Threat Modeling

As part of new application development, I've been starting to use Threat Modeling in the design of new applications. When I get some time, I'm planning on saying a whole lot more about the Threat Modeling process. For now, here's the introduction:



According to MSDN, Threat Modeling is one of the top security analysis methodologies that MS developers use to identify security risks and make better application design, coding, and testing decisions.

They've also released a related application, the "Threat Modeling Tool" which generates a nice XML dataset of the information and provides a decent XSLT document to output the Threat Modeling report.

You can watch Frank Swiderski's demo of this tool at Channel 9 here.

0 comments:

LIVE LIVE LIVE

MS has been hard at work trying to keep up with Google.

Check out the following new Microsoft AJAX (or ATLAS) enabled web sites:

The Landing Page: Windows Live Ideas

Some of the offerings:
Windows Live
Windows Live Favorites
  • Favorites you can take with you (perhaps like del.icio.us)
Windows Live Local (powered by Virtual Earth)
  • This just may be better than Google Maps.
Windows Live Safety Center
  • Virus, system cleanup, and system tune up
Windows Live OneCare
Windows Live Mail
Windows Live Messenger

I haven’t had time to try all of these yet, but I was impressed with the Windows Live Local. Other offerings coming soon from Microsoft are Office Live and Xbox Live.

0 comments:

y.ah.oo! + del.icio.us = y.del.ah.icio.oo!.us

Yahoo! has recognized just how cool del.icio.us is and Yahoo! and del.icio.us have joined forces.

I'm hoping this will bring more features and tighter integration into the browser. This just goes to show that a great, simple idea can really pay off.

2 comments:

Hackers Steal Sensitive Data using Digital Cameras

While reading this article, I was struck by how stupid the technology jargon for doing naughty things with a computer is becoming.

What is UP with the stupid trendy names? It reminds me of the juvenile language that started in the cracking/hacking communities and is now considered the language of script kiddies: leet speak, or l33t sp3@k if you prefer. Most of us just make fun of it...

So to test your new vocabulary, I'll write out some words and you pick the correct definition:

Camsnuffling:
a. a rotating disk shaped to convert circular into linear motion that is liable to sniffle
b. camel with a cold
c. using a digital camera to steal corporate sensitive data

Podslurping
a. Pod person drinking a slushy
b. using an iPod to steal corporate sensitive data
c. a blended drink made of the dryish fruit of a plant that contains one to many seeds

Bluetooting:
a. using a bluetooth device to steal sensitive corporate data
b. the blue light district in the London Borough of Wandsworth in south London
c. carouse: revelry in drinking; a merry drinking party


Yeah yeah, I made up bluetooting, but it will be on the front page of the tech news next week.

Give me a break....

2 comments:

Active Directory and lastlogontimestamp

The Problem
I was tasked with retrieving all of the enabled machine accounts from Active Directory along with the date/time they last logged in. After googling some articles on the topic, I found some reasonable solutions, but ran into a couple of issues along the way, so I thought I'd document it here for others.

To start off, here is the one article you want to read to introduce the topic and give some background:
Dandelions, VCR Clocks, and Last Logon Times: These are a Few of Our Least Favorite Things

Most of the references online show how to retrieve lastlogontimestamp using the DirectoryEntry object, as illustrated in the next snippet, which I pulled from a forum post showing how to properly retrieve the lastlogontimestamp value (the snippet sits inside a method that returns a DateTime):

using System;
using System.DirectoryServices;
using ActiveDs; // COM reference to the Active DS Type Library, which defines IADsLargeInteger

DirectoryEntry user = new DirectoryEntry("LDAP://" + strDN);
if (user.Properties.Contains("lastlogontimestamp"))
{
    // lastlogontimestamp comes back as an IADsLargeInteger COM object
    IADsLargeInteger li = (IADsLargeInteger)user.Properties["lastlogontimestamp"][0];
    // Recombine the two 32-bit halves into one 64-bit FILETIME value;
    // the (uint) cast on LowPart stops its sign bit from being extended into the upper half
    long lastlogonts = (long)li.HighPart << 32 | (uint)li.LowPart;
    user.Close();
    return DateTime.FromFileTime(lastlogonts);
}

What the post failed to do was explain what any of this meant.
The lastlogontimestamp is stored in Active Directory as an object that implements the IADsLargeInteger interface (an ActiveDS COM object). Ideally, AD would return a long (Int64) instead of the IADsLargeInteger object, eliminating the need to reference COM (ActiveDS is where this interface is defined) and allowing us to work with a .NET primitive.

Instead we have to use the IADsLargeInteger interface to extract the HighPart, stored as an Int32, cast it to a long (Int64), shift it left 32 bits, and then OR that with the LowPart, another Int32 (cast to uint first so that a LowPart with its top bit set is not sign-extended into the upper half). If you're wondering what the bit-shifting and OR (|) code is doing, it essentially converts the IADsLargeInteger into a long (Int64).
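To make the HighPart/LowPart recombination concrete, here is an added example (not code from the original post or from any forum) that splits a 64-bit value into the two halves IADsLargeInteger exposes and recombines them both the right way and the naive way. It uses a plain struct named LargeIntegerParts as a stand-in for the COM interface so it runs without the ActiveDS reference; the sample values are constructed, with one chosen so that LowPart has its top bit set.

```csharp
using System;

// Stand-in for the two 32-bit halves IADsLargeInteger exposes (HighPart/LowPart).
// A plain struct so this sample compiles without the ActiveDS COM reference.
public struct LargeIntegerParts
{
    public int HighPart;
    public int LowPart;
}

public static class LargeIntegerDemo
{
    // Correct recombination: the (uint) cast zero-extends LowPart before the OR.
    public static long Combine(LargeIntegerParts li)
    {
        return (long)li.HighPart << 32 | (uint)li.LowPart;
    }

    // Naive recombination that forgets the (uint) cast: a LowPart whose top bit is set
    // is sign-extended to 64 bits, so the OR sets every bit of the upper half.
    public static long CombineNaive(LargeIntegerParts li)
    {
        return (long)li.HighPart << 32 | li.LowPart;
    }

    // Split a 64-bit FILETIME into the halves AD stores, for round-trip checks.
    public static LargeIntegerParts Split(long value)
    {
        return new LargeIntegerParts
        {
            HighPart = (int)(value >> 32),
            LowPart = (int)(value & 0xFFFFFFFF),
        };
    }

    public static void Main()
    {
        long[] samples =
        {
            // A real FILETIME for a constructed date
            new DateTime(2005, 12, 1, 8, 30, 0, DateTimeKind.Utc).ToFileTimeUtc(),
            // Constructed: LowPart top bit set, so the naive version breaks
            0x01C5F3FB80000000L,
            // Constructed: LowPart top bit clear, so both versions agree
            0x01C5F3FB7FFFFFFFL,
        };

        foreach (long original in samples)
        {
            LargeIntegerParts li = Split(original);
            long good = Combine(li);
            long naive = CombineNaive(li);
            Console.WriteLine(
                "{0:X16}  high={1:X8} low={2:X8}  combine ok={3}  naive ok={4}  {5:u}",
                original, li.HighPart, li.LowPart,
                good == original, naive == original,
                DateTime.FromFileTimeUtc(good));
        }
    }
}
```

Running it shows the naive recombination only fails on the sample whose LowPart is negative as an Int32, which is exactly the case the (uint) cast in the forum snippet is there to handle; roughly half of all real timestamps have that bit set, so the bug would show up as wildly wrong dates rather than an exception.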

Now let's say you are using the DirectorySearcher object instead of the DirectoryEntry object to find the object in Active Directory you need. If you try to use code similar to the sample above, you will get an InvalidCastException when casting lastlogontimestamp to IADsLargeInteger. For some reason, when using the DirectorySearcher object, lastlogontimestamp is returned as a long (Int64) instead of an IADsLargeInteger. I found this behavior to be a bit schizophrenic.

Here's an example of what I'm talking about:

SearchResultCollection resultCollection = null;
DirectoryEntry entry = new DirectoryEntry("LDAP://DC=BLAH,DC=COM/");
DirectorySearcher searcher = new DirectorySearcher(entry);
searcher.SearchScope = SearchScope.Subtree;

// Filter out only Enabled Computer Accounts
searcher.Filter =
    "(&(objectCategory=computer)(name=*)(!" +
    "userAccountControl:1.2.840.113556.1.4.803:=2))";

resultCollection = searcher.FindAll();

foreach (SearchResult result in resultCollection)
{
    // Huh, this time it's a long (Int64)!
    long lastlogontimestamp = (long)result.Properties["lastlogontimestamp"][0];
    DateTime dtLastLoginTimeStamp = DateTime.FromFileTime(lastlogontimestamp);
    ...
}

A Poorly Named Method
The next thing you may be wondering is why I show examples that use the DateTime.FromFileTime() method. What does a file time have to do with Active Directory and the lastlogontimestamp?

Well, I’m guessing whoever wrote the .NET DateTime object must have thought something like this – “a time expressed in a 100 nanosecond units starting from January 1, 1601 is how file times are stored. I’ll write a method on DateTime called FromFileTime(long nanotime)” or maybe “AH crap, I’ve got this file timestamp as a long and I need an easy way to convert it to a DateTime object without repeating the same code over and over again. I’ll just add a method to DateTime that takes a long and returns the corresponding DateTime.”

This method name, while accurate, is a narrow description of what the method actually handles: ANY time expressed as an Int64 count of 100-nanosecond units starting from 1/1/1601. Active Directory uses this same 100-nanosecond unit to store its timestamps, and I'm betting there are other things that do as well.

What IS nice about the FromFileTime() method is that it returns a DateTime in the current time zone, so we don't have to convert it.

There are actually a couple of ways to convert the Int64 100-nanosecond representation to a DateTime object in .NET:

1. One of the TimeSpan constructor overloads takes a period expressed in 100-nanosecond ticks, which is exactly what AD is returning. If we create a DateTime object that starts at 1/1/1601 and then add a TimeSpan created from our Int64 value, we get the corresponding UTC time as a DateTime object. Finally we need to convert the UTC time to local time. Here is the code to illustrate this:

long lastlogontimestamp = (long)result.Properties["lastlogontimestamp"][0];
// Create a date object starting at 1/1/1601 (the AD/FILETIME epoch), marked as UTC
DateTime dt = new DateTime(1601, 1, 1, 0, 0, 0, DateTimeKind.Utc);
// Add the ticks, then convert the UTC result to local time
DateTime dtLastLoginTimeStamp = dt.Add(new TimeSpan(lastlogontimestamp)).ToLocalTime();

2. More simply, we can just use DateTime.FromFileTime(), which accomplishes what the code above does with less code.
Here's some sample code:

long lastlogontimestamp = (long)result.Properties["lastlogontimestamp"][0];
DateTime dtLastLoginTimeStamp = DateTime.FromFileTime(lastlogontimestamp);
With all of that said, the solution I came up with to report on the lastlogontimestamp of the machine accounts in AD is pretty straightforward:

using System;
using System.DirectoryServices;

SearchResultCollection resultCollection = null;
DirectoryEntry entry = new DirectoryEntry("LDAP://DC=BLAH,DC=COM/");
DirectorySearcher searcher = new DirectorySearcher(entry);
searcher.SearchScope = SearchScope.Subtree;

// Filter out only Enabled Computer Accounts
// (the ACCOUNTDISABLE bit, 0x2, is not set in userAccountControl)
searcher.Filter = "(&(objectCategory=computer)(name=*)" +
    "(!userAccountControl:1.2.840.113556.1.4.803:=2))";

searcher.PropertiesToLoad.Add("name");
searcher.PropertiesToLoad.Add("description");
searcher.PropertiesToLoad.Add("operatingSystem");
searcher.PropertiesToLoad.Add("operatingSystemVersion");
searcher.PropertiesToLoad.Add("lastlogontimestamp");

try
{
    resultCollection = searcher.FindAll();

    foreach (SearchResult result in resultCollection)
    {
        //...
        // A machine that has never logged on has no lastlogontimestamp value,
        // and indexing [0] on the empty collection would throw
        if (result.Properties["lastlogontimestamp"].Count == 0)
            continue;
        long lastlogontimestamp = (long)result.Properties["lastlogontimestamp"][0];
        DateTime dtLastLoginTimeStamp = DateTime.FromFileTime(lastlogontimestamp);
        string answer = dtLastLoginTimeStamp.ToShortDateString()
            + " " + dtLastLoginTimeStamp.ToShortTimeString();
        //...
    }
}
finally
{
    // FindAll() may throw, in which case resultCollection is still null
    if (resultCollection != null)
        resultCollection.Dispose();
    searcher.Dispose();
    entry.Close();
}
One Last Problem:
It turns out the value of lastlogontimestamp is replicated from the DCs to the GC every 14 days. This presents a problem if you want real-time data. If you really want the latest and greatest logon time, the solution is as follows: connect to EACH domain controller and check the lastlogon value instead. I wrote code to do this and found that on a LARGE domain with over 4,000 computers this report takes a loooooong time to run. If anyone has any suggestions on how to do this efficiently in practice, please let me know.
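The two conversion methods above, the never-logged-on case, and the 14-day lag just described all affect how a report like this gets read, so here is an added example (my own illustration, not code from the post) that turns raw lastlogontimestamp values into report rows. The class name LastLogonReport, the hypothetical helper names, and the sample rows are all constructed; the rows mimic what the DirectorySearcher loop would hand you (a name plus the raw attribute value, or null when the attribute is absent). The dormancy threshold adds the post's 14-day lag as slack so that a recently active machine is not flagged just because its timestamp has not been refreshed yet.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helpers (not from the post) for reporting on lastlogontimestamp values.
public static class LastLogonReport
{
    // The AD/FILETIME epoch, marked as UTC so ToLocalTime() behaves predictably.
    static readonly DateTime AdEpoch = new DateTime(1601, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // Method 1 from the post: epoch plus a TimeSpan of 100-nanosecond ticks.
    public static DateTime ViaEpoch(long ticks) => AdEpoch.Add(new TimeSpan(ticks));

    // Method 2 from the post, in its UTC form: same result, less code.
    public static DateTime ViaFileTime(long ticks) => DateTime.FromFileTimeUtc(ticks);

    // Converts the raw attribute value to a nullable DateTime. An account that has never
    // logged on has no attribute value (null here) or a value of 0; both map to null.
    public static DateTime? ToLastLogon(object rawValue)
    {
        if (rawValue == null) return null;
        long ticks = Convert.ToInt64(rawValue);
        if (ticks <= 0) return null;
        return DateTime.FromFileTimeUtc(ticks);
    }

    // The post observes the value can lag by up to 14 days, so that much slack is added
    // before a machine is called dormant; otherwise active machines show up as stale.
    public const int ReplicationLagDays = 14;

    public static bool IsDormant(DateTime? lastLogon, DateTime now, int maxAgeDays)
    {
        if (lastLogon == null) return true; // never logged on
        return (now - lastLogon.Value).TotalDays > maxAgeDays + ReplicationLagDays;
    }

    public static void Main()
    {
        // Fixed "now" so the sample is repeatable.
        DateTime now = new DateTime(2005, 12, 15, 12, 0, 0, DateTimeKind.Utc);

        // Constructed rows: (name, raw lastlogontimestamp value as the searcher returns it).
        var rows = new List<KeyValuePair<string, object>>
        {
            new KeyValuePair<string, object>("WS-ACTIVE",  now.AddDays(-3).ToFileTimeUtc()),
            new KeyValuePair<string, object>("WS-BORDER",  now.AddDays(-100).ToFileTimeUtc()),
            new KeyValuePair<string, object>("WS-OLD",     now.AddDays(-200).ToFileTimeUtc()),
            new KeyValuePair<string, object>("WS-NEVER",   0L),
            new KeyValuePair<string, object>("WS-MISSING", null),
        };

        const int maxAgeDays = 90;
        foreach (var row in rows)
        {
            DateTime? lastLogon = ToLastLogon(row.Value);
            string shown = lastLogon.HasValue
                ? lastLogon.Value.ToLocalTime().ToString("g")
                : "never";
            Console.WriteLine("{0,-10} last logon: {1,-18} dormant: {2}",
                row.Key, shown, IsDormant(lastLogon, now, maxAgeDays));
        }

        // Sanity check: the two conversion methods from the post agree tick for tick.
        long sample = now.ToFileTimeUtc();
        Console.WriteLine("methods agree: {0}", ViaEpoch(sample) == ViaFileTime(sample));
    }
}
```

With a 90-day threshold, WS-ACTIVE and WS-BORDER (100 days, inside the 90 + 14 window) are reported as live, while WS-OLD, WS-NEVER and WS-MISSING are flagged; if you drop the slack, WS-BORDER would be flagged even though its true last logon may be only a few days older than the replicated value shows.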

Further reading:
Decimal Time - Computers: a reference describing how computers store times in decimal.

16 comments:

DSW Inc. Settles FTC Charges

In my line of work I run into people and companies who just don't understand the importance of security as it pertains to their customers' data, especially credit card data. The latest news on the DSW fiasco illustrates this point very well.

"Shoe discounter DSW Inc. has agreed to settle Federal Trade Commission charges that its failure to take reasonable security measures to protect sensitive customer data was an unfair practice that violated federal law. "

I'm finding many people and companies I talk with DO NOT understand the following: if your company fails to take reasonable security measures to protect sensitive customer data, your company CAN be held liable under federal law.

When reviewing the allegations against DSW, I'm amazed (quoted from the FTC article):
  • created unnecessary risks to sensitive information by storing it in multiple files when it no longer had a business need to keep the information;
  • failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks;
  • stored the information in unencrypted files that could be easily accessed using a commonly known user ID and password;
  • failed to limit sufficiently the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and
  • failed to employ sufficient measures to detect unauthorized access.

These days, one doesn't have to look very far to learn industry best practices on storing credit card or banking information. Let's use VISA as an example: VISA has the Cardholder Information Security Program (CISP).

VISA's policy is this: "CISP compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data."

These standards are clearly spelled out by the Credit Card Industry in the Payment Card Industry (PCI) Data Security Standard. Anyone who is handling payment information should take this standard seriously and comply with it or face restrictions by the major card brands.

The date of compliance was June 30, 2005; certainly DSW did not have the luxury of this standard back in March 2005 when they were compromised. HOWEVER, I'm still hearing from people at different companies who hold onto credit card data and STILL ARE NOT taking the security of this data seriously, nor are they even aware of the PCI Data Security Standard.

Certainly the PCI Data Security Standard is not the "silver bullet" by any means, but it is a start. Ideally, companies would use this standard as a baseline and work from there to implement policies above and beyond the PCI Data Security Standard.

Better yet, small/mid-size companies should consider outsourcing payment services to a company that will hold and store this data properly (e.g. Verisign's Payment Services).

0 comments:

CISSP Final Results (a little late)

8:20 AM j. montgomery 0 Comments

I did forget to mention that I did make it through the endorsement phase around 2 months ago for the CISSP certification.

I am officially now CISSP certified.

0 comments:

It's del.icio.us!

The problem of storing Bookmarks/Favorites:

I think about all the links I've lost over the years, forgetting to back up my bookmarks when moving from an old system to a new one or reinstalling the OS. OH, the bookmarks I've lost. I finally quit wasting my time: I don't add bookmarks to IE or Firefox anymore. I had given up.

THEN Matt E. showed me the answer and now I have discovered del.icio.us (yes, I know, where have I been?) and it is del.icio.us. Now I am able. And I haven't begun to discuss the community aspects of this system, the relationships, the new sites I have found. And yet it's so basic, so utterly simple, yet so useful.

The 'Bookmarks' / 'Favorites' menus in the browsers are AWFUL and haven't changed since 1995. Firefox tried to make them better by making them RSS aware, but that was a failed attempt IMHO. Let's hope they can glean some knowledge from del.icio.us and raise the bar somehow.

Now if someone could figure out how to tie del.icio.us together with my browser (aside from the obvious) we'd really have a good solution.

Where and what are my links you ask? -> del.icio.us/j.monty

4 comments: