J Wolfgang Goerlich's thoughts on Information Security
Apache Versus Internet Information Services Security

By wolfgang. 29 March 2009 19:21

Fresh from a recent debate on Apache versus IIS security, I bring you this summary. I am not in a position to directly compare IIS versus Apache. When I build an IIS server, I am fairly confident in its security. If I were to build an Apache server, I would have little confidence due to my inexperience. So much depends upon the admin's skillset.

Quantitatively, Apache has more known vulnerabilities and attacks than IIS. IIS5 on Windows 2003 has 4 vulnerabilities. IIS6 on Windows 2008 has 1 published vulnerability. By contrast, Apache 2.0.x has 23 vulnerabilities.

The counter-argument to these statistics is this: most of the 23 vulnerabilities were in Apache modules. The attack surface drops significantly if you disable these modules. (And, of course, if you know how to disable the modules.)

Another counter-argument is that the web server depends upon the operating system. A determined attacker goes around your defenses rather than through them. Thus I would suspect the security would turn more on the OS and the Web applications.

Secunia: IIS 6.x
http://secunia.com/advisories/product/1438/

Secunia: IIS 7.x
http://secunia.com/advisories/product/17543/

Secunia: Apache 2.0.x
http://secunia.com/advisories/product/73/

Tags:

Security | Apache | IIS

Cross Site Scripting: eWeek

By wolfgang. 28 March 2009 19:21

Cross Site Scripting (XSS) is a big concern these days. Below is an article that describes in more detail how XSS attacks work. Two ways to mitigate these are static code analysis and Web application firewalls. The first, code analysis, would be a good way for eWeek to scan and check their advertisers' content.

A Web Developer's Guide to Cross-Site Scripting
http://www.sans.org/reading_room/whitepapers/securecode/a_web_developers_guide_to_crosssite_scripting_988

At eWeek.com, malware was inserted into advertising on the web page. If a user clicked on the ad, it would "redirect the user to a malicious Web site through a series of IFrames. The new URL led to an adult Web site, which attempted to load a PDF that exploits a known Adobe vulnerability. The vulnerability affects versions 8.12 and earlier and has been patched" (B Prince 2009).

The company caught the problem and, although indicating that it was not a problem of their own, said they would take measures to see that this would not happen again. They did not state the measures that will be taken, but some measures that can help prevent this are as follows.

  • A Web vulnerability scanner, which will scan for potential weaknesses on the page.
  • Encode output based on input parameters.
  • Filter input parameters for special characters.
  • Filter output based on input parameters for special characters.
  • Filtering lets you remove special characters that may allow malicious scripts to run; URL encoding and HTML encoding prevent malicious script from executing.

Although eWeek's web server was not broken into, I feel it should be responsible for the content it chooses to display. Therefore they should have checked the page and its advertisers' content to make sure it was secure. Following some of the methods listed above would have been a proper step. XSS has been cited as one of the more prominent web attacks, so when doing business on the web the company should have been aware of this and made it a priority to scan the content for vulnerabilities. I should hope that eWeek implements some of the techniques mentioned in its process when presenting web content.

http://www.eweek.com/c/a/Security/Attackers-Infect-Ads-With-Old-Adobe-Vulnerability-Exploit/

http://www.crosssitescripting.com/

Tags:

Security

VeriFace Facial Recognition

By wolfgang. 22 March 2009 23:24

Some modern notebooks come with facial recognition. A face being something you have, of course. This can be paired with a Windows password (what you know) for two-factor security.

This is not strong two-factor security, as facial recognition, at least as currently implemented, is susceptible to a wide range of attacks. A presentation at Blackhat covered these vulnerabilities in detail.

J Wolfgang Goerlich


YouTube - Face Recognition Commercial Lenovo
http://www.youtube.com/watch?v=H2a0KYtG97E

BlackHat: Your face is NOT your password
http://www.blackhat.com/presentations/bh-dc-09/Nguyen/BlackHat-DC-09-Nguyen-Face-not-your-password.pdf
http://blackhat.com/presentations/bh-dc-09/Nguyen/BlackHat-DC-09-Nguyen-Face-not-your-password-slides.pdf

Tags:

Security | Biometrics

Open Up and Lock Down

By wolfgang. 13 March 2009 04:31

Today's networks balance opening up with locking down. The model perimeter, with a single access gateway protected with a firewall, is quickly disappearing. All end-points should now run their own firewalls. All hosts (particularly high-value servers) should now be bastion hosts. Access across the network should be locked down by default, and then opened up only for particular services.

I think we see this change reflected in several trends. The ongoing focus on detection controls over defensive controls is because modern networks have a significantly broader attack surface. Last year's focus on end-point security was about making computers bastion hosts. Risk management and governance are a hot topic now and seek to understand and protect business networks in their entirety, end-to-end.

I can only use my own firm as an example. We have some 17 dedicated connections coming in from partners and exchanges. We have five inter-office connections. We have 6 perimeter firewalls, or 7 if you include the Microsoft ISA server. All servers are running a host firewall and are locked down. All this so we can gain access to the resources of partners and vendors, and to provide resources to partners and clients. And this is in a relatively small company with less than 200 employees. Imagine the complexity of mid-sized and enterprise networks.

Open Up. Collaborate and succeed. Lock Down. Secure and protect.

J Wolfgang Goerlich


The eroding enterprise boundary: Lock Down and Open Up
http://www.theregister.co.uk/2009/03/12/eroding_enterprise_boundary/

IBM Security Technology Outlook: An outlook on emerging security technology trends.
ftp://ftp.software.ibm.com/software/tivoli/whitepapers/outlook_emerging_security_technology_trends.pdf

Tags:

Architecture | Security

Delegating management in Hyper-V

By wolfgang. 11 March 2009 19:27

Separation of duties is a concept we keep coming back to. One individual (or one group) should not have full authority to complete a process. This goes hand-in-hand with least privilege. Any one individual (or group) should have just enough system privileges to complete their portion of the process, and no more. In the realm of server virtualization, this means dividing up duties between those who manage the hypervisor, those who manage the VMs, and those who manage the guest computers.

In Hyper-V, you can delegate permission to manage or monitor the VMs separately from managing the hypervisor. To do so, use the Authorization Manager console (AzMan.msc) to edit the \ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml configuration file. Create a Windows security group first, then use AzMan.msc to create a role, specify tasks, and assign the role to the security group.
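The same delegation can be scripted, which makes the split of duties repeatable and auditable. The following is an added example, not from the original post or from Microsoft's documentation: it uses the AzMan COM API (AzRoles) rather than the AzMan.msc console, and it assumes the default store path and application name of a Hyper-V host, a group name chosen here, and operation names as they appear in the default store (verify them in AzMan.msc before relying on them).

```powershell
# Added example: delegate "operate VMs only" rights in Hyper-V via the AzMan COM API.
# Assumptions: default InitialStore.xml path and "Hyper-V services" application name;
# operation names copied from the default store (verify in AzMan.msc); group name is
# invented for this example. Run elevated on the Hyper-V host; back up the store first.

$StorePath = 'C:\ProgramData\Microsoft\Windows\Hyper-V\InitialStore.xml'
$GroupName = 'HyperV-VM-Operators'            # hypothetical group name

# 1. Create the local security group that will receive the role.
if (-not (net localgroup $GroupName 2>$null)) {
    net localgroup $GroupName /add /comment:"May view, start and stop Hyper-V VMs" | Out-Null
}

# 2. Open the existing authorization store (flag 0 = open, do not create).
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, "msxml://$StorePath", $null)
$app = $store.OpenApplication('Hyper-V services', $null)

# 3. Create a role definition holding only the operations an operator needs.
#    Least privilege: no create/delete/reconfigure operations are included.
$roleDef = $app.CreateTask('VM Operator', $null)
$roleDef.IsRoleDefinition = $true
foreach ($op in @('Read Service Configuration',
                  'View Virtual Machine Configuration',
                  'Start Virtual Machine',
                  'Stop Virtual Machine',
                  'Pause and Restart Virtual Machine')) {
    $roleDef.AddOperation($op, $null)
}
$roleDef.Submit(0, $null)

# 4. Create the role assignment, attach the definition, and assign it to the group.
$assignment = $app.CreateRole('VM Operator', $null)
$assignment.AddTask('VM Operator', $null)
$assignment.AddMemberName("$env:COMPUTERNAME\$GroupName", $null)
$assignment.Submit(0, $null)

# 5. Review: list every role assignment and its members so the separation
#    between hypervisor admins and VM operators can be checked at a glance.
foreach ($r in $app.Roles) {
    '{0}: {1}' -f $r.Name, (@($r.MembersName) -join ', ')
}
```

Hypervisor administration stays with the default Administrator role; members of the new group can only view, start, stop and pause VMs.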

For step-by-step instructions, please see Microsoft’s documentation.


Configure Hyper-V for Role-based Access Control

http://technet.microsoft.com/en-us/library/dd283076(WS.10).aspx


Tags:

Hyper-V | Security

Fun Stuff -- Wireshark, L0phtcrack, Netcat

By wolfgang. 2 March 2009 15:46


Wireshark was updated last month. “Updated Protocol Support: AFS, ATM, DHCPv6, DIS, E.212, RTP, UDP, USB, WCCP, WPS.” This is excellent as I have been playing around with IPv6 more, and the DHCPv6 and UDP enhancements will be a big help. They also fixed the multi-monitor issue that has been plaguing my setup. I am now running on the latest.

http://www.wireshark.org/news/20090206.html

L0phtCrack is making a comeback. “More than two years after Symantec pulled the plug on L0phtCrack, the venerable password cracking tool is being prepped for a return to the spotlight. The original creators of L0phtCrack has reacquired the tool with plans to release a new version at next week’s SOURCE Boston conference.”

http://blogs.zdnet.com/security/?p=2737


There are also rumors that the L0phtCrack folks, Peiter “Mudge” Zatko and Chris “Weld Pond” Wysopal, are working on a 64-bit release of Netcat. While it is debatable whether 32-bit and 64-bit versions will bring any performance boost in connectivity and cryptography, it does get me one step closer to my goal of running only 64-bit code on my notebook.

http://netcat.sourceforge.net/

It is a very exciting week.

Tags:

Security