Monday, August 31, 2009

Am I to the dark side of the force?

The other day I was talking with a friend of mine about my current job. When I told him I was currently working in the french IT Security dept of the Redmond firm, he suddenly told me "ouch, you now belong to the dark side of the force".

Let us face it: today's IT students are really close-minded when it comes about operating systems! Because three days after, another friend of mine gave me kind of the same speech about the differences between windows and linux, thinking he was teaching me what is a unix. You just have to know that I have been using linux and windows - for nearly 7 years for the first one, and 15 years for the second one- to imagine how it is embarassing when people tell you "you know, it is really better, more secure..." (I just cut the classic arguments in favor of linux, because hearing the same -wrong- ideas over and over is starting to make me feel nautious).

The day after, one of my co-worker -who used to be an IT architecture teacher- told me "today's students do not know anything about Windows. They just conceive it as a software they download and use illegally. Furthermore they do not have any idea about what is an Active Directory domain controller, meanwhile they are used to the bash shell!"

It just makes me wonder: Would it be their teachers' fault?

I am using a Macbook Pro and a Windows laptop every day. I have 4 servers in my hometown, several of them running debian linux. To sum up, I know enought about the differences between these OS architecture and user experience to be able to judge them. So let us face it: Linux is far from being perfect, so is Windows, so is Mac OS. They are just different.

They all have they pros and contras, but let us just focus on the IT security field. A report published during the first half of 2008 indicated that vulnerabilities found in Mac OS X 10.5 -on that same period of time- were more than 5 times more important than the ones found for Windows Vista during the same period and using the same criterias!

Finally I was just wondering: if Windows would be so bad, why would 90% of the computer client market be hosting that OS?

Thursday, August 20, 2009

Would you like to have a NAP?

In our days, we experience more and more deeply the following feeling: we need to be permanently connected to everything. It is surfing over the Internet, reading work emails at home, or even accessing an intranet during a trip. Let us assume that you are an IT administrator. On one hand you have to open more and more gates - for the users to be able to use these services - however on the other hand you have to face complex and sophisticated threats.

This dilemna already led us to a point where the firewall on the internal gateway is not enough. Just think about the following laptop scenario. The user has a remote VPN access thanks to which he is able to connect to the corporation intranet. Then the laptop gets infected. Since most of IT network administrators currently define network policy by topology, the laptop has a full network access and therefore is able infect other computers in the domain. And this is mainly because it is connected to the VPN, which is bypassing the firewall, as shown on this picture.

We do have a REAL PROBLEM: how to enforce the network security regardless of the location of the computer?

And here comes Microsoft's answer: NAP and UAG. (altough I will only blog about NAP in this post).

You probably already guessed it, NAP actually stands for Network Access Protection. This technology - also called the "network health layer" - aims at providing a controlled network access regarding of the "Health State" of the computers. Depending of its health status (a parameter defined by the administrator, regarding to rules like "the client firewall is on", "the client antivirus has the latests available definitions", "all important and critical windows security updates have been made"), it will have a full or limited network access.

In case of restricted access, we can define "remediations servers". A client with limited access will still be able to communicate with these servers (for instance in order to install updates via Windows Server Update Services, Windows Update, or the antivirus definitions websites). The goal is to fix the health state of that computer for it to be healthy, and then be able to access the full network.

There are 5 methods to enforce the network access: DHCP, VPN, 802.1x, IPSec or TS.

In a future post, we will study more precisely this mechanism, and especially analize some possible hacks of a Network Access Protection infrastructure.

If you are interested in knowing more about Network Access Protection, just check the previous link on technet.

Wednesday, August 12, 2009

Big BROWSER is watching you!

As the world goes on, so does the technological control on our lives. We constantly have less and less privacy because of technology "improvements". Since a several years, locating quite precisely a person only thanks to its relative gsm position is a reality, and best of breed our ISP are now forced to reveal PII (Private Identity Information) about any Internet user they serve!

IPRED in Sweden, Hadopi in France,... thinking that using the Internet anonymously is belonging each day more to a dream world than to the reality. As a protest act, set up an anonymous proxy. Called IPredator, this service allows users to connect via a classic PPTP VPN connection, and then surf anonymously only by paying a pay a tiny monthly fee (something like 7$/month). A smart way to fight - at their scale - for more privacy over the Internet, but I really do wonder if anyone is able to fight against the pressure of worldwide corporations owning dozen of thousand of digital media copyrights.

Because actually the jungle rule does still applies...

Monday, August 10, 2009

Club-Internet or the bad Wireless student..

Club-Internet, a french ISP - currently owned by Neuf Telecom which is itself currently owned by SFR (french Vodafone) - sold a lot of TECOM wireless Access Points.

On most of Hitachi and Tecom AP, the default WEP key is a result of a SHA-1 hash of the WEP SSID! The ISP offers a windows utility "WEPTool.exe" to compute this function and get the default WEP key: WEPTool website

That is why it is even easier to access these kind of wireless network than cracking the corresponding WEP network (with tools like aircrack)!!

Altough it could lead to a "simple" installation for a newbie, it seems like a huge security issue on the default configuration.

Sunday, August 9, 2009

The quieter you become the more you can hear.

As the first ticket on this IT security related blog, I would like you to think about this quote from Mr Baba Ram Dass, a spiritual teacher from Boston, USA.

"The quieter you become, the more you can hear" is a general assumption that could very well be applied to the field of IT related security.

Think twice about it:
- wireless hackers who put their cards in monitoring mode to check for network characteristics, and then perform an appropriate attack
- information stealing malware which create an https tunnel to send found information while the common firewall will think of a legitimate web browsing