Farooq
Your statement might lead someone to believe that just using BSD or Linux makes you safe. I believe that a shift to Linux or BSD can also potentially open similar serious security issues. The staff must be well versed in these OSs and the hardening and security process for them. Either that, or they should outsource the secure operation of the servers to someone with a clue.
--
Muhammad Saqib Ilyas
PhD Student, Computer Science and Engineering
Lahore University of Management Sciences
On Mon, Sep 12, 2011 at 10:56 PM, Muhammad Farooq-i-Azam <farooq_a_azam@yahoo.com> wrote:
I have gone through your entire report and it was interesting to note that critical operations such as the CA were running on Windows machines. People who *know* the state of security of a Windows machine would NEVER trust it to be deployed for such a task. Let me say, quite humbly, that the people running this operation need a bit of further training on security. What I can't believe is that there was NO antivirus software installed and that the software was not patched, which should be a bare minimum for such an operation.
* For such a critical system, one would rather not depend on antivirus alone. A more elaborate network- and host-based IDS should be in place.
* The only recommended operating systems for such critical tasks are OpenBSD or FreeBSD, or a Linux machine at the least. The advantage is that you can customize such a system for CA operation by turning off all the unnecessary software. Windows runs a lot of bloatware, which increases the possible points of intrusion on systems running this operating system.
* I would be foolish to use my own IP addresses to make intrusion attempts into a system. I would rather *own* another machine, maybe in another country, which in this case may be Iran, and then launch my attacks from that owned machine. So, attacks originating from IP addresses located in Iran do not necessarily mean that the attackers are also located within that geographical territory. If I wanted to intercept communications in a country xyz, I would rather own some zombies in that country xyz and then launch attacks from those owned machines.
* The certificates obtained by the attackers could only be used against advanced users who know certificates and security. Novice and normal users can normally be lured into using a locally made fake certificate signed by your own CA, in which case browsers normally give an initial warning and, if the user agrees, let the user go on using that certificate for the session.
* Currently, only Gmail encrypts the entire email communication as a free service. Hotmail and Yahoo only encrypt the initial login session. The sent and received emails are still in cleartext and could be intercepted without the need for any fake certificates. Therefore, only Gmail could be a possible target IF email interception was the goal of the attackers.
Best wishes
--
Muhammad Farooq-i-Azam
--- On Thu, 9/8/11, qureshi ahmed <saffafali@gmail.com> wrote:
From: qureshi ahmed <saffafali@gmail.com>
Subject: [pakgrid] Security Breach Analysis - Your Input Required
To: pakgrid@yahoogroups.com
Date: Thursday, September 8, 2011, 9:05 AM
Hi! I am analysing a security breach, and trying to figure out the severe flaw. Below is the link where you can find the incident report (it is not very detailed). Section 4.4 describes the network infrastructure and some design flaws. From my understanding, the severe security flaw could be the poor authentication mechanism with weak passwords (which actually allows the hacker to gain full control of the domain), besides other design flaws. I will really appreciate your inputs in order to understand and conclude my analysis.
Best Regards
Syed Affaf Ahmed Qureshi