Editor's Note: HP 3000 shops that migrate will encounter new challenges to security. Whether the move is to Windows, to Unix, or to Linux, all non-3000 environments carry greater risk of breaches. The issues are current even for existing 3000 sites that continue to homestead: one manager of N-Class servers was seeking backup tape encryption solutions this week, after his auditors required it.
After showing, in yesterday's article, the penetration testing required to assess the risks, Certified Information Security Professional Steve Hardwick explains the technical countermeasures that secure enterprise servers. Passwording has always been a skill in the 3000 community. Entering the commodity systems world makes password practices even more critical to security.
By Steve Hardwick
Second in a series
There are always problems with passwords. Easy-to-guess passwords, especially dictionary words, create a vulnerability in any authentication system: they let a hacker streamline a brute-force attack (trying specific candidate passwords until the real one is found). One way to mitigate this is a password construction rule. For example, a password must contain an upper-case letter, a lower-case letter, a digit and a symbol, be 6-8 characters long, and be changed every 90 days. The length is chosen so that users can remember the password, but it is not so short that it is easily guessed. Unfortunately, this approach creates a new vulnerability.
Take an example of a 4-character password. If no rules are applied and any of the 90 standard printable keyboard characters may appear in any position, the number of possible combinations is 90x90x90x90, or 65,610,000. If the rule above is applied, requiring one upper-case letter, one lower-case letter, one digit and one symbol, and the four classes are taken in a fixed order, the count is 26x26x10x28, or 189,280. Allowing the four classes to appear in any order multiplies that by 4! = 24, giving 4,542,720, still about 14 times fewer than the unrestricted case. This gives a hacker an advantage: if the password rules are known, the number of candidate passwords shrinks significantly. This is the basis of rainbow-table attacks. Pre-computing the hashes of the candidate passwords once, into a rainbow table, turns cracking a captured password hash into a lookup rather than a series of guesses, and the smaller the candidate space, the cheaper the table is to build. In fact, there are websites dedicated to producing rainbow tables.
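To make the arithmetic above reproducible for any length and any rule, here is an added example (editor's code, not part of the original article) that counts candidate passwords with and without a composition rule. The 189,280 figure in the text counts one character from each class in a fixed order; the general "at least one of each class, anywhere in the password" count is computed by inclusion-exclusion over the classes that are missing. The class sizes (26/26/10/28, 90 printable characters in total) are the article's assumptions.

```python
from itertools import combinations

# Character classes the article assumes on a standard keyboard:
# 26 upper-case, 26 lower-case, 10 digits, 28 symbols = 90 printable characters.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 28}
ALPHABET = sum(CLASSES.values())  # 90


def unrestricted(length):
    """Candidate passwords of `length` when any printable character may appear anywhere."""
    return ALPHABET ** length


def fixed_order_one_each(required=CLASSES):
    """The article's 189,280: one character from each class, classes in a fixed order.
    Only meaningful when the length equals the number of required classes."""
    count = 1
    for size in required.values():
        count *= size
    return count


def at_least_one_each(length, required=CLASSES):
    """Passwords of `length` over the full alphabet that contain at least one
    character from every required class, in any positions.

    Inclusion-exclusion over the set of classes that are absent: for each
    subset M of classes, count the strings drawn only from the remaining
    characters and add or subtract according to the parity of |M|.
    """
    names = list(required)
    total = 0
    for k in range(len(names) + 1):
        for missing in combinations(names, k):
            remaining = ALPHABET - sum(required[c] for c in missing)
            total += (-1) ** k * remaining ** length
    return total


def reduction_factor(length, required=CLASSES):
    """How many times smaller the rule makes the space an attacker must search."""
    return unrestricted(length) / at_least_one_each(length, required)


if __name__ == "__main__":
    for n in (4, 6, 8):
        print(f"length {n}: unrestricted {unrestricted(n):,}, "
              f"with rule {at_least_one_each(n):,} "
              f"(x{reduction_factor(n):.1f} fewer candidates)")
```

The reduction is largest for short passwords, which is exactly where a precomputed table is cheapest; a longer minimum length does more for the search space than an extra composition rule.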
Then there is always social engineering: tricking someone into giving up a password over the phone. A typical method is to masquerade as a trusted user, for example by calling the IT department, pretending to be a senior manager, and explaining that you have forgotten your password. With the right amount of verbal threat ("I'll report you to HR for insubordination") it may be possible to have the IT support tech change the password to something the hacker dictates.
One of the most publicized security breaches was the loss of system backup tapes. In 2011 an SAIC employee had backup tapes containing 4.9 million healthcare records stolen from their car. The backup tapes were not encrypted. Similarly, many IT departments routinely create full system backup tapes, which include a copy of the password files. Very often these backup copies are not encrypted, and so they provide an easy way to get access to the password files.
Another countermeasure against brute-force or rainbow-table attacks is to limit the number of password attempts. For example, after three incorrect attempts the account is locked until it is reset. But this has a nasty side-effect: a denial-of-service attack can be launched that deliberately makes invalid password attempts to lock a user out. Although this may not compromise any information, it causes a lot of frustration and requires considerable resources to correct. A disgruntled employee may resort to this tactic as a parting gesture.
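The lockout side-effect above comes from the lock being permanent until an administrator resets it. As an added example (editor's code, not from the article), here is a per-account throttle that locks temporarily and doubles the lockout on each further burst of failures: brute force is still slowed to a crawl, but an attacker who only knows a username cannot lock its owner out for good. The thresholds (3 failures, 60-second base lockout, one-hour cap) are illustrative choices; timestamps are passed in explicitly so the behaviour can be checked without waiting.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per-account failure counter with a temporary, escalating lockout.

    A permanent lock after N failures lets anyone who knows a username deny
    service to its owner. Here the lock expires on its own, and the duration
    doubles with every further lockout until a successful login resets it.
    """

    def __init__(self, max_failures=3, base_lockout=60.0, max_lockout=3600.0):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self._failures = defaultdict(int)   # consecutive failures per account
        self._lockouts = defaultdict(int)   # lockouts triggered since last success
        self._locked_until = {}             # account -> unix time the lock expires

    def is_locked(self, account, now=None):
        """True while the account's lock is in force; clears expired locks."""
        now = time.time() if now is None else now
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[account]
            self._failures[account] = 0   # a fresh burst is needed to lock again
            return False
        return True

    def record_failure(self, account, now=None):
        """Register a failed attempt. Returns True if the account is now locked."""
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            return True
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            n = self._lockouts[account]
            duration = min(self.base_lockout * (2 ** n), self.max_lockout)
            self._locked_until[account] = now + duration
            self._lockouts[account] += 1
            return True
        return False

    def record_success(self, account):
        """A real login clears the counters and any escalation."""
        self._failures[account] = 0
        self._lockouts[account] = 0
        self._locked_until.pop(account, None)


if __name__ == "__main__":
    # A disgruntled colleague hammers alice's account at t=0..2 (constructed timeline).
    th = LoginThrottle()
    for t in (0, 1, 2):
        print(f"t={t:3}: failure -> locked={th.record_failure('alice', t)}")
    print(f"t= 30: locked={th.is_locked('alice', 30)}")   # still inside the 60 s window
    print(f"t= 62: locked={th.is_locked('alice', 62)}")   # expired; alice can log in again
```

The attempts should also be counted per source address, and the lockout logged, so that a flood of failures against many accounts shows up in monitoring rather than only as help-desk tickets.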
The next countermeasures fall under Change Management -- an area of security concerned with ensuring that the software platforms are maintained to a specific security standard.
With respect to passwords, there are two key components. First, security measures that ensure no unauthorized changes are made to the software. One of these measures is Unified Threat Management. This encompasses measures to prevent hackers from installing tools, such as key loggers that steal passwords, on users' machines. It also detects the privilege escalation used to compromise authentication.
The second measure is server hardening. Among other things, it involves removing default passwords and accounts. NIST has a good site for reviewing hardening procedures. Part of any pentest should include attempting to use default passwords and accounts.
One area that is often overlooked is factory-default passwords. (Ed. note: Even classic HP 3000s shipped key accounts with default passwords, which hackers claimed to find unchanged.) On many devices there is a factory-default password used to regain access to the machine should the user forget their password, particularly an administrative password. A good example is routers, wired or wireless.
Such a device can be reset in one of two ways: physically, when someone presses the reset button on the device (typically with a paper clip); or, on some devices, remotely, by overloading the system and forcing a hard reboot that brings it back up with factory defaults. Another example of a factory default is the Guest account on servers. Such accounts must be removed or disabled when the system is commissioned, or they offer a simple avenue of attack, since the password is non-existent or trivial.
Finally, let's look at passwords used through browsers. Passwords are entered into web applications through a browser or a mobile application; the back end may be a web service or part of a cloud-based application. In either case, the authentication mechanism may compare the submitted password to one stored in a database using SQL queries. If the submitted value is pasted into the query text, this opens the web server to SQL injection.
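The hardening checks just described (default accounts, empty passwords, guest logins left enabled) are easy to script. As an added example (editor's code, not from the article or from NIST's checklists), the block below audits a Unix-style /etc/passwd and /etc/shadow for accounts that a commissioning checklist should have dealt with. The two files are constructed samples embedded inline, and the list of "default" account names is illustrative rather than vendor-specific.

```python
# Constructed /etc/passwd and /etc/shadow excerpts (not from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1001:1001:Guest account:/home/guest:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
admin:x:1002:1002:Vendor admin:/home/admin:/bin/bash
alice:x:1003:1003:Alice:/home/alice:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$0123456789abcdef:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
toor:!:19000:0:99999:7:::
admin:$1$legacy$0123456789abcdef:19000:0:99999:7:::
alice:$6$saltsalt$fedcba9876543210:19000:0:99999:7:::
"""

# Account names that commonly ship enabled by default (illustrative, not exhaustive).
DEFAULT_ACCOUNTS = {"guest", "admin", "test", "user", "support"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_colon_file(text):
    """Map the first field of each non-empty, non-comment line to its fields."""
    records = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        records[fields[0]] = fields
    return records


def audit_accounts(passwd_text, shadow_text):
    """Return sorted (finding, account) pairs for conditions a hardening
    checklist flags: empty passwords, enabled default accounts, extra
    UID-0 accounts and legacy md5crypt ($1$) hashes."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = set()
    for name, fields in passwd.items():
        uid = int(fields[2])
        shell = fields[6]
        # No shadow entry is treated as locked rather than as an empty password.
        hash_field = shadow.get(name, [name, "!"])[1]
        locked = hash_field.startswith(("!", "*"))
        interactive = shell not in NOLOGIN_SHELLS

        if uid == 0 and name != "root":
            findings.add(("extra-uid0-account", name))
        if hash_field == "" and interactive:
            findings.add(("empty-password", name))
        if name in DEFAULT_ACCOUNTS and interactive and not locked:
            findings.add(("default-account-enabled", name))
        if hash_field.startswith("$1$"):
            findings.add(("weak-md5crypt-hash", name))
    return sorted(findings)


if __name__ == "__main__":
    for finding, account in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{finding:25} {account}")
```

Pointing the same functions at a live system's /etc/passwd and /etc/shadow requires root to read the shadow file; the guest account with an empty hash field and the second UID-0 account are the two findings that matter most, since both give a login without a password worth cracking.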
A great place to start in understanding this type of vulnerability is the Open Web Application Security Project (OWASP). This non-profit, worldwide organization is dedicated to improving the security of software, web applications in particular. Not only does its site give valuable information about web-based security threats, it also offers tool kits for specialized pentesting of web-based password input forms.
Managing passwords and other authentication mechanisms is a key component of any security program, and more is appearing on the horizon. Another factor forcing a re-evaluation of password security is the new Bring Your Own Device (BYOD) strategy. Not only does it complicate the control of classical password practices, but new approaches have to be taken into consideration: voice and face recognition, or the new Windows 8 picture password (gestures drawn on a photo), for example. Even that won't assure protection: the Windows 8 picture password is still susceptible to shoulder-surfing.
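To show the SQL injection the previous section warns about, here is an added example (editor's code, not from the article or OWASP) with a vulnerable login beside a hardened one, against a constructed in-memory SQLite table. The vulnerable version pastes the submitted username and password into the query text, so a quote in either field rewrites the WHERE clause. The hardened version binds the username as a parameter and never sends the password to the database at all: it fetches the stored salted PBKDF2 hash and verifies it in the application. The pw_plain column exists only to demonstrate the legacy comparison; a real table would hold pw_hash alone.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # illustrative PBKDF2 work factor


def hash_password(password, salt=None):
    """PBKDF2-SHA256 with a random 16-byte salt, stored as hex(salt)$hex(digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def check_password(record, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def setup_db():
    """Constructed user table (sample data, not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "pw_plain TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", "correct horse", hash_password("correct horse")))
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string formatting, so quotes in the input change the query.
    A password of  ' OR '1'='1  or a username of  alice'--  both log in."""
    query = ("SELECT username FROM users WHERE username = '%s' AND pw_plain = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Bound parameter for the lookup; the secret never enters the SQL text."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    return check_password(row[0], password)


if __name__ == "__main__":
    db = setup_db()
    for user, pw in (("alice", "correct horse"), ("alice", "' OR '1'='1"), ("alice'--", "x")):
        print(f"{user!r:12} {pw!r:16} vulnerable={login_vulnerable(db, user, pw)} "
              f"hardened={login_hardened(db, user, pw)}")
```

Parameter binding alone closes the injection; hashing is the separate defence against the stolen-backup-tape scenario earlier in the article, where the password file itself falls into the wrong hands.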
Steve Hardwick manages security for pre-payments provider Oxygen Finance, a Euro-founded company now extending its services to North American IT operations.