack on SQL statements as well as samples of code to prevent them from occurring.

In Your Language

Using parameters in your SQL queries will eliminate most threats. Here are some useful links to learn how to use parameterized queries in your preferred programming language.

• VB .NET/C#: sample code using the SqlCommand object
• Java: using prepared statements
• PHP/MySQL: use MySQLi or escape all parameters
• ColdFusion: using cfqueryparam

Our custom application, SimpleCapiUI provides the ability to quickly check the revocation status of certificates stored in CAPI, but it also provides drag-and-drop functionality so that a user can install certificates into CAPI by dragging a certificate, PKCS#12 key file, or PKCS #7 signature file onto the interface.

Additionally, an entire folder may be dropped into the application and SimpleCapiUI will scan the folder recursively to find certificates to install. By reducing the complexity of dealing with the Windows certificate store, SimpleCapiUI streamlines the process of testing PKI-enabled software.

For example, on my development machine, I have a script that uses OpenSSL to create a two-tiered PKI with a root certificate, intermediate certification authority, end user, timestamp authority and OCSP certificates.  After running this script, I can drag the folder containing the script into the SimpleCAPI interface, and after entering the password common to all of the PKCS12 files, all of the certificates in the PKI are imported into CAPI with the appropriate trust settings.  This allows me to create and install an entire test PKI in a minute or two, without having to click through the certificate import wizard a dozen times.

If you have to perform a lot of PKI-based application testing, SimpleCAPI can make deployment of testing certificates a lot simpler.

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!

1) Google-caja project, Common Attack Vectors

This link gives an excellent breakdown of many methods by which a malicious user may try to break or exploit the page code. Information is given on both the JavaScript level and the DOM/environment/CSS level.

2) OWASP Application Security FAQ

The useful thing about the OWASP app. sec. FAQ is the way it’s written. The topics cover things that a web application developer might actually ask—“Should I really be concerned that my web server can be fingerprinted?” “What is Cross Site Tracing (XST)? How can it be prevented?”

In addition, the answers are informative without being too technical in nature. It’s almost as if the writers want to point you in the right direction and encourage independent research on the subjects… which is a very good thing.

3) Improving Web Application Security: Threats and Countermeasures

This MSDN Library document does an excellent job of outlining the theory behind web application security. From “best practices” to “threat modeling” this thing covers the multiple tiers and layers of web applications that are often targeted. Although a lot of focus is placed on .NET code, much of the stuff taught in this online document can generally be applied to other programming languages as well.

Each Tuesday, Security Musings features a topic to help educate our readers about security.  For more information about Gemini Security Solutions’ security education capabilities, contact us!

Today I’m going to outline how the new Remote Desktop Connection (RDC) works, or at least what’s changed. From a security perspective, the original RDC’s design was actually backwards from what is considered good security.

Think about how you connect to a pre-Server 2008 Terminal Server. You enter the name of the server and a connection is initiated to its logon screen. Then, once you hit that logon screen you begin the process to authenticate. From a security perspective, this isn’t a good idea. By doing it in this manner, you’re actually accessing a server prior to authenticating to it. This is the reverse of how nearly all other network services provide authentication security.

Network Level Authentication (NLA) with RDC 6.0, reverses the order in which a client attempts to connect. If you’ve used the new client, you’ve probably noticed how it asks for your username and password before it takes you to the logon screen. If you’re attempting to connect to a pre-Server 2008 server, a failure in that initial logon will fail back to the old login process. But where this new feature shines is when connecting to Windows Vista and W2008 servers with NLA configured. Here, that fallback authentication can be prevented from ever occurring. This prevents the bad guys from gaining console access to your server without a successful authentication.

You can set up Network Level Authentication in Vista and Server 2008 by right clicking on Computer and choosing Properties, then selecting Remote Settings. Under Remote Desktop, ensure Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure).

I’m still exploring Server 2008 as I don’t have a direct everyday use for it in my job, so as new features come to mind I’ll continue to share them and their importance.

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!

Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.2 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.

The first step is removing the certificate from Firefox. Go to Firefox->Preferences and click the “advanced” logo at the top, then the “encryption” tab. Finally, click the “View Certificates” button. You should see a list of all the certificates you have. Unless you went through the trouble of getting your CACert certificate assured, it’ll just say “CACert WoT User”

If you highlight the certificate and click the “Backup…” Button at the bottom, you’ll be asked for where to save the file. You’ll notice at the bottom that the Save As type is PKCS12. This is a common format for transferring both your public and private key between computer systems. You will be asked for a password to protect your private key – this is so that only you can open it when you’re ready. And you will now have a .p12 file wherever you saved it. Since I’m just importing into Keychain, I saved it to my desktop.

Now, you’ve exported your certificate from Firefox, and it’s time to import it into OS X Keychain. This is as simple as double clicking on the file you just saved. The first window you’ll see is a confirmation that you want to import the certificates into your login keychain.

It will ask you for the password that protects the file.

Once you’ve typed in your password, the certificate is now part of OS X Keychain, and can be used by any application that uses Keychain.

Of course, this can be used to export certificates from Firefox into any application or framework that supports P12 files (most do).

Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!

According to their website:

RootKit Hook Analyzer is a security tool which will check if there are any rootkits installed on your computer which hook the kernel system services. Kernel RootKit Hooks are installed modules which intercept the principal system services that all programs and the operating system rely on.

The Hook Analyzer simply examines the system call lookup table to find system call module addresses pointing outside of the kernel memory area. This indicates that a service has been hooked. It also gives users some details about what foreign module/device driver is responsible for handling the system call. Used properly, this can help identify malicious rootkits.

Each Thursday, Security Musings features a security-related technology or tool. Featured items do not imply a recommendation by Gemini Security Solutions. For more information about how Gemini Security Solutions can help you solve your security issues, contact us!

Giving a nod to developers who’ve apparently given a lot of feedback, as well as “certain commercials,” Microsoft’s platform chief Steven Sinofsky acknowledged that perhaps User Account Control in Windows Vista may have been…a little annoying. In turn, Windows 7 has additional UAC settings.

Sinofsky said that with UAC, Microsoft had what he described as “the best intentions” in mind. But its attention to informing the user about what’s going on and getting consent “possibly went too far.”
...
For now, in the Pre-Beta version of Windows 7, there are now four settings for configuring how intrusive UAC will be: Never notify me, Only notify me when programs try to make changes, Always notify, and Notify and wait for my approval.