Friday, October 2, 2020

On secure storage of passwords

Secure software protects users' passwords at rest. That is, unauthorized access by either an intruder or anyone having access to the storage space would not leak passwords. Password hashing is the accepted method for secure password storage. OWASP provides a comprehensive cheatsheet on secure password storage. 

It is recommended to use hash algorithms with a salt (a random, unique value for each password) so that cracking the hash value using brute force or rainbow tables becomes harder. Salts are stored in the same database as the hashed passwords. Reusing a salt and using short salts are among the common implementation errors. There are standard salted hash algorithms such as bcrypt and Argon2 (the winner of the 2015 Password Hashing Competition) which are suitable for password hashing. In a 2019 post, Michele Preziuso discussed different attacks against password hashing algorithms (PBKDF2, bcrypt, scrypt, and Argon2). He recommends the 'id' variant of Argon2, as well as scrypt, as the most suitable choices considering different attack scenarios.

Peppering is another step toward securing password hashes. A (cryptographic) pepper is a secret input added to the password before hashing. Unlike the salt, the pepper is not stored with the hashed password; it is usually hardcoded in the application. The pepper is an additional defense when the attacker has access to the password storage area.

In her dev.to post, Nathalia Pierce provides best practices for secure password storage from a developer's viewpoint, and happycoding.io has a comprehensive tutorial for Java programmers.

Tuesday, July 7, 2020

PCI Guidance on Responding to a Cardholder Data Breach

PCI SSC has recently published guidance on responding to a cardholder data breach. The aim of the document is "to help merchants and service providers with incident response preparation. This guide also describes how and when a Payment Card Industry Forensic Investigator (PFI) should be engaged to assist."
As everyone knows, protecting cardholder data is the main goal of the PCI standards, especially PCI DSS. Therefore it is obvious that PCI compliance mandates strict incident response activities in case of a data breach.
According to the guidance, an organization should be prepared for the data breach response by performing the following activities:
1- Implementing an IR (Incident Response) plan.
2- Limiting data exposure.
3- Planning the notification of all required parties.
4- Ensuring the inclusion of necessary measures in third-party contracts.   
The next steps are mainly about identifying and engaging a PFI (PCI Forensic Investigator).

Saturday, May 16, 2020

Microsoft SQL Vulnerability Assessment

One of the best sources of security guidelines for IT products is the product vendor. If you need a security baseline guide for an OS, a DBMS, or a network device, first look for it in the vendor-provided documents. Microsoft products are a good example of the above. For instance, Microsoft has published the SQL Vulnerability Assessment tool to aid DB admins in hardening the database as well as the DBMS. The tool is part of SQL Server Management Studio and requires it.
Which security policies, configurations and rules does the tool check? The below links provide a comprehensive checklist:
https://eitanblumin.com/sql-vulnerability-assessment-tool-rules-reference-list/
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-vulnerability-assessment-rules

Thursday, May 7, 2020

Reviewing logs of perimeter firewalls

When designing perimeter firewall policies, it is important to decide how we log the traffic that matches each rule. A good practice is to collect logs of all outbound traffic matched by the final ''Deny All'' policy, where all other rules strictly accept only the legitimate traffic. If the ''Accept'' policies are configured precisely, we can detect deviations from normal or expected behavior by reviewing the logs of dropped outbound traffic. In particular, one may find internal IP addresses and ports that have been dropped, which means that a user was trying to bypass the restrictions of the perimeter firewall and connect to an external IP/service.
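As an added example (not from the original post), a small Python review script that keeps only the outbound events hitting the final deny rule and groups them per internal host; the log lines are constructed in a simple key=value layout and the internal range is an assumption, so adapt the parser to your firewall's export format.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample firewall log lines (not real vendor output); the final rule is "deny-all".
SAMPLE_LOGS = """\
ts=2020-05-07T08:01:02 rule=allow-web action=accept src=10.0.1.15 dst=198.51.100.20 dport=443 proto=tcp
ts=2020-05-07T08:01:05 rule=deny-all action=deny src=10.0.1.15 dst=198.51.100.7 dport=22 proto=tcp
ts=2020-05-07T08:01:09 rule=deny-all action=deny src=10.0.1.15 dst=198.51.100.7 dport=22 proto=tcp
ts=2020-05-07T08:02:10 rule=deny-all action=deny src=10.0.2.40 dst=203.0.113.9 dport=4444 proto=tcp
ts=2020-05-07T08:02:15 rule=deny-all action=deny src=203.0.113.50 dst=10.0.1.15 dport=3389 proto=tcp
ts=2020-05-07T08:03:00 rule=allow-dns action=accept src=10.0.1.15 dst=192.0.2.53 dport=53 proto=udp
"""

# Assumed internal address space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line: str) -> dict:
    """Split 'key=value key=value ...' into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def dropped_outbound(log_text: str) -> Counter:
    """Count (src, dst, dport, proto) tuples for outbound traffic that was denied.

    Inbound drops (external source) are expected noise at a perimeter and are skipped;
    only internal hosts trying to leave through the deny rule are of interest."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("action") != "deny":
            continue
        if is_internal(ev["src"]) and not is_internal(ev["dst"]):
            counts[(ev["src"], ev["dst"], ev["dport"], ev["proto"])] += 1
    return counts


def report(log_text: str) -> dict:
    """Group the dropped outbound attempts per internal host for the reviewer."""
    per_host = defaultdict(list)
    for (src, dst, dport, proto), n in sorted(dropped_outbound(log_text).items()):
        per_host[src].append(f"{dst}:{dport}/{proto} x{n}")
    return dict(per_host)
```

Repeated drops from one host toward the same external port are the entries worth following up first, since they point at a client that keeps retrying a blocked destination.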

Wednesday, April 29, 2020

Online materials for a Cambridge University course

Professor Ross Anderson of Cambridge University has published the materials, including videos, of his undergraduate course Software and Security Engineering. If you haven't attended academic security courses, or it has been a long time since you attended such classes, this course may be of interest to you.

Saturday, April 18, 2020

Ransomware with exfiltration capabilities

As we all know, ransomware is all about blocking the victim's access to his/her files in exchange for a ransom. However, this is not the whole story for a new instance of ransomware named DoppelPaymer. Recently, a bunch of proprietary documents were leaked by the criminals behind DoppelPaymer after Visser Precision, a contractor company in the aerospace market, declined to pay a ransom. In general, it is not a good idea to pay the ransom when you are hit by ransomware. However, ransomware with exfiltration capabilities may be more convincing for the victims to pay the ransom.

Friday, April 3, 2020

About bug bounty programs

According to Schneier on Security, recent research shows that bug bounty programs may be used to buy silence. That means some companies expect researchers to stay silent about their vulnerabilities in exchange for a payout.

Wednesday, March 25, 2020

Apt-get "NO_PUBKEY" issue

After enabling Windows Subsystem for Linux (WSL), I was trying Kali Linux on Windows after installing it from Microsoft Store. During the distro update, a public key error appeared:

"The following signatures couldn’t be verified because the public key is not available: NO_PUBKEY ..."

According to this page: https://github.com/yarnpkg/yarn/issues/4453, you can solve the issue using 

"curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -"

Monday, March 23, 2020

Enabling WSL using Powershell

If you want to enable the Windows Subsystem for Linux (WSL), you can run the following command in PowerShell. You need to open PowerShell as administrator.

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

Wednesday, January 29, 2020

Features of SELKS IDS

SELKS is an open-source platform which provides the Suricata IDS as well as tools to manage rules, alerts, flows, etc. I had worked with earlier versions of SELKS, and now I'm really surprised to see the enhancements made in the latest version. Here are some of the changes:

1- SELKS comes with hundreds of pre-built visualization objects and dashboards. You can use those objects or create new ones to modify existing/create new dashboards.

2- The administration interface for SELKS components - from basic components such as Elasticsearch to individual Suricata rules - has been enhanced extensively.

3- You can use EveBox to analyze individual or groups of alerts, escalate them for further analysis, comment on alerts, etc.

4- For an open-source tool, the level of integration between SELKS components is interesting.

5- Most of the outputs, from high-level visualized ones to raw alerts, can be filtered based on multiple types of fields using the web interface.

6- You can manage and customize individual Suricata IDS rules easily in the web interface.

SELKS is highly recommended if you do not have an IDS sensor in your network.