Viruses and malicious attacks through common business avenues such as Web portals, extranets, wireless networks and database access have the potential to undermine the success of your business. Neil Rerup, senior security consultant with the Security and Privacy Group of EDS Canada in Vancouver, recently highlighted for IT Focus several security precautions he recommends for manufacturers, wholesalers and retailers.
Web portal concerns
While Web portals have become a popular way to let customers have a unique experience that will encourage them to return to your Web site, they can open the door to security problems, he warns. An added complexity and vulnerability to your Internet facing network results when you offer different capabilities for different types of end users such as corporate partners and your employees.
Rerup recommended companies “follow the principle of least privilege. Don’t give any additional privileges that are not necessary. This means that permissions for the different areas need to be hardened, specifically for the registry keys. Second, don’t allow any services on your servers that do not need to be there. This is an old motherhood principle but it is surprising how many system administrators don’t follow it. Third, never, ever allow traffic from your DMZ (demilitarized zone) to flow into your backend network. It just opens up a door to possible problems. Just because something doesn’t seem to have an exploit today doesn’t mean that one won’t be discovered tomorrow.”
When companies let in suppliers as partners into their network through extranets, you are vulnerable if a partner is taken over, Rerup suggested.
“Extranets are areas of an organization’s network that are accessible by corporate partners in order to speed up the delivery of products and services between the two organizations,” he explained. “The problem is that you can’t look at just your network’s security in isolation. You have to take into consideration any connections into it. As a result, more and more companies are requiring their partners to undergo security audits to determine their level of security. It is a step in helping determine whether a partner’s network is a backdoor into your own network.
“Some of the areas that have to be looked at are items like the security of your partner’s domain controllers,” he continued. “Since many companies are linking their active directories (or LDAP directories) together and having authentication on one controller flowing through to other domains, an unauthorized user could use Active Directory as a bridge into your network. This type of vulnerability has been referred to as a domain trust vulnerability with Active Directory. In short, authorization to resources in either network depends on trusts (and extranets use trusts to allow access).”
He pointed out that with Windows 2000, all domains within a network — including domains stretching across extranets — have an automatic, two-way transitive trust. If an attacker can gain administrative rights in one domain, these rights can flow to the trusting domains, he noted.
“There is a patch that has been provided by Microsoft that has something called SID (Secure Identifier) Filtering. The SID Filtering filters out the authorization data from flowing from one domain to another.”
Further information on SID Filtering can be found at www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp.
Securing wireless networks
Manufacturers who are turning to wireless networks in their warehouses to facilitate inventory tracking may also be facilitating an intrusion, he warned.
“Wireless Networks are starting to show up everywhere for the simple reason that there isn’t a requirement to install additional wiring to a location that a computer is going to be placed,” he explained. “It’s great for mobility and allows ‘hoteling’ which is the ability to locate a workstation wherever a user needs to work. The problem is that the signals that are sent out by a wireless network card are not limited to a direct feed between the workstation and the access point. Anyone within the broadcast radius is going to be able to receive the signals.
“Most Wireless cards come with an encryption capability called WEP (Wireless Encryption Protocol) which have some inherent weaknesses, the worst being that it can be easily cracked if enough encrypted packages have been captured (in the area of 5-10 million encrypted packages). Plus, the capture and decryption of wireless transmissions can be done easily with some tools that are freely available in the hacker community.”
He cited AirSnort and WEPCrack as hacker tools that are freely available, noting they are Linux-based and allow an attacker with an antenna connected to their wireless NIC card to capture packets and crack the encryption once enough packets are captured.
He recommended that beyond encrypting the wireless connection, that the data sent across the wireless connection be itself encrypted and that the broadcast range of the wireless signals be as small as possible.
He challenged the security of PDAs (personal digital assistants) that conveniently extend the functionality of the desktop around the warehouse.
He highlighted two security concerns relating to PDAs and smart phones. “First, you have to be aware of the wireless security aspects. Any transmissions can be seen by anyone out there, so you have to deal with encryption situations. And second, PDAs don’t have any built in security. As a result, if someone was to lose their PDA, all the information that is stored on them is available for anyone to look at.”
He noted that products are becoming available to address these security weaknesses.
“Since the connections already have an encryption capability, the products are focusing on the lack of security with regards to accessing the information in the PDA itself. The first area is the encryption of the data that is already existing on the PDA. By encrypting the information, only the person that knows the password for the application is able to view the data. The other area that is being worked on is the authentication mechanisms that can be used for using the PDA. Think of them as the log-on prompt for the PDA. If the user does not know the appropriate username/password combination, they will not be able to log into the PDA and use its functionality.”
He reported that the last area that is being dealt with is the anti-virus aspects of PDAs. Since they are capable of receiving emails, they are capable of receiving viruses and worms.
“As of May, there has only been one known virus for PDAs and only a few Trojans. As a result, many security organizations are predicting that this will be the next wave of virus attacks. The first person to put together a virus attack for PDAs will receive a great deal of notoriety. There is already a hacker’s challenge to create a virus for PDAs. It’s just a matter of time until it occurs.
“What I haven’t seen in the marketplace at the moment are personal firewalls for PDAs nor some form of end-to-end encryption capability,” he continued. “Just like laptops or personal workstations, if a PDA has the capability to connect to a network with different applications, it is just as capable of being taken over.”
Securing your databases
Rerup noted that databases also need to be secured from having corrupt information.
“When ever you hear a vendor announce that their product does not have any security vulnerabilities, watch out!” he warned. “This is like waving a red-flag in front of hackers and security consultants, challenging them to ‘come and get me!’ Oracle did this and, on March 14, CERT (the U.S. government funded research and development centre operated by Carnegie Mellon University) announced a list of 37 vulnerabilities found in their Oracle9i Application Server and Oracle91 Database. If you buy software of any sort, do your research to see if there are vulnerabilities with the software and patch the product the moment patches become available.”
He also explained that when applications connect to databases, they use a statement called ODBC_connect or, for SQL Databases, the statement is usually SQL_connect. The problem is that these statements pass user name and password information to the database in order to gain access to the database, he warned. Since many databases do not support encrypted communication, those user names and passwords are passing across the connection in clear text. As a result, anyone on a machine on the same segment will be able to sniff the traffic and discover the authentication information, he cautioned.
“One way around the clear text problem is to use SSH,” he suggested, referring to the secure log-on based on Secure Shell from SSH Communications Security, Inc. “SSH is a protocol that is used to encrypt all traffic, regardless of underlying protocol. As a result, the communication between the clients and the databases can be hidden from unauthenticated users.”
More information on SSH can be found at www.openssh.com, an open source provider of SSH solutions.
“Another way around the problem is to force the database to only accept encrypted information into its database,” he added. “As a result, all traffic that is sent to the database will need to be encrypted. The problem with this solution is that the transactions with the database will slow down since there are the extra steps of encryption and decryption.”