‘Digital Prophecy’ – Server Virtualization Security survey results
Title inspired by ‘Hypocrisy’
I’m not really sure whether this is of value to anyone, but just in case I thought I’d publish the results of a survey I ran during 2009. Part of my MSc dissertation (Server virtualization security and its impact on compliance) was based on the results of this survey, and I want to once more thank everyone who participated. The information below is pretty much a copy of the dissertation appendix, so there is no commentary or interpretation of the results.
“In the course of this dissertation I’ve conducted a survey with the title ‘Server virtualization security and compliance’ consisting of 15 questions specifically crafted to address the key questions of my research. To encourage the target group to participate, the survey was broken down into multiple pages with a logical sequence of questions building on each other. None of the questions were mandatory to answer, to minimize the loss of respondents due to technical frustration. The survey ran for approximately 6 weeks and had been advertised to selected communities. The target groups have been carefully selected to ensure relevance and quality of the feedback.
Participation was requested through postings to the following groups:
- Certified Information Systems Security Professionals (Linkedin.com)
- Information Systems Security Association (LinkedIn.com)
- virtualization.info Vanguards (LinkedIn.com)
- NT System Admin (Sunbeltsoftware.com)
- VMWare Communities (VMWare.com)
Special thanks to Stu Sjouwerman and Alessandro Perilli for their support.
As expected with an uncomfortable topic like compliance, the response rate was quite low. After 6 weeks roughly 60 participants had filled out the survey in part or in full. The feedback was nevertheless highly valuable, considering that the respondents have real-world insider knowledge about the subject.
The following pages contain the results for all questions of the survey.”
‘Undo Control’ – The CCC and airport access controls
Title inspired by ‘Dark Tranquility’
So this is an interesting one: the CCC (Chaos Computer Club), well known to probably anyone who can spell ‘hacking’, did a field exercise at Hamburg airport following a talk given at the 26C3. The focus of their attention was the Legic Prime RFID-based access control system, which is the method of choice, not only at Hamburg airport, for controlling access to sensitive areas. Originally reported by Kontraste and later picked up by other news media, the two CCC members, Karsten and Henryk, used a close-proximity RFID device (likely a Proxmark 3) to read and replay security badges of staff members. Surprised at how easy it was, Karsten stated “It was easy to annul the system which surprised us a bit as it is marketed as security system and widely used. We were simply shocked that there were no further obstacles we had to overcome.” From the sound of it, this was as easy as standing close to airport staff (around 15 cm away) to read the badge and then just walking past the security checkpoint waving the copied tag.
Statements about this incident from the airport spokesperson are a bit unclear, but the baseline seems to be ‘Yeah, we know, it’s an old system, but we will not be able to replace it any time soon due to budget constraints. Sensitive areas will be guarded by staff members.’ Brilliant, I’m sure staff are much cheaper than technology – especially in Germany. I bet that goes down nicely at a time when half the planet is in heated discussions about ‘naked scanners’ and airport security in general.
‘Be quick or be dead’ – Catch a worm with file screening
Title inspired by ‘Iron Maiden’
It happens every now and then – you are looking for something on your file shares and notice one file that just doesn’t seem to fit in. They are usually executable files with rather obscure names (e.g. qZrkrf.exe) and most certainly have no business being on your servers. You realize that once again a worm made it into your environment and your trusted antivirus solution is not recognizing this variant yet – great.
This is probably a familiar scenario for most IT/security teams and doesn’t cause too much of a headache. Still, it would be nice to be a bit ahead of the curve and have some way to get an early warning without deploying complicated technology. One option that you might not think of right away is leveraging the Windows file screening functionality. Introduced in Windows 2003 R2, it provides a simple way to prevent users from storing certain file types on your shares… purposely or inadvertently. Jose Barreto provides a brilliant guide showing how to install and configure file screening, so I’ll keep the technical details brief.
For this purpose we are only interested in potentially malicious content. Windows already provides a file group that includes executable file types which is what we are looking for.
Even more convenient there already is a template we can use.
Really all we need to do is to select ‘Create File Screen’ in the action panel and choose ‘Block Executable files’ in the configuration section. This can be applied to the root of the share or any subdirectory. Keep in mind, however, that you can only directly apply one file screen per directory; higher-level screens will be inherited by lower-level directories.
Once it is applied, the server will no longer allow any of the file types listed in the group to be written to the directory and will present an ‘Access denied’ error. This is quite useful but probably won’t fly in most environments, as it restricts the user considerably.
Fine, we can’t prevent the potentially malicious file from being stored on the share, but we can at least make sure we know about it and raise a red flag that something is going on! All we need to do is to modify the properties of the file screen and select passive mode.
Assuming that the SMTP settings were configured (File Server Resource Manager/Configure Options) and the file screen is set up with an email address to reach the administrator, no executable file should find its way onto your server undetected going forward. As you can see from the picture below, the notification also shows the user account which is writing the file to the share, making it very easy to contact or cut off the culprit.
In most environments users are not supposed to store executable files on a regular basis, so the noise should be fairly low. The next time a worm goes undetected by your antivirus solution you will know about it pretty quickly as the notification messages pile up in your inbox. And all it cost was a couple of minutes’ configuration, which can even be automated.
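The same passive “early warning” screen, built with the FSRM PowerShell module as an added example (not code from the original post or from Jose Barreto’s guide). It assumes Windows Server 2012 or later, where the FileServerResourceManager module exists (the post walks through the 2003 R2 console); the share path, SMTP server and mail addresses are placeholders.

```powershell
# Added example: passive FSRM file screen that reports executables written to a share.
# Assumes Windows Server 2012+ with the FSRM role and PowerShell module installed.
Import-Module FileServerResourceManager

$SharePath  = 'D:\Shares\Public'          # placeholder: root of the share to watch
$SmtpServer = 'smtp.example.internal'     # placeholder: relay used by FSRM
$AdminMail  = 'secops@example.internal'   # placeholder: where the warnings go

# Global SMTP settings, the equivalent of "File Server Resource Manager/Configure Options".
Set-FsrmSetting -SmtpServer $SmtpServer `
                -FromEmailAddress 'fsrm@example.internal' `
                -AdminEmailAddress $AdminMail

# Notification actions. FSRM expands the bracketed variables when the event fires,
# which is how the message names the account that wrote the file.
$mail  = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
            -Subject 'Executable written to share on [Server]' `
            -Body    '[Source Io Owner] wrote [Source File Path] (screen: [File Screen Path]).'
# Second action: also log to the Application event log so a SIEM can pick it up.
$event = New-FsrmAction -Type Event -EventType Warning `
            -Body    'Executable written by [Source Io Owner]: [Source File Path]'

# -Active:$false creates a passive screen (notify, do not block), the post's "passive mode".
# "Executable Files" is the built-in file group that the "Block Executable Files" template uses.
New-FsrmFileScreen -Path $SharePath `
                   -IncludeGroup 'Executable Files' `
                   -Active:$false `
                   -Notification @($mail, $event) `
                   -Description 'Early warning for executables dropped on the share'

# Verify what was applied, then confirm that mail actually leaves the server.
Get-FsrmFileScreen -Path $SharePath | Format-List Path, Active, IncludeGroup
Send-FsrmTestEmail -ToEmailAddress $AdminMail
```

Because only one screen can be applied directly per directory, run this against the share root and rely on inheritance for subdirectories, as the post describes.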