Showing posts with label Security. Show all posts
Showing posts with label Security. Show all posts

Saturday, April 14, 2018

Kali Virtual Appliance Installation and Usage

Kali Linux is the world’s most powerful and popular penetration testing platform, used by security professionals in a wide range of specializations, including penetration testing, forensics, reverse engineering, and vulnerability assessment. It is the culmination of years of refinement and the result of a continuous evolution of the platform, from WHoppiX to WHAX, to BackTrack, and now to a complete penetration testing framework leveraging many features of Debian GNU/Linux and the vibrant open source community worldwide.

Kali Linux has not been built to be a simple collection of tools, but rather a flexible framework that professional penetration testers, security enthusiasts, students, and amateurs can customize to fit their specific needs.
1. Installation Kali Virtual Appliance


Thursday, February 22, 2018

Installation and Configuration of Sophos Enterprise Console 5.1 in your Networks - 2. Configuration

Continue with previous post "Installation and Configuration of Sophos Enterprise Console 5.1 in your Networks - 1. Installation"


Steps: 
After the installation of the Sophos Enterprise Console you had logged off.
Now you logged in and the Console starts automatically.
This Windows will appear:


image001


Installation and Configuration of Sophos Enterprise Console 5.1 in your Networks - 1. Installation

This post is a detail documentation how to install Sophos Enterprise Console 5.1 in your networks.


Pre-Requirements:
  1. copy the Sophos Enterprise Console to the Server (ProdInstall\Sophos\Sophos Console\sec_5.1.exe)
  2. check if you are able to connect to the infrastructure server like this: http://IP Server:8085
  3. A webpage like this should be shown to you:



Tuesday, February 20, 2018

OWASP Top 10 (2010, 2013, 2017)

The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to providing unbiased, practical information about application security. 
The OWASP Top 10 Web Application Security Risks was created  in 2010, 2013 and  2017 to provide guidance to developers and security professionals on the most critical vulnerabilities that are commonly found in web applications, which are also easy to exploit. These 10 application risks are dangerous because they may allow attackers to plant malware, steal data, or completely take over your computers or web servers.
Meeting OWASP Compliance Standards usually is the First Step Toward Secure Code.


Tuesday, February 6, 2018

Gartner Magic Quadrant for Endpoint Protection Platforms (2018,2017,2016,2015)

Research firm Gartner defines the Endpoint Protection Platform (EPP) market as one with offerings that "provide a collection of security capabilities to protect PCs, smartphones and tablets," which it said could include anti-malware, personal firewall, port and device control, and more.

The endpoint protection platform provides a collection of security capabilities to protect PCs, smartphones and tablets. Buyers of endpoint protection should investigate the quality of protection capabilities, the depth and breadth of features, and the ease of administration. The enterprise endpoint protection platform (EPP) is an integrated solution that has the following capabilities: anti-malware, personal firewall, port and device control. EPP solutions will also often include: vulnerability assessment, application control and application sandboxing, enterprise mobility management (EMM), typically in a parallel nonintegrated product, memory protection, behavioral monitoring of application code, endpoint detection and remediation technology full-disk and file encryption, also known as mobile data protection, endpoint data loss prevention (DLP).

2018

Symantec , Sophos and Trend Micro are in leaders quadrant. ESET is in Challengers.



Thursday, December 7, 2017

Cisco IOS Internet Key Exchange version 1 (IKEv1) Vulnerability and Fix

Cisco IKEv1 is still popular in VPN configuration. Most of my vpn configuration is based on IKE v1 although there are more demands for v2.  I had a post "Cisco Router IKE v2 Site to Site IPSec VPN Configuration" to quickly show what the difference is between v1 and v2, and how to do v2 configuration.  Recently some vulnerabilities scan tools raised a red flag to my IKE v1 configuration.

Symptoms 

There is IKE v1 vulnerability found and it lists severity level high.


Monday, July 24, 2017

Gartner Magic Quadrant for Enterprise Network Firewall (2017, 2016, 2015, 2014, 2013, 2011, 2010)

Based on Gartner's definition, the enterprise network firewall
" is composed primarily of purpose-built appliances for securing enterprise corporate networks. Products must be able to support single-enterprise firewall deployments and large and/or complex deployments, including branch offices, multitiered demilitarized zones (DMZs) and, increasingly, the option to include virtual versions for the data center. Customers should also have the option to deploy versions within Amazon Web Services (AWS) and Microsoft Azure public cloud environments. These products are accompanied by highly scalable (and granular) management and reporting consoles, and there is a range of offerings to support the network edge, the data center, branch offices and deployments within virtualized servers and the public cloud. "

Here is the difference from UTM appliance, which  UTM approaches are suitable for small or midsize businesses (SMBs), but not for the remainder of the enterprise market.

2017 Gartner Magic Quadrant for Enterprise Network Firewalls



2017 Gartner Magic Quadrant for Enterprise Network Firewalls

Gartner Magic Quadrant for Unified Threat Management (2017, 2016, 2015, 2014, 2013, 2012, 2010,...)

Gartner defines the unified threat management (UTM) market as multifunction network security products used by small or midsize businesses (SMBs) (< 1000 employees).

2017 Gartner Magic Quadrant for Unified Threat Management (SMB Multifunction Firewalls)

Not much changes from 2016.

Sunday, April 17, 2016

Real-Time Cyber Attack Threat Map

More and more security companies use a webpage to show their monitored global security events such as the  Live Status of Cyber Attacks being launched from where and who is the target of that attack. It is become interesting by watching those websites. Actually those are not games but actually happening globally.


1.  Kaspersky CYBERTHREAT REAL-TIME MAP



Sunday, March 20, 2016

Ransomware Locked Files on My Test Machine

One of my test machines which I am using to download and test software from Internet was hit by Ransomware recently.

Check out what it did to my machine.

In most computer folders including c driver and d driver, even on the desktop, there are three following files which obviously is from hackers who is asking for money to decrypt your files.:
  • +REcovER+gdqvd+.txt
  • +REcovER+gdqvd+.html
  • +REcovER+gdqvd+.png
 

Tuesday, March 8, 2016

How Firewalls (Security Gateways) Handle the Packets? (Traffic Flow)






Different firewall (security gateway) vendor has different solution to handle the passing traffic. This post compiles some useful Internet posts that interpret major vendors' solutions including:
1. Checkpoint
2. Palo Alto
3. Fortigate
4. Cisco
5. Juniper
6. F5



1. Checkpoint Firewall Packets Flow:

Here is official Check Point R77 Packet Flow Diagram from sk116255 updated April 2017:


Note: Checkpoint can define destination NAT happens at client side (default) or server side. Source NAT always at outbound, and ACL is checked before NAT. More details are on SK85460

Monday, February 8, 2016

Gartner Magic Quadrant for Mobile Data Protection (2015, 2014, 2013, 2012, 2011..., 2006)

According to Gartner, "Mobile Data Protection (MDP) systems and procedures are needed to protect business data privacy, meet regulatory and contractual requirements, and comply with audits." Additionally, "Most companies, even if not in sensitive or regulated industries, recognize that encrypting business data is a best practice."

2015

Magic Quadrant for Mobile Data Protection Solutions 2015

Monday, December 21, 2015

Information Security Tools

I listed some of my favorite and useful Internet websites and IT tools in previous post which has been used in my daily IT life. There are some network security related tools I am also using in my IT life environment. This post is a just summaize for those tools and also I am trying to extend this list to add more later.
PDCA Methodology
  • Benchmarks / Hardening Policies
  • Security/Malware/Vun Scanning
  • Packets Capturing and Analysing Tools
  • TCP/UDP Tools
  • Integrity Check
  • Penetration Test Tools
  • Proxy Software
  • Network Automation Tools
  • Threat Intelligence Tools
  • Encryption Tools
  • Antivirus
  • Firewall Management Tools
  • HoneyPot
  • IP Reputation Lookup
  • Forensic Tools

Thursday, March 26, 2015

Troubleshooting Java HTTPS Security Warning Message

One of our Internal Website is always having a Security Warning message when using Internet Explorer https to it, but this message is not showing when using Google Chrome.

Symptoms:

As following screenshot shows, a pop-up window will ask you "Do you want to Continue? The connection to this website is untrusted".
 Click More Information link:
 The Warning message will warm you a Risk;

Monday, February 2, 2015

CVE-2015-0235: GHOST - A Critical Vulnerability in the Glibc Library


GHOST is a 'buffer overflow' bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. If a remote attacker can make an application call to gethostbyname() or gethostbyname2(), this vulnerability allows the remote attacker to execute arbitrary code with the permissions of the user running the application.

GHOST was originally published by Red Hat as CVE-2015-0235: https://access.redhat.com/articles/1332213


1. Check Point Response to CVE-2015-0235 (glibc - GHOST)

Solution ID: sk104443
Severity: Low

IPS Protection: 

Check Point released "GNU C Library gethostbyname Buffer Overflow" IPS protection that protects customer environments.
This protection is part of the Recommended_Protection profile. It enables organizations to add a layer of protection to their network while updating their systems with vendor-provided patches.

OS Level Protection: 


  • IPSO OS is not vulnerable.
  • While Check Point Gaia and SecurePlatform operating systems may be susceptible to CVE-2015-0235, there are no known exploits to Check Point software.


Hotfix Packages

Hotfix packages are available for R77.20R77.10R77R76,  and R75.47
R77.20R77.10R77R76R75.47
Gaia
SecurePlatform

2. Juniper: 2015-01 Out of Cycle Security Bulletin: GHOST glibc gethostbyname() buffer overflow vulnerability (CVE-2015-0235)

Vulnerable Products


  • Junos Space
  • CTPView
  • CTP
  • IDP-SA
  • SRC
  • NSM Appliance
  • JSA and STRM Series

SOLUTION:


  • Junos Space: PR 1060102 has been logged to resolve this issue.
  • IDP-SA: PR 1060071 has been logged to resolve this issue in IDP-OS.
  • CTPView: PR 1060060 has been logged to resolve this issue in CTPView.
  • CTP: PR 1060352 has been logged to resolve this issue in CTP-OS.
  • SRC: PR 1060350 has been logged to resolve this issue.
  • NSM Appliance: PR 1059948 has been logged to resolve this issue.
  • QFabric Director: gethostbyname() functions are used internally, but DNS name resolution is not supplied as a service on external ports.
  • Firefly Host/vGW: The C/C++ based daemon running on the vGW/FFH Security VM agent is not exploitable. Also, the vGW/FFH management system (SD VM) is Java based (Apache Java application server) is not applicable.
  • JSA and STRM: A fix is pending release.
  • IDP Anomaly: The IDP anomaly ​SMTP:OVERFLOW:COMMAND-LINE should cover the known SMTP variant of this vulnerability. For easy attack lookup, the Signatures team has linked CVE-2015-0235 as a reference to this anomaly and also made it part of the recommended policy. All these changes will be reflected in the next signature pack which is scheduled to release on 29-Jan-2015 at 12:00 PST.

WORKAROUND: General Mitigation:

The affected gethostbyname() functions are primarily called in response to references to DNS host names and addresses from the CLI or via services listening on the device.  ​Apply and maintain good security best current practices (BCPs) to limit the exploitable attack surface of critical infrastructure networking equipment.  Use access lists or firewall filters to limit access to networking equipment only from trusted, administrative networks or hosts.  This reduces the risk of remote malicious exploitation of the GHOST vulnerability.

3. Cisco : GNU glibc gethostbyname Function Buffer Overflow Vulnerability

Advisory ID: cisco-sa-20150128-ghost:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost

Workarounds: 

There are currently no network-based mitigations for this vulnerability or any mitigations that can be performed directly on affected systems.

Sunday, October 19, 2014

Poodle : New SSL 3.0 Bug (CVE-2014-3566)

Oct 14 2014, this bug CVE_2014-3566 has been found as a subtle but significant security weakness in version 3 of the SSL protocol. Severity level is Medium. Basically this vulnerability is not critical as Shellshock and Heartbleed

The vendors's Recommendations: 

1. Check Point response to the POODLE Bites vulnerability (CVE-2014-3566)

a. Check Point Customers

  • Check Point products are not vulnerable to the “POODLE Bites” vulnerability (CVE-2014-3566). See our Security Alert: sk102989
  • Implement the IPS protection, CPAI-2014-1909, to detect or block the use of SSL 3.0
  • Configure Multi Portal, HTTPS Inspection, and Check Point OS to prevent web browser use of SSL 3.0

b. Non Check Point Customers

  • Use Active Directory Group Policy Objects to disable the use of SSL 3.0
  • Update your browser when a patch is available
  • Disable SSL 3.0 in your clients and servers
  • Test if your browser is vulnerable at www.poodletest.com
  • Test if a particular domain name is vulnerable at www.poodlescan.com

2. Juniper Responding:

a. Junos:

Junos OS will update OpenSSL to add support for SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV) in a future release.

Connect Secure (SA / SSL VPN) / Policy Secure (IC / UAC), MAG Series:
Please refer to Pulse Secure TSB16540 for details on mitigating risk from this vulnerability.

b. ScreenOS:

A problem report has been submitted.  Development is in the process of evaluating the best method to resolve this issue.

c. Junos Space:

Disable SSLv3 by changing the following files.

/etc/httpd/conf.d/webProxy.conf
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.d/webConf/webProxyCertAuth.conf

The following line needs to be updated to remove references to SSLv3:

Original:
SSLProtocol -ALL +SSLv3 +TLSv1

Updated:
SSLProtocol -ALL +TLSv1

Restart httpd by typing 'service httpd restart'.

A future release of Junos Space will disable SSLv3 by default.

d. STRM/JSA Series:

Development is working on a patch to resolve this issue.

e. NSM3000/NSMXpress:

Edit /etc/httpd/conf/ssl.conf and change the SSLProtocol entry to:
SSLProtocol all -SSLv2 -SSLv3

f. IDP Signature:

Juniper has released signature SSL:AUDIT:SSL-V3-TRAFFIC in Sigpack 2430 to detect SSLv3 traffic.

3. Cisco Event Response: POODLE Vulnerability:

Details are in Cisco Page : 

 Vulnerable Products

Customers interested in tracking the progress of any of the following bugs can visit the Cisco Bug Search Tool to view the defect details and optionally select Save Bug and activate the Email Notification feature to receive automatic notifications when the bug is updated.

Products and services listed in the subsections below have had their exposure to this vulnerability confirmed. Additional products will be added to these sections as the investigation continues.
Collaboration and Social Media
Endpoint Clients and Client Software
Network Application, Service, and Acceleration
  • Cisco ACE 4710 Application Control Engine (A5) [CSCur27691]
  • Cisco ACE10 / ACE20 / 4710 (A3x) [CSCur27985]
  • Cisco ACE30 Application Control Engine Module [CSCur23683]
  • Cisco CSS 11500 Series Content Security Switch [CSCur27999]
Network and Content Security Devices
  • Cisco Adaptive Security Appliance (ASA) Software [CSCur23709]
  • Cisco Email Security Appliance (ESA) [CSCur27131]
  • Cisco Intrusion Prevention System Solutions (IPS) [CSCur29000]
  • Cisco Prime Security Manager (PRSM) [CSCur29172]
Network Management and Provisioning
Routing and Switching - Enterprise and Service Provider
  • Cisco Application Policy Infrastructure Controller (ACI/APIC) [CSCur28110]
  • Cisco IOS and Cisco IOS-XE (IOSd only) [CSCur23656]
  • Cisco Nexus 3000 Series Switches [CSCur28178]
  • Cisco Nexus 9000 (ACI/Fabric Switch) [CSCur28114]
  • Cisco Nexus 9000 Series (standalone, running NxOS) [CSCur28092]
Unified Computing
Voice and Unified Communications Devices
  • Cisco IM and Presence Service (CUPS) [CSCur33203]
  • Cisco Unified Communications Manager (CUCM) [CSCur23720]
Video, Streaming, TelePresence, and Transcoding Devices
  • Cisco TelePresence Advanced Media Gateway 3610 [CSCur33286]
  • Cisco TelePresence IP Gateway Series [CSCur33289]
  • Cisco TelePresence IP VCR Series [CSCur33294]
  • Cisco TelePresence ISDN Gateway [CSCur33282]
  • Cisco TelePresence MCU (8510, 8420, 4200, 4500 and 5300) [CSCur33260]
  • Cisco TelePresence MSE 8050 Supervisor [CSCur33267]
  • Cisco TelePresence Serial Gateway Series [CSCur33297]
  • Cisco TelePresence Server 8710, 7010 [CSCur33274]
  • Cisco TelePresence Server on Multiparty Media 310, 320 [CSCur33274]
  • Cisco TelePresence Server on Virtual Machine [CSCur33274]
  • Cisco TelePresence Video Communication Server [CSCur23698]
Wireless
  • Cisco Wireless LAN Controller (WLC) [CSCur27551]
Cisco Hosted Services

4. Other Vendors

Apple has released a security update at the following link:Security Update 2014-005

Asterisk has released a security advisory at the following link:AST-2014-011

BlackBerry has released a security notice at the following link: KB36397

FreeBSD has released a VuXML document at the following link: OpenSSL -- multiple vulnerabilities


Microsoft has released a security advisory at the following link: 3009008

OpenSSL has released a security advisory at the following link: secadv_20141015

Oracle has released a security advisory at the following link:Cryptographic Issues vulnerability

Red Hat has released a CVE statement and security advisories for bug ID 1152789 at the following links: CVE-2014-3566RHSA-2014:1653, and RHSA-2014:1652


References:

a.  Check Point response to the POODLE Bites vulnerability (CVE-2014-3566)

Friday, September 26, 2014

Shellshock (Bash Computer Bug) Exploited - Responding from Venders


Heartbleed Extension Vulnerability caused lots of worries for Internet system. The affects still do not go away and now Shellshock coming.  This latest vulnerability affects the command line software Bash operating at Linux , Unix and Mac OS X.


Vendors have been posting the patches and suggestions on their websites already. Here is some quick collections for my environment.


1. Checkpoint's Responding:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102673

2. Cisco's Responding: 

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash

3. Juniper's Responding:

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648&actp=RSS

4. Vmware:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2090740


Note: How it happened? (from Symantec)

An attacker can potentially use CGI to send a malformed environment variable to a vulnerable Web server. Because the server uses Bash to interpret the variable, it will also run any malicious command tacked-on to it.

Thursday, May 1, 2014

Reset SonicWall NSA 4500 to Factory Default Configuration

SonicWall NSA 4500 is Next-Generation Firewall features integrate intrusion prevention, gateway
anti-virus, anti-spyware and URL filtering with application intelligence and control, and SSL decryption to
block threats from entering the network and provide granular application control without compromising performance.

Here is the steps to reset SonicWall to factory default configuration:

SonicWALL security appliance has a special SafeMode which allows you to quickly recover from uncertain configuration states with a simplified management interface that includes the same settings available on the System > Settings page.

Step 1. 

Connect your management station to a LAN port (NSA 4500 is X0 port) on the SonicWALL security appliance and configure you management workstation IP address to 192.168.168.20/24.


Step 2. 

Use a narrow, straight object, like a straightened paper clip or a toothpick, to press and hold the reset button on the back of the security appliance for five to ten seconds. The reset button is in a small hole next to the console port or next to the power supply, depending on your SonicWALL security appliance model. 
The Test light starts blinking when the SonicWALL security appliance has rebooted into SafeMode.

Step 3. 

Connect to the SonicWALL management interface: Point the Web browser on your Workstation to 192.168.168.168. The SafeMode management interface displays. Choose Current firmware with Factory Default Settings and boot device.


Step 4. 

After system rebooted and came back online, using browser navigator to http://192.168.168.168 and log into authentication page with following default username/password based on your SonicWall device model:
The following list provides the factory default administrator (admin) username, password and IP address for all categories of SonicWALL appliances.
 NOTE: All IP addresses listed are in the 255.255.255.0 subnet mask.
Product
Default Username
Default Password
Default IP Address
SonicWALL FIREWALL (UTM) APPLIANCES
admin
password
192.168.168.168
SonicWALL CONTENT SECURITY MANAGER (CSM) APPLIANCES
admin
password
192.168.168.168
SonicWALL SMB SSL-VPN APPLIANCES
admin
password
192.168.200.1
SonicWALL Aventail EX Series SSL-VPN Appliances
admin (AMC), 
root (CLI)
Defined during 
initial configuration.
192.168.0.10 
(on internal interface)
SonicWALL  EMAIL SECURITY APPLIANCES
admin
password
192.168.168.169
SonicWALL CONTINUOUS DATA PROTECTION (CDP) APPLIANCES
admin
password
192.168.168.169
SonicWALL SonicPoint appliance
admin
password
192.168.1.20

Step 5. 

Check the default configuration.









Tuesday, September 10, 2013

PKI Basic Flow Chart

PKI = Public Key  Infrastructure(公钥基础设施)
 
基础设施:
就是一个普适性基础,它在一个大环境里起着基本框架的作用,,设施基本原理共通,操作简便,只要遵循基本原则,不同的实体就可以方便地使用基础设施提供的服务。
 
公钥基础设施:
用非对称密码算法原理和技术是实现并提供安全服务的具有通用性的安全基础设施。
 
公钥证书:
用户的身份与之所持有的公钥的结合,在结合之前,由一个可信任的权威机构——认证机构(CA)来证实用户的身份。然后由可信任的CA对该用户身份及对应公钥相结合的证书进行数字签名,用来证明证书的有效性。
 
一个PKI系统主要包括:
认证机构,证书库,密钥备份及恢复系统,证书撤销处理系统,PKI应用接口系统。
 
PKI主要包括四个部分:
X.509格式证书,证书注销列表CRL;
CA/RA操作协议;
CA管理协议;
CA政策制定。
 
 
密钥对产生的两种方式:
 
用户自己产生密钥对,然后将公钥以安全方式传给CA,该过程应保证用户公钥的可检验性和完整性(验证身份的密钥对应先产生)
 
CA替用户产生密钥对,然后将其以安全方式传送给用户,必须保证密钥的机密性,完整性和可检验性。该方式下由于用户的私钥为CA所产生,故对CA的可信性有更高的要求。
 
 
 
证书签发两种方式:
 
离线方式发放:面对面发放,用于企业级高级证书的发放;
在线方式发放:通过Internet使用LDAP(Lightweight Directory Access Protocol ),在i500目录服务器上下载证书。
 
离线方式发放:
 
批准注册---->
RA(审核授权部门)在LDAP目录服务器中添加企业证书申请人的有关信息----->
RA将申请人信息传给CA----->
CA产生一个参照号(一次性密钥)和一个认证码(也称user ID和Password),以电子邮件,或打印在保密信封中传给申请者----->
申请者输入参照号级认证密码,在RA面对面领取证书(存在软盘或IC卡等介质中)。
 
在线方式发放:
个人证书申请者将个人信息写入CA的申请人信息数据库中------>
RA端接收从CA端发放的参照号和认证码,并打印出来,交给申请人----->
证书申请人回到自己的计算机上,登陆网站,通过浏览器安装Root CA证书------>
申请人在网页上按提示填入参照号和授权号,自助式地下载自己的证书
 
下图给出了PKI认证和加密数据的基本流图:


传送过程:
A要给B 发送“我们的五年计划是····”的明文,将不定长的明文用摘要算法计算后变为定长的的摘要,然后用认证私钥对摘要进行签名,再将明文和签名后的摘要用相应的对称密钥(用B的加密公钥对对称密钥进行加密传输)进行加密变为密文。
 
接收过程:
B用自己的加密私钥对对称密钥解密,用得到的对称密钥对密文进行解密,用A的公钥对摘要进行认证,通过认证后,对明文以同样的摘要算法进行摘要计算,如果得到的摘要与A传送过来的摘要一致,则说明明文正确。