
Securing a host

Matsuzaki 'maz' Yoshinobu <[email protected]>

Hardening a host

• Differs per operating system
  • Windows: users cannot be trusted to make security related decisions in almost all cases
  • OS X: make things work magically for users. Try to handle security issues in the background
  • Linux: varies by distribution:
    • Ubuntu: try, like OS X, to make things just work.
    • Red Hat: include very useful tools, but turned off by default
  • BSD: users will figure it out
• Changes with time

General consideration

• Define a personal usage profile and policy.
  • What hardware do you use?
  • What software tasks do you do on your computer?
  • Do the first two change when you travel?
  • What habits from the above two do you need to change to be more secure?
• Decide if you really need VPN access to your network while travelling.

General practices

• Install only the services and software you actually need.
• Uninstall or disable all software and services you do not use or need.
• Periodically and actively scan your machine for vulnerabilities.
• Have as few user accounts on your systems as possible.
• Protect your administrative account. Have a strong password, do not permit remote password based logins, and do not log in as an administrator unless you need to do an administrative task.

Hardware

• Rule 1: all bets are off with physical access to your devices.
• Consider removing hardware you never use, say Bluetooth.
• Disable in BIOS or EFI, or in your operating system, the hardware or features you cannot remove physically:
  • wake on LAN
  • Bluetooth discoverability
  • USB ports?
• BIOS passwords are not that useful.
• BIOS level encryption/locking of hard disks may not be portable.

OS Hardening: General

• Install only the services and software you actually need.
• Uninstall or disable all software and services you do not use or need.
• Periodically and actively scan your machine for vulnerabilities.
• Have as few user accounts on your systems as possible.
• Protect your administrative account. Have a strong password, do not permit remote password based logins, and do not log in as an administrator unless you need to do an administrative task.

OS Hardening: Windows

• Consider an Ubuntu installation CD.
• Multiple Windows editions within a single version make this very difficult.
• Some security features and tools are only available in the Professional/Ultimate/Enterprise editions of Windows 7/8/10: get licenses for these on your enterprise network.
• Install an antivirus application.
• Disable unneeded accounts.
  • May need to use the net command on "low" editions of Windows.

• Edit the security policy for Windows:
  • Enable access to the registry editor
  • Disable built-in accounts
  • Disable hiding of file extensions
• Install an antivirus application.
• Disable the services that are running by default in Windows.
  • Difficult to do properly with the Starter editions of Windows.

OS Hardening: Linux

• Available features differ by distribution.
• Use as few different distributions in your environment as possible.
• Some distributions have optional scripts to "harden" your system, e.g. SuSE, Red Hat.
• When possible, run installations with machines offline until you are ready to run updates.

• The UNIX security model is based on permissions; ensure they are sane:
  • Check for SUID/SGID applications.
  • Some distros will include a nightly check for such applications.
  • Many distros have permission profiles that range from permissive to paranoid, which essentially limit or permit people from/to running particular applications or accessing particular files like logs.
  • Run the periodic scripts that reset these permissions.

• Sandbox applications where necessary using chroot.
• SELinux gives comprehensive system access control.
• AppArmor for role based application protection.
• For servers, consider recompiling kernels with support for only the drivers you need.
  • Most drivers today are loadable modules, so you can also delete the ones you do not need.

• For servers, always pick the "minimal" installation to ensure as few packages as possible end up on the system by default.
• Use system tools to disable services that are required by other packages but do not need to be running. E.g. some packages will not install if you do not have an SMTP server.

• Periodic security checks:
  • Checksums of system files kept offline and checked against the running system
    • tripwire
    • fcheck
  • Periodic scans of the system
    • nmap
    • OpenVAS
  • Realtime checks
    • incrond / inotify: kernel feature to notify you as soon as a specified watchlist of inodes is changed.
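An added example, not from the slides and not code from tripwire or fcheck: a minimal Python baseline-and-compare check that does in outline what those tools do (record the mode bits and SHA-256 digest of every regular file under a root, then report added, removed and changed files) and also flags files that have gained a SUID/SGID bit, which covers the SUID/SGID check from the earlier slide. The `root` and the baseline dict are the only inputs; the baseline is what you would keep offline.

```python
# Added example (not from the slides, nor tripwire/fcheck code): record mode
# bits and SHA-256 of every regular file under a root, then diff the live
# tree against that baseline and flag any file that gained SUID/SGID.
import hashlib
import os
import stat

SUID_SGID = stat.S_ISUID | stat.S_ISGID


def sha256_of(path, chunk=1 << 20):
    """Stream the file in 1 MiB chunks so large binaries do not fill RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (relative path) to its mode bits and digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and device nodes
            baseline[os.path.relpath(path, root)] = {
                "mode": stat.S_IMODE(st.st_mode),
                "sha256": sha256_of(path),
            }
    return baseline


def compare(root, baseline):
    """Diff the live tree against a saved (ideally offline) baseline."""
    current = build_baseline(root)
    report = {"added": [], "removed": [], "changed": [], "new_setuid": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
        elif new is None:
            report["removed"].append(rel)
        elif old != new:  # digest or mode differs
            report["changed"].append(rel)
        # A freshly set SUID/SGID bit deserves its own alarm
        was_set = old is not None and old["mode"] & SUID_SGID
        if new is not None and new["mode"] & SUID_SGID and not was_set:
            report["new_setuid"].append(rel)
    return report
```

Run build_baseline() on a freshly installed host, store the result off-box, and run compare() from cron; anything in the report that does not match a package update you made yourself deserves a look.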

OS Hardening: Mac OS X

• Similar to Linux and FreeBSD.
• Read and understand the security guides at http://www.apple.com/support/security/guides/ (only for Snow Leopard).
• Edit preferences for Safari to disable unsafe defaults like automatically launching "safe" files after downloading.

• Disable unused services.
  • Some need to be disabled from the command line or by editing plist files.
  • File sharing is on by default.
  • Consider disabling Bonjour, Apple's implementation of zeroconf.
• Be picky about installation sources for applications: if it's in the application store, use that version.

Software Management

Software management: general

• Use the system package manager to install third party software where available.
• Install as few software packages on hosts as possible.
• Uninstall as much of the software that comes by default on operating systems as possible.
• Subscribe to, at minimum, the -announce mailing list of every piece of server software you run.
• Consider the versions you want to use and upgrade to. Latest ≠ greatest.

Software management: Windows

• Keep all software up to date, automatically where possible for your personal system.
  • Consider the implications for your 3G data plan.
• Use a software update server for enterprises.
• If using Active Directory, then use policies to push out software updates for third party applications to all users, as well as enterprise antivirus software.
  • Consider the implications when someone signs on remotely.

• Most software distribution is binary only, so there is no way to do incremental updates.
• Avoid cracked software: besides the legal issues involved, you have no way to verify the integrity of the applications you are installing.
• Consider open source equivalents where available instead.

Software management: Linux

• Where possible, use the system's package manager to install software.
• Learn how to compile applications from source: sometimes security patches are distributed as source code.
• Huge numbers of computers require certain considerations to save enterprise bandwidth:
  • Centralized software caches/mirrors
  • Puppet to manage software versions on different machines

Software management: OS X

• More similar to Linux than Windows.
• In particular, OS X Server is dead: use Puppet instead to manage large numbers of OS X machines on a network.
• Install package managers for third party OSS: MacPorts or Fink or Homebrew.
• Run updaters for periodic updates of anything you install.

• Check the application store: it comes with some level of code assurance and a free automated software update service.
• Carefully consider the version(s) of OS X you run:
  • Third party support means the latest version may not be so great, e.g. dynamips on ML.
  • Old versions soon stop getting updates of other software, e.g. Java on SL.

Antivirus

Malware

• The generic term for computer viruses, worms, spyware and other malicious software.
• A skilled attacker can make it; a fun attacker can use it.
  • There are even malware build tools with a GUI.

Infection

• Attackers try to infect your devices in many ways:
  • Security holes, e-mail, web
  • USB memory, file servers

Causes

• Vulnerability
  • 0-day security holes
  • Old security holes are still used to infect
• Auto-execution for removable media
  • USB memory, CD loading
• Users carelessly open
  • infected files
  • sometimes they happen to execute malware

Detection

• Signature-based detection
  • blacklist of malware
  • check a file against the signatures
  • updates needed to detect newer malware
• Heuristic detection
  • behavior, characteristic code

Where and when?

[Diagram: malware can be checked at the e-mail server, the file server, the web proxy and the client. The client is the final target.]

Hiding

• Attackers modify malware
  • so as not to be detected by anti-virus detectors
  • they can check this locally
• Updating your signature DB is needed.

Fake security software

• Does nothing, or is itself malware
• Also known as 'scareware'

Compromised system

• Any file on the system is already suspicious.
• You may be able to remove a malware
  • but there could be another one that you cannot detect.

Wipe

• Don't use files from the compromised system
  • programs
  • documents
  • images
• Clean up the storage that was connected to the system
  • HDD
  • SSD
  • flash memory

How can we rescue information from suspicious data files?

• Convert it into another format
  • png -> jpg, jpg -> png
  • doc -> txt
  • excel -> csv
  • pdf -> png/jpg
• Infected code cannot survive such a drastic modification.

Wipe to give away

• Data is still there even if it's formatted
  • experts can read the data by using special tools
  • an electron microscope can read more
  • leakage of secret data
• You need to make sure the data is erased
  • # dd if=/dev/urandom of=/dev/<disk> bs=16M

Recover

• 'Clean install' from scratch
  • format the disk, use a proper OS image
• Apply the latest OS patches to be up to date
  • it could be vulnerable before it is patched
  • do the update in a secure network
• Install needed applications
  • check upgrades, of course

Recover (cont.)

• Disable unnecessary services
  • the same as the hardening procedure
• Check configurations
  • for any weakness
• Change all passwords on the system
  • any password might be stolen

Replacing might be your choice

• Securing the compromised system as is
  • for further investigation
  • malware that stays in memory only
• Just replace the compromised system
  • spare hardware

Backups

• Encryption
• Automation
• Generations

Encryption

• Assume theft and loss.
• Your backups must have at minimum the same encryption level as the source data.

Automation

• We are lazy!
  • Easy to forget
• Automated backup will help you
  • Most systems have scheduled backup

Generations

• You should have a 'good' version of the backup there
  • if a system is compromised, the malware might also be backed up in the archive; you won't want to restore that
  • if something goes wrong by chance, you may restore the previous version
• Find a 'good' version from your archives.

Off-site archives

• 2011 Tohoku earthquake and tsunami
  • flushed away buildings and data centers
  • 4 local governments lost the whole of the data on the family registration system
• They had off-site backups
  • took about 1 month to recover though
  • wanted to make sure nothing was missed

email

Securing email

• Do not use POP, it is in the clear
• Use POP3S, port 995 over TLS
• Do not use IMAP, it is in the clear
• Use IMAPS, port 993 over TLS
• Do not use SMTP for posting, it is in the clear
• Use submission, port 587 over TLS

Authenticate servers

• Assume the wire is tapped
• Assume someone will spoof servers
• Know your servers' root certificates
• Confirm certificates on configuration
• Choose good passphrases

Encrypt critical emails

• Basically use PGP
  • Enigmail + pgp for Thunderbird
  • Mailvelope for webmail
  • CryptUp for Gmail
    • https://cryptup.org/

ssh and email

ssh tunnel & email

[Diagram: MacBook --(ssh tunnel)--> ssh.server (step host) --(POP3S/SMTPS)--> smtp.server, pops.server. Each -L option names the port on the MacBook and the tunnel end point.]

$ ssh <ssh.server> -L 4465:<smtp.server>:465
$ ssh <ssh.server> -L 9955:<pops.server>:995

Example: LocalForward

.ssh/config:

  Host mail
    HostName <step.host>
    LocalForward 4465 <smtp.server>:465
    LocalForward 9995 <pops.server>:995

$ ssh mail

Example: step host

.ssh/config:

  Host stephost
    HostName <step.host>

  Host internal
    HostName <internal.ssh.server>
    ProxyCommand ssh -W %h:%p stephost

$ ssh internal

web browsing

Browsers

• Microsoft Internet Explorer
• Microsoft Edge
• Safari
• Chrome
• Firefox

Let browsers remember passwords

• Only if you use full disk encryption
• Only if your laptop locks quickly
• Lose your laptop and lose your bank account
• Or, use other password managers
  • 1Password, LastPass, gpg text file

You are traced

Useful Plug-ins

• NoScript Security Suite
  • Allow active content to run only from sites you trust, and protect yourself against XSS and clickjacking attacks
• Lightbeam
  • A Firefox add-on that enables you to see the first and third party sites you interact with on the Web

Private or Secret mode

• The browser will erase data after your browsing
  • cookies, histories, cache files, passwords
• Useful on a shared device
• It doesn't provide anonymity

Basic Features of Google Search

• Automatic "AND" queries
  • By default, Google only returns pages that include all of your search terms.
  • There is no need to include "AND" between terms.
• Automatic exclusion of common words
  • Google ignores common words and characters such as and, or, in, of, be etc., as well as certain single digits and single letters, because they tend to slow down your search without improving the results. Google will indicate if a common word has been excluded by displaying details on the results page below the search box.

• Capitalization
  • Google searches are NOT case sensitive. For example, searches for "APNIC", "Apnic" and "apnic" will all retrieve the same results.
• Spell checker
  • Google's spell checking software automatically looks at your query to see if you are using the most common version of a word's spelling. If it is likely that an alternative spelling would retrieve more relevant results, it will ask "Did you mean: (more common spelling)?"

Different Search Operators

• + searches
• - searches
• ~ searches
• Phrase searches
• Domain restrict searches
• Definition searches
• File type searches
• OR searches
• Fill in the blank
• Currency conversion
• Calculator function
• Unit conversion
• Time check

Advanced Operators

• Google advanced operators help refine searches.
• They are included as part of a standard Google query.
• Advanced operators use a syntax such as the following:

  operator:search_term

• There's no space between the operator, the colon, and the search term!

Advanced Operators at a Glance

Operator    Purpose
intitle     Search page title
allintitle  Search page title
inurl       Search URL
allinurl    Search URL
filetype    Search specific files
allintext   Search text of page only
site        Search specific site
link        Search for links to pages
inanchor    Search link anchor text
numrange    Locate number
daterange   Search in date range
author      Group author search
group       Group name search
insubject   Group subject search
msgid       Group msgid search

Advanced Google Searching

Some operators search overlapping areas. Consider site, inurl and filetype.

Exercise:

• Find web servers of your organization
• Any admin login page available?
• Any .doc file which contains the word "Confidential" under your domain names?