FSSCC releases new tool to streamline compliance efforts

The FSSCC released a new tool that aims to reduce the number of hours spent answering redundant security control questions. Like the ACAT tool, the new Cybersecurity Profile attempts to determine an institution's risk impact level. The main difference is that the ACAT scales the risk based on organization size, whereas the Cybersecurity Profile tries to define the impact of the institution on everyone else. Much like how NERC establishes a utility's impact on the greater grid before applying controls, the FSSCC's Profile modifies some controls based on the impact assessment results.
Read more

Uncover credit card numbers with PANHunt

It's always good to know where stray credit card numbers live on your network, even if PCI compliance isn't a concern for you. Any unencrypted credit card information should be purged from the network to prevent accidental disclosure. I have used grep and Nessus in the past for these audits, but both were lacking in their functionality. Fortunately, I recently stumbled across the PANhunt repo on GitHub.

What is PANHunt?

PANhunt is a Python-based script which scans text files, Office documents, Outlook files, and even ZIP archives for data resembling a credit card number. PANhunt can also be compiled into a Windows executable, making it extremely useful for these types of tests.

Build PANHunt

While there appears to be a pre-built EXE version in the repo, it is older than panhunt.py itself. I recommend building it yourself using the rough steps below:

Using PANHunt

If you run PANHunt with no options, it appears to scan C:\ for every file you have permission to read. The defaults also scan "text" files and "zip" files, which includes all the major Office formats (.docx, .xlsx and friends are ZIP containers). It will additionally scan email (.MSG), Outlook (.PST/.OST) and Access (.ACCDB/.MDB) files.

My initial run picked up a few test files under the C:\Python27 folder but nothing valid on the build computer. For a better test, I went to getCreditCardNumbers and copied those numbers into a text file, an Excel file, and possibly a Word file on my computer. The site generates invalid test data that conforms to the formats used by Amex, Mastercard, Discover, and Visa. This scan picked up all my test files accurately, but it does seem to generate a false positive on a Chrome log file.

PAN Hunt Report - 11:46:18 02/10/2018
====================================================================================================
Searched c:\users
Excluded C:\Windows,C:\Program Files,C:\Program Files (x86)
Command: panhunt -s c:\users
Uname: Windows | GOMERS-PC | 10 | 10.0.17134 | AMD64 | Intel64 Family 6 Model 44 Stepping 2, GenuineIntel
Searched 2171 files. Found 52 possible PANs.
====================================================================================================
FOUND PANs: c:\users\gomer\Desktop\cardnums.txt (401B 02/10/2018)
	 AMEX:***********3773
	 AMEX:***********3723
	 AMEX:***********0966
	 AMEX:***********7487
	 AMEX:***********2958
	 Visa:************0764
	 Visa:************9813
	 Visa:************9100
	 Visa:************0909
	 Visa:************5143
	 Mastercard:************4084
	 Mastercard:************3389
	 Mastercard:************0212
	 Mastercard:************8065
	 Mastercard:************5314
FOUND PANs: c:\users\gomer\Documents\test-cc-data.xlsx (11KB 02/10/2018)
	xl/sharedStrings.xml AMEX:***********3039
	xl/sharedStrings.xml AMEX:***********7916
	xl/sharedStrings.xml AMEX:***********9168
	xl/sharedStrings.xml AMEX:***********0795
	xl/sharedStrings.xml AMEX:***********3384
	xl/sharedStrings.xml Visa:************0527
	xl/sharedStrings.xml Visa:************1455
	xl/sharedStrings.xml Visa:************4899
	xl/sharedStrings.xml Visa:************6760
	xl/sharedStrings.xml Visa:************5262
	xl/sharedStrings.xml Mastercard:************7492
	xl/sharedStrings.xml Mastercard:************3734
	xl/sharedStrings.xml Mastercard:************8957
	xl/sharedStrings.xml Mastercard:************6043
	xl/sharedStrings.xml Mastercard:************3496
FOUND PANs: c:\users\gomer\Documents\Visa.docx (14KB 02/10/2018)
	word/document.xml AMEX:***********2914
	word/document.xml AMEX:***********5174
	word/document.xml AMEX:***********6675
	word/document.xml AMEX:***********0825
	word/document.xml AMEX:***********1297
	word/document.xml Visa:************5349
	word/document.xml Visa:************7362
	word/document.xml Visa:************7608
	word/document.xml Visa:************3546
	word/document.xml Visa:************8202
	word/document.xml Mastercard:************4025
	word/document.xml Mastercard:************2316
	word/document.xml Mastercard:************9032
	word/document.xml Mastercard:************8105
	word/document.xml Mastercard:************6284
216e98d79fe438a717b108553434e3bab8b30d5ab0e3679c7ebc5d6dc66b38b778c5943eb7a94c82287a072a2b472a68a5c8266c7d4f3b7d6d59473343f797f1

Scanning the network

With a little ingenuity and the right permissions, you should be able to scan your entire network for credit card data. But there are some caveats worth mentioning:

Anti-malware programs will probably intercept your new EXE. Symantec gave me a couple of fits before allowing it to run on my computer, and I am unsure how this would impact a network scan. I suspect it trips the same triggers that ransomware would.

You are going to get more false positives scanning a whole PC. Everything from ClickToRun stream files to random log files contains credit-card-like strings of digits. Consider using the -s switch to limit your search path.

You can scan mapped network drives and UNC paths, so the entire scan can be run from one machine with the right credentials. Coupling PANHunt with PsExec might be useful as well, but you would need to pull the report back to a central location.

Files will need to be manually validated. I encountered a fair number of false positives due to strings of numbers that PANHunt decided were credit card numbers. Use your judgement on this – some files I could eliminate just by their names, but others required me to actually look at the offending file. I also recommend validating files that give you the "Invalid ZIP file" error to determine whether they are password protected, corrupted, or you simply do not have access to them.
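To make the false-positive and validation points concrete, here is an added example of my own (not PANhunt's code) that does the core of what PANhunt does: regex candidates for Visa, Mastercard and Amex numbers in text files and inside ZIP-based Office documents, a Luhn check to weed out digit strings that merely look like card numbers, masked output, and an "Invalid ZIP file" entry for containers that will not open. The sample files it scans are constructed test data built from the well-known test PANs (4111 1111 1111 1111 and friends), and the file-extension lists are my assumption, not PANhunt's defaults.

```python
import os
import re
import tempfile
import zipfile

# Candidate patterns for the brands the post tested. Digit groups may be separated
# by one space or dash, as they often are in documents. Assumption: 16-digit Visa
# only; 13-digit legacy Visa numbers and Discover are not matched here.
BRAND_PATTERNS = {
    "Visa": re.compile(r"(?<![\d-])4\d{3}(?:[ -]?\d{4}){3}(?![\d-])"),
    "Mastercard": re.compile(r"(?<![\d-])5[1-5]\d{2}(?:[ -]?\d{4}){3}(?![\d-])"),
    "AMEX": re.compile(r"(?<![\d-])3[47]\d{2}[ -]?\d{6}[ -]?\d{5}(?![\d-])"),
}
TEXT_EXTENSIONS = {".txt", ".log", ".csv", ".xml", ".json"}
ZIP_EXTENSIONS = {".zip", ".docx", ".xlsx", ".pptx"}   # OOXML files are ZIP containers

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check-digit test (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the last four digits, as PANhunt's report does."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pans(text: str):
    """Yield (brand, masked_pan) for every Luhn-valid candidate in the text."""
    for brand, pattern in BRAND_PATTERNS.items():
        for m in pattern.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):        # drops most log/ID strings that merely look like PANs
                yield brand, mask(digits)

def scan_file(path: str):
    """Return [(member, brand, masked)] for a text file or a ZIP-based document.
    Every XML member of an Office container is scanned: typed text sits in
    xl/sharedStrings.xml or word/document.xml, numeric cells in the sheet XML."""
    ext = os.path.splitext(path)[1].lower()
    findings = []
    if ext in ZIP_EXTENSIONS:
        try:
            with zipfile.ZipFile(path) as zf:
                for member in zf.namelist():
                    if member.lower().endswith((".xml", ".txt", ".csv")):
                        text = zf.read(member).decode("utf-8", errors="replace")
                        findings += [(member, b, p) for b, p in find_pans(text)]
        except zipfile.BadZipFile:
            # PANhunt reports these as "Invalid ZIP file"; check whether the file is
            # password protected, corrupt or simply unreadable before moving on.
            findings.append(("", "ERROR", "Invalid ZIP file"))
    elif ext in TEXT_EXTENSIONS:
        with open(path, "rb") as fh:
            text = fh.read().decode("utf-8", errors="replace")
        findings += [("", b, p) for b, p in find_pans(text)]
    return findings

def scan_tree(root: str):
    """Walk root and return {relative path: findings} for files with a hit or error."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def build_sample_tree(root: str) -> None:
    """Constructed test data: well-known test PANs that pass Luhn, not real cards."""
    with open(os.path.join(root, "cardnums.txt"), "w") as fh:
        fh.write("visa 4111 1111 1111 1111\nmc 5555555555554444\namex 378282246310005\n")
    # A log line with a 16-digit number that starts with 4 but fails Luhn: a
    # regex-only scan reports it, the Luhn check does not.
    with open(os.path.join(root, "chrome_debug.log"), "w") as fh:
        fh.write("session id 4111111111111112 started\n")
    # Minimal stand-in for an .xlsx: a ZIP holding xl/sharedStrings.xml.
    with zipfile.ZipFile(os.path.join(root, "test-cc-data.xlsx"), "w") as zf:
        zf.writestr("xl/sharedStrings.xml", "<sst><si><t>4111-1111-1111-1111</t></si></sst>")
    with open(os.path.join(root, "broken.docx"), "wb") as fh:
        fh.write(b"not a zip at all")       # exercises the Invalid ZIP file path

def demo():
    """Build the sample tree in a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        print("FOUND PANs:", path)
        for member, brand, masked in hits:
            print("\t", member, f"{brand}:{masked}")
```

The Luhn check removes the log-file style false positive in the sample tree, but it is only a checksum: about one in ten random 16-digit strings passes it, so the files it reports still need the manual look described above. It also only handles the two error modes it can see (a container that is not a ZIP, and text it cannot decode); a password-protected ZIP opens fine but its members cannot be read, which is the case worth chasing by hand.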

One last thing – Put padding down in the spot where you normally bang your head on the desk. You might need it.

Time Management for System Administrators

This book contains a number of valuable concepts for those new to IT as well as those who have been around for a while. While the book is somewhat dated technically (circa 2005), the advice is not. Topics range from how to deal with your boss and customers, to managing email, automation, and eliminating busy work. It's a quick read and definitely worth a look.
Read more

Moving to Jekyll

Why Jekyll?

Jekyll makes sense for me. Operationally, I want low overhead for generating and publishing my content. I want to be able to maintain a backup copy of my site without having to set up a duplicate WordPress server. I've already become accustomed to writing in Markdown since moving over to NextCloud and using the Markdown plugin. And I know my way around a command line.

I would not recommend Jekyll for everyone…or for anyone not technically inclined. You need to install a Ruby dev environment, learn the syntax, and understand how it all works to produce a static site. If none of that makes sense to you, move to a hosted WordPress site where someone else does all of the crap work for you.

As a matter of fact, run over to Jordan Harbinger’s to listen to a podcast or two and support his show using a HostGator discount code! And if you want to hear random geek-induced fits of techno-rage, check out his producer’s show Grumpy Old Geeks. Boom – two shameless plugs in one paragraph. Seriously tho – both are great shows!

How do you do it? Well there’s plenty of good blog posts on that, so instead of re-inventing the wheel:

Jekyll Install Docs – For the RTFM in all of us.
GirlieMac’s How To – Well done post on getting up and running.
Neal Buerger’s How To
From WordPress to Jekyll

How I did it…

I didn't bother moving my comments over to Disqus. If you want to comment, use my Twitter please.
Installed the prereqs, then installed Jekyll.
Created a new skeleton blog in a folder syncing with my NextCloud to facilitate use on multiple machines.
Installed Ben Balter WordPress Exporter for Jekyll on my existing site.

Make sure you have php-zip and php-gd installed or you will get a 500 error.

Rename _config.yml to _orig_config.yml so you can grab what you might need out of it.
Copy the exported files into your skeleton directory.
CD into the blog directory and run jekyll build

Extra points if you remember to actually CD into that new directory before you run the build/serve commands. I had a facepalm moment here.

Run jekyll server to see the site on http://127.0.0.1:4000.
Fixed any issues
Removed my WP site and published this one.

Poke around – you will definitely need to fix a few things, like deleting the defaults that Jekyll drops in. You will also need to alter _config.yml to fit your site, social media links, etc., as the defaults are pretty bare.

Things to fix

Make sure to set the site’s title directive in the config file.
Delete the empty directories. Also delete anything from your wp-content/uploads directories related to any WAF plugins.
Fix any HTML entity issues by hand. I tried recode and it borked all of my posts up in good shape.

Left to do

I need to integrate the site deployments directly into my jekyll config…because lazy.
Decide if I want a different theme

Handy tidbits

Limiting the number of posts on the homepage.

I have a substantial number of posts ported over from WordPress and my Blogger sites, but I really only want the most recent posts on the home page. After spending a lot of time playing with paginator and not getting it working, I stumbled across a dead-simple option. First, copy home.html from the gem's _layouts folder into the _layouts folder in your blog (create it if it doesn't exist). This will allow you to override the original file completely. Open home.html, find the for post loop and add limit:3; only the 3 latest posts should then be displayed. As a bonus, my build time dropped to a couple of seconds.

{% for post in posts limit:3 %}

{% endfor %}

If you do not know where to find the original files in the gem, issue this command:

bundle show <gemname>

Excerpts

Want to break long blog posts up so only a bit shows on the homepage, etc.? Set up a separator tag in your _config.yml, then embed that tag in your blog posts where the excerpt should end. See the Jekyll Docs for more info.

excerpt_separator: <!--more-->

Themes

Here’s the most important tip for working with themes: MAKE A BACKUP BEFORE YOU DO! You could fork the code if you are using git, but I chose to just create a new skeleton blog using jekyll new and start from there.

If you are new to Jekyll, I'd advise sticking to gem-based themes to keep your confusion level down. The default Minima theme is great, but lacks a few key features that I wanted, such as pagination or limiting the number of posts on the home page. I started digging into Minima-Reboot after a few less than stellar attempts to customize Minima. There are a ton of great themes out there, but not many are gem-based for some reason.

Email Security Checklist

General

Pick an MTA that supports the options described below, and configure them appropriate to your situation.
Leave room for exceptions, as not everyone on the internet will come close to running a compliant MTA. You will always have a critical business partner that just doesn't care.

When making exceptions, try not to make global exceptions like whitelisting a domain. Be as granular as possible by whitelisting the sender’s specific mail server, or an individual address.
Exceptions for non-compliance with RFCs should not exempt the message from higher-level security scans such as malware and phishing filters.

Client Security

Require strong passwords (KC)
Use multifactor authentication when appropriate – webmail, etc. (KC)
Use TLS to secure all client access methods (not just web) (NIST)
User awareness

Server Security

Network

Deploy behind firewall/IPS

At least deploy a host firewall and possibly HIDS (NIST)

Deploy in a DMZ, behind a firewall and not NAT’d from the local network

Logging

Ensure logging is configured and forwarded to a centralized logging server

DNS

Multiple DNS Servers

Find supporting information

MX Records

According to RFC 5321 section 2.3.5, the name in an MX record must resolve to one or more A/AAAA records; it must not be a CNAME. The sending MTA tries the destination's MX hosts in order of increasing preference value (lowest number first) until a connection can be made and the message successfully transferred (RFC 5321 section 5.1).
While SMTP does have a store-and-forward design, sending servers will give up and bounce undeliverable mail after a retry period (RFC 5321 suggests at least 4 to 5 days). Having at least two MX records keeps delivery possible while one server is offline.
Resilience Strategies

At least 2 MX records in different subnets, similar to how DNS recommends name servers in different subnets for DoS protection.
A primary MX and a backup MX which could be another service provider paid to store your mail if you go offline.

Reverse DNS matches Forward DNS (KC)
SPF Record (KC)
DMARC Record
DomainKeys/DKIM (KC)
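An added example (mine, not from the checklist's sources) that turns the MX, SPF and DMARC items above into checks you can run against a domain. It runs against a constructed, in-memory set of DNS answers rather than live lookups so that it works offline; to use it for real, replace lookup() with a resolver call. The /24 boundary used to decide whether two MX hosts share a subnet is my assumption, as are the example domains and addresses.

```python
import ipaddress
import re

# Constructed DNS answers standing in for live lookups (this example never touches
# the network). Owner name -> RR type -> data; MX data is (preference, target).
ZONE = {
    "good.test": {"MX": [(20, "mx2.good.test."), (10, "mx1.good.test.")],
                  "TXT": ["v=spf1 mx -all"]},
    "_dmarc.good.test": {"TXT": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.test"]},
    "mx1.good.test.": {"A": ["192.0.2.25"]},
    "mx2.good.test.": {"A": ["198.51.100.25"]},
    "weak.test": {"MX": [(10, "mail.weak.test."), (20, "mail2.weak.test.")],
                  "TXT": ["v=spf1 a mx ~all"]},
    "_dmarc.weak.test": {"TXT": ["v=DMARC1; p=none"]},
    "mail.weak.test.": {"CNAME": ["real.weak.test."]},   # an alias used as an MX target
    "real.weak.test.": {"A": ["203.0.113.10"]},
    "mail2.weak.test.": {"A": ["203.0.113.11"]},        # same /24 as the primary
}

def lookup(name, rtype, zone=ZONE):
    """Stand-in for a DNS query; swap for a real resolver to check live domains."""
    return zone.get(name, {}).get(rtype, [])

def check_mx(domain, zone=ZONE):
    """MX checks from the list above: address records only, two or more hosts,
    hosts in different subnets (assumption: a /24, or /64 for IPv6, is one subnet)."""
    findings = []
    mxs = sorted(lookup(domain, "MX", zone))      # senders try the lowest preference first
    if not mxs:
        return ["no MX record: senders fall back to the bare A/AAAA record, if any"]
    if len(mxs) < 2:
        findings.append("only one MX record, so no fallback while it is offline")
    subnets = set()
    for _pref, target in mxs:
        alias = lookup(target, "CNAME", zone)
        if alias:
            findings.append(f"MX target {target} is a CNAME (MX targets must not be aliases)")
            target = alias[0]                      # follow it once for the address check
        addrs = lookup(target, "A", zone) + lookup(target, "AAAA", zone)
        if not addrs:
            findings.append(f"MX target {target} has no A/AAAA record")
        for addr in addrs:
            prefix = 24 if ipaddress.ip_address(addr).version == 4 else 64
            subnets.add(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    if len(mxs) >= 2 and len(subnets) < 2:
        findings.append("all MX hosts share one /24, so one outage takes every MX down")
    return findings

def check_spf(domain, zone=ZONE):
    """Exactly one v=spf1 record, ending in -all rather than +all, ?all or ~all."""
    records = [t for t in lookup(domain, "TXT", zone) if t.lower().startswith("v=spf1")]
    if not records:
        return ["no SPF record"]
    if len(records) > 1:
        return ["multiple SPF records: RFC 7208 allows one, receivers return permerror"]
    last = records[0].split()[-1]
    if last.lower().startswith("redirect="):       # policy delegated to another record
        return []
    m = re.fullmatch(r"([+\-~?]?)all", last)
    if not m:
        return [f"SPF does not end in an 'all' mechanism (last term: {last})"]
    qualifier = m.group(1) or "+"
    if qualifier == "+":
        return ["SPF ends in +all: any host on the internet may send as this domain"]
    if qualifier in "~?":
        return [f"SPF ends in {last}: failures are soft or neutral, prefer -all once the record is trusted"]
    return []

def check_dmarc(domain, zone=ZONE):
    """A DMARC policy that acts on failures and asks for aggregate reports."""
    records = [t for t in lookup("_dmarc." + domain, "TXT", zone)
               if t.upper().startswith("V=DMARC1")]
    if not records:
        return ["no DMARC record at _dmarc." + domain]
    tags = {}
    for kv in records[0].split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC p={policy or '<missing>'}: receivers take no action on failures")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to show who is spoofing the domain")
    return findings

def assess(domain, zone=ZONE):
    return {"mx": check_mx(domain, zone), "spf": check_spf(domain, zone),
            "dmarc": check_dmarc(domain, zone)}
```

Against the constructed data, good.test comes back clean and weak.test collects the CNAME-as-MX-target, single-subnet, ~all and p=none findings. When pointing this at a real domain, remember that a missing MX is not always a fault (the domain may simply not receive mail) and that a DMARC p=none record is the normal starting point for a domain that has not yet reviewed its aggregate reports.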

SMTP

RFC

Simple Mail Transfer Protocol
Anti-Spam Recommendations for SMTP MTAs

Prefer (or enforce) TLS transmission (KC)

SMTP Service Extension for Secure SMTP over Transport Layer Security
Will forcing TLS prevent legitimate email from partners that do not support it? Will it cut down on spam/malware?
Only allow connections with certificates that can be validated (i.e. not self-signed or expired).

Enforce relay control (KC)

Anti-Spam Recommendations for SMTP MTAs
Only accept mail for hosted domains/users (Chris)
Enforce authentication controls for relay (i.e. only hosted domain/users can send outbound email) (KC)

Rate Control/Tarpitting

Anti-Spam Recommendations for SMTP MTAs
Use “tarpitting” to increase the resources/time required to send multiple emails to the domain

Verify FROM

Anti-Spam Recommendations for SMTP MTAs
FROM domain MX record should exist

Verify RECEIVED BY Headers

RDNS lookups – reject if (KC)

RBL lookups – reject/flag (KC)
SPF lookups – flag/reject
DKIM/DomainKeys – flag/reject
Content Filtering (Chris)

Attachment blocking (Chris) – block executables and common malware vectors

Use both file extension and file headers to determine file type – foils renamed files
Executables – EXE, BIN, COM (others)
Scripts – BAT CMD PS1
Screen Savers – SCR
Flash/Shockwave
Windows Help Files – HLP and newer version?
Compiled HTML – MHT, MHTML files
Advanced level – strip based on regexes for commonly used schemes that hide dangerous extensions from users (but this really won't be needed if you are doing the basics)

Malware scanning (KC)

Strip known malware (matching sigs) (Chris)
Scan within archive/zip files (Chris) – multilevel
Mark encrypted attachments as suspect? (Chris) – worth the discussion as malware vector but also common for security
Advanced – consider running unknown files in a sandbox
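The attachment-blocking and malware-scanning items above combine an extension block list, file-header (magic byte) sniffing so renamed files are caught, recursion into archives, and a suspicion flag for encrypted entries. Here is an added example of my own, not code from any of the checklist's sources, implementing that order of checks over constructed sample attachments. The extension list extends the one in the checklist, and the magic-byte table, the nesting limit and the sample files are my assumptions.

```python
import io
import zipfile

# Extensions the checklist names (EXE, BIN, COM, BAT, CMD, PS1, SCR, HLP, MHT/MHTML)
# plus a few others commonly abused in mail; the extras are my assumption.
BLOCKED_EXTENSIONS = {
    "exe", "bin", "com", "dll", "bat", "cmd", "ps1", "scr", "hlp", "chm", "mht",
    "mhtml", "swf", "vbs", "js", "jse", "wsf", "hta", "jar", "msi", "lnk",
}
# Leading bytes of formats worth recognising; a renamed file keeps its magic.
MAGIC = [
    (b"MZ", "pe-executable"),           # EXE/DLL/SCR and PE-format COM files
    (b"\x7fELF", "elf-executable"),
    (b"ITSF", "chm"),                   # compiled HTML help
    (b"FWS", "flash"), (b"CWS", "flash"), (b"ZWS", "flash"),
    (b"PK\x03\x04", "zip"),             # also docx/xlsx/pptx/jar
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0", "ole2"),      # legacy doc/xls/ppt, macro capable
]
EXECUTABLE_TYPES = {"pe-executable", "elf-executable", "chm", "flash"}
# What the content should look like for extensions that are normally allowed.
EXPECTED = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "pptx": "zip", "zip": "zip"}

def sniff(data):
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def verdict(name, data, depth=0, max_depth=3):
    """Return (decision, reason) with decision one of block / flag / allow.
    Order matters: extension block list first, then content type regardless of
    the name, then extension/content mismatch, then recursion into archives."""
    ext, kind = extension(name), sniff(data)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"{name}: blocked extension .{ext}"
    if kind in EXECUTABLE_TYPES:
        return "block", f"{name}: content is {kind} regardless of the .{ext} name"
    if ext in EXPECTED and kind != EXPECTED[ext]:
        return "flag", f"{name}: named .{ext} but content looks like {kind}"
    if kind == "zip":
        if depth >= max_depth:
            return "flag", f"{name}: archives nested more than {max_depth} deep"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:            # bit 0 = entry is encrypted
                        return "flag", f"{name}: encrypted entry {info.filename}, cannot be scanned"
                    inner = verdict(info.filename, zf.read(info), depth + 1, max_depth)
                    if inner[0] != "allow":
                        return inner[0], f"{name} -> {inner[1]}"
        except zipfile.BadZipFile:
            return "flag", f"{name}: ZIP signature but the archive is unreadable"
    return "allow", f"{name}: {kind}"

def _encrypted_zip(name, payload):
    """Constructed sample: write a normal ZIP, then set the 'encrypted' flag bit in
    the local and central headers (zipfile cannot write encrypted archives)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        raw[raw.find(signature) + offset] |= 0x01
    return bytes(raw)

def sample_attachments():
    """Constructed attachments; none of them are real malware."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.js", "var x = 1;")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("docs.zip", inner.getvalue())
    return {
        "invoice.pdf": b"MZ" + b"\x90" * 62,            # PE header renamed to .pdf
        "report.pdf": b"%PDF-1.7\n%constructed\n",
        "archive.zip": outer.getvalue(),                # zip -> zip -> .js script
        "locked.zip": _encrypted_zip("secret.txt", "x"),
        "notes.txt": b"plain text, nothing to see",
    }

def classify_samples():
    return {name: verdict(name, data) for name, data in sample_attachments().items()}
```

The renamed executable is caught by its MZ header even though its name says PDF, the script two archive levels down is caught because the recursion carries the block list with it, and the encrypted ZIP is flagged rather than silently allowed because nothing inside it can be inspected. Real gateways also need a size cap and a total-entry cap on the recursion, or a crafted archive will exhaust the scanner.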

POP3/IMAP

Find RFC/Documentation backup

Enforce the use of TLS (KC)
Strong Passwords (KC)

Require strong passwords which have not been used in a known breach.

Backup/Recovery

Perform a routine configuration backup – at least before each time you change the configuration. Store the configuration off-server for security.
Perform a routine data backup of all mailbox contents.

Patching – routinely patch the server (NIST)
Prevent password guessing (NIST)

Account lockouts, etc.
Consider fail2ban on linux machines (Chris)

After-reception attack prevention

Scan mailboxes on a routine basis and remove malware. This will provide malware protection for messages received before the attachment or sender was determined to be dangerous.

Sources

NIST https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-45ver2.pdf
KC https://www.alienvault.com/blogs/security-essentials/basic-best-practices-for-configuring-email-servers (by Kim Crawley)

Echo in Ramadi: The Firsthand Story of US Marines in Iraq’s Deadliest City

Echo in Ramadi: The Firsthand Story of US Marines in Iraq’s Deadliest City by Scott A. Huesing

Echo In Ramadi details the hell on earth faced by Echo Company, Second Battalion, Fourth Marine Regiment during 2006.  This book is very dear to me as this was my brother’s (Cpl Dustin J Libby) final tour.  Read more