chmeee's questions

I've been looking at several data leak/loss prevention suites but, in their documentation, I'm unable to find how they treat HTTPS.

One of the 'leakage vectors' is sending information to webapps through HTTPS. In which case, the only way to detect the leakage would be to decrypt it.

But, to do that, it would have to impersonate the remote server, using fake certificates, like a man in the middle attack. To avoid users being suspicious or complaining, I guess the coroporation needs to insert their certificate as a valid CA on the company owned devices' browsers.

My questions are:

• Has anyone first-hand experience on this kind of scenario? Can you tell us how do you implemented it?
• Am I right or is there another way of managing HTTPS (for example, detecting the data in use at the desktop level with an agent)?

I was watching the funny server type from http://www.reddit.com with curl -I http://www.reddit.com when I guessed that curl -X HEAD http://www.reddit.com would do the same. But, in fact, it doesn't.

I'm curious about why.

This is what I observe running the two commands:

• curl -I: works as expected, outputs the header and exists.

• curl -X HEAD: does not show anything and seems to wait for user input.

But, sniffing with tshark I see the second command actually sends the same HTML query and receives the correct answer, but it does not show it and it doesn't close the connection.

curl -I

0.000000 333.33.33.33 -> 213.248.111.106 TCP 59675 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=47267342 TSER=0 WS=6
0.045392 213.248.111.106 -> 333.33.33.33 TCP http > 59675 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=2552532839 TSER=47267342 WS=1
0.045441 333.33.33.33 -> 213.248.111.106 TCP 59675 > http [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=47267353 TSER=2552532839
0.045623 333.33.33.33 -> 213.248.111.106 HTTP HEAD / HTTP/1.1
0.091665 213.248.111.106 -> 333.33.33.33 TCP http > 59675 [ACK] Seq=1 Ack=155 Win=6432 Len=0 TSV=2552532886 TSER=47267353
0.861782 213.248.111.106 -> 333.33.33.33 HTTP HTTP/1.1 200 OK
0.861830 333.33.33.33 -> 213.248.111.106 TCP 59675 > http [ACK] Seq=155 Ack=321 Win=6912 Len=0 TSV=47267557 TSER=2552533656
0.862127 333.33.33.33 -> 213.248.111.106 TCP 59675 > http [FIN, ACK] Seq=155 Ack=321 Win=6912 Len=0 TSV=47267557 TSER=2552533656
0.910810 213.248.111.106 -> 333.33.33.33 TCP http > 59675 [FIN, ACK] Seq=321 Ack=156 Win=6432 Len=0 TSV=2552533705 TSER=47267557
0.910880 333.33.33.33 -> 213.248.111.106 TCP 59675 > http [ACK] Seq=156 Ack=322 Win=6912 Len=0 TSV=47267570 TSER=2552533705

curl -X HEAD

34.106389 333.33.33.33 -> 213.248.111.90 TCP 51690 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=47275868 TSER=0 WS=6
34.149507 213.248.111.90 -> 333.33.33.33 TCP http > 51690 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=3920268348 TSER=47275868 WS=1
34.149560 333.33.33.33 -> 213.248.111.90 TCP 51690 > http [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=47275879 TSER=3920268348
34.149646 333.33.33.33 -> 213.248.111.90 HTTP HEAD / HTTP/1.1
34.191484 213.248.111.90 -> 333.33.33.33 TCP http > 51690 [ACK] Seq=1 Ack=155 Win=6432 Len=0 TSV=3920268390 TSER=47275879
34.192657 213.248.111.90 -> 333.33.33.33 TCP [TCP Dup ACK 15#1] http > 51690 [ACK] Seq=1 Ack=155 Win=6432 Len=0 TSV=3920268390 TSER=47275879
34.823399 213.248.111.90 -> 333.33.33.33 HTTP HTTP/1.1 200 OK
34.823453 333.33.33.33 -> 213.248.111.90 TCP 51690 > http [ACK] Seq=155 Ack=321 Win=6912 Len=0 TSV=47276048 TSER=3920269022

Any idea about why this difference in behaviour?

I think it would be interesting to have a list of bad habits you observe related to system administration. For example:

• Always using root on servers
• Sharing account passwords
• Inserting passwords on code
• Still using telnet
• ...

Although I'm mostly interested on security, you bad habit doesn't have to be security related. Bad habits stories are also welcomed.

I'm looking for different ways to do security awareness for 'normal' users. As they usually have not much attention span and not a single bit of interest on the subject, they usual formal means of awareness simply doesn't work.

I'm thinking of new means for security awareness and wanted to hear what you think on the subject, if you have conducted or know about awareness campaigns that really worked.

I'm talking about initiatives like Symantec's scary internet stuff or mindful security.

Also, regarding to IT staff, what security awareness campaigns or initiatives have worked better for you?

Trying to set up a linux server to authenticate users on the corporate active directory we're facing a problem. We're using SAMBA, winbind, krb5 and PAM.

The problem arises when trying to list users from the system. winbind tries to look them up in all the trusted domains from the company branches. As they cannot be accessed from the linux server we get a timeout.

How can we tell samba or winbind to only look for users in the parent domain and avoid the rest?

We want users from company.com but not from branch1.comapny.com.

EDIT:

SAMBA version is 3.0.33 on RH4.

I need to review firewall rules of a CheckPoint firewall for a customer (with 200+ rules).

I have used FWDoc in the past to extract the rules and convert them to other formats but there was some errors with exclusions. I then analyze them manually to produce an improved version of the rules (usually in OOo Calc) with comments.

I know there are several visualization techniques but they all go down to analyzing the traffic and I want static analysis.

So I was wondering, what process do you follow to analyze firewall rules? What tools do you use (not only for Checkpoint)?

I have been asked to disable access to USB devices on Windows machines for information disclosure reasons.

Although this can be done with Active Directory, the problem is that the solution should let us enable access for certain users for limited authorised periods.

How can this be done with Active Directory (if it's possible)?

If not, which software can I use to do it?

In a farm of virtualized Red Hat servers, there's the need to install a minimal system for security reasons. Minimal installs have several advantages (even no security related):

1. Less exposure to vulnerabilities (if you don't need it, don't install it)
2. Better update process (less packages to update, less probability of breaking the system)
3. Better performance (no unneeded daemons or processes)
4. The less software you have the easier it is to harden the system

Unfortunately, this is not easy because the "Minimal Installation" on Red Hat contains lots of unnecessary packages.

There is an added challenge as the farm is running Oracle iAS. I've been told that iAS has dependencies with local graphical environment. So finally every server in the farm has gnome, X, etc.

I've been searching the web and one solution seems to be making a kickstart script that will install only the necessary packages. But I find this difficult and have several doubts about how to maintain the system dependencies afterwards.

How do you install minimal Red Hat servers? Is it OK to use kickstart or will I have dependency problems in the installation or in updates? Is there any way to avoid installing the graphical environment for iAS?

In the need to centralize logs we have selected syslog as the collector and Splunk (free for now) as the analysis tool, but there's always the question about which events should get to the central repository and from which systems.

The selection should address only those logs of interest from a security point of view.

Which logs do you centralize and how do you select them?

The answers should indicate types of devices, systems or software, types of logs/events and the reason for choosing them.

We have a discussion in my company's security group about what's the worse of the following options to manage SSL private key.

The web server needs access to the private key for the encryption operation. This file should be protected from unauthorized access. At the same time, the server should start automatically, without human intervention (if it's secure enough).

We are discussing three options:

1. Protect the key with file system perms.

2. Use a password protected key and enter the key manually in every restart.

3. Use a password protected key and store the key in the filesystem to automate restart.

Our concerns are the following:

1. With option 1, restarts are automatic but a compromise could copy the private key and, as is un protected, could be used to decypher the communication or impersonate our servers.

2. Option 2 seems the more secure but it needs human intervention and sysadmins are concerned if it happens off-hours. Also, the password should be shared with several sysadmins and you know a shared secret is no longer a secret.

3. Option 3 has the best of both previous options but if someone has access to the key could also has access to the password :(, so it doesn't seem so secure at all.

How do you manage the security of your servers' private keys? Is there any other (more secure) options?