Thursday, January 29, 2009

The All New Windows 7 - Security Review (Out of the box)

Ok, i've just had my hands on Windows 7 Beta DVD (thanks to Rizal from MS). I took some time to test the base operating system and try to put a review up in here for those who are interested to know what's installed for this new operating system from Microsoft.

Ok, in a few words, Win7 is like Vista on steriods. Faster, slickier and more customizable than Vista is and probably will ever be. From installation, boot to user interface and response time, i was fairly impressed. Windows 7 is far sexier. Vista attempted to be pretty but sacrificied performance, Windows 7 has a fine balance of both. Security wise, it creates an environment more customizable and user friendly and not scare people off like what Vista did sometimes. So, Windows 7 achieved a nice balance here too.

NOTE: This review is a standalone Windows 7 review without having enterprise features such as Active Directory integration, Network Access Protection, Centralized management etc..

Ok, here's what i was running. 
  • 784MB Ram
  • 2 Processors enable
  • VMWare 6.5.1
Please note the recommened specs for running Windows 7 and downloading beta can be found here

I used a VMWare Workstation, it's not the best platform to evaluate an operating system. I am referring to testing Vista on VM which was slow like helllll....

Ok, so the installation starts with a nice impressive screen. Took me roughly 45 minutes to finish it all. Screenies below:

Ok, as i said, in 45 minutes flat, i've got to login and use the OS. First thing when i finished installing, i had 3 important updates available already so i downloaded and installed them. The version i was running was built 7000.

So as seen in the screenie above, obviously there was some more work done after the public beta was made available. Out of those 3 updates none for the operating system itself. The only one from Microsoft itself comes for Media Player which some decoder renderation corruption fix. 

So, then i launced Internet Explorer, yes, IE 8 is installed by default (version beta 8.0.7000, RC1 wont install on Windows 7 for streamlined testing purpose). IE8 is significantly faster (warm and cold start time) compared to its predecessors. The features do make the internet a little bit more safer (check this review on IE8) . 

Points to note on IE8 i personally liked
  • Cold and warm starts faster than Google Chrome
  • Uses much less memory than Firefox
  • When freshly installed, it will present a wizard to take you through securing and personalizing IE
  • It has a "Safety" tab which you can access to quickly do stuff like clear history and turn on safe browsing feature called Smart Screen.
  • InPrivate browsing (like Chrome's Incognito Mode) - Allows to lauch a new windows but nothing gets cached, remembered etc (normally used for browsing porn etc..haha
Alright, lets look at Windows network security a little. I ran an NMAP on the out of the box install of Windows 7 with the following nmap command arguments:

Nmap scan: nmap -PE -PA21,23,80,3389 -A -v -T4

NMAP couldn't identify the OS fingerprint well simply because Windows firewall was turned on. So, i set my network location to be Home (thus relaxing the firewall setting etc). I ran the NMAP scan again and the only thing that poped up was this:
This is what Nmap found: 5357/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Which was not too bad considering UPnP is probably used to connect to other Windows machines to share music etc.

So, by design, Windows Firewall was turned on and even in "Home" mode, no risky services was published out. Which i thought was better than XP (Vista had it the same also)

So, now i turned off the firewall completely and ran the same scan/test:

Nmap found the following ports opened.
  • Discovered open port 49153/tcp on
  • Discovered open port 135/tcp on
  • Discovered open port 445/tcp on
  • Discovered open port 49155/tcp on
  • Discovered open port 49154/tcp on
  • Discovered open port 139/tcp on
  • Discovered open port 5357/tcp on
  • Discovered open port 49152/tcp on
  • Discovered open port 49156/tcp on

Those ports all are RPC/UPnP ports and are normal on Windows. By turning off the firewall, i couldn't find any other "weird"services running. NMAP discovered the OS to be Windows Vista SP0 or SP1 or Windows 2008 in its finger printing. Through NetBIOS we could find (of course) its Windows 7 7000.

Then i ran Nessus with latest plugin update as of 29 Jan 2009. The scan with all options enabled and with SMB password provided yielded almost the same result as Nmap. There were no vulnerabilities (probably none developed for Nessus yet) discovered for now and thus the it had 0 high, 0 medium and 22 low (10 open ports were found). The 22 low ones are service enumeration from NetBIOS. But of course. Nothing was discovered again when the firewall was turned on.

Note: Hundreds of scans were performed through Nessus including DoS attacks, common exploits, etc.. 

Ok, moving out of TCP-IP, i was poking around with a few more features of security that might be of interest to you:

Security that i liked in Windows 7:

  1. Microsoft delivered as promised - Windows 7 does come secure out of the box with enabled UAC, firewall, IE's Protected Mode, Action Center etc...
  2. Action Center - This combines all the security related tasks under one roof like Firewall, Malware protection, Restoration Points, backups, User Access Control, Troubleshooting these that i've just mentioned.
  3. Bitlocker now supports encryption of removable drives! (Finally!)
  4. UAC - UAC or User Access Control now can be customized to four settings basically to reduce any annoying messages from Windows that may look pretty serious and malicious but in actual fact you were just changing IP (like what happened in Vista..pff)
  5. Windows Vault - Where you can manage clear passwords, certificates and other Windows passwords within this vault therefore removing the need to install 3rd party tools

Well, there you have if (for now). I hope to get more apps installed and i hope to post the results of my outcome here as well.


Wednesday, January 21, 2009

World's Fastest MD5 Crack

Ever wondered what does this "463c8a7593a8a79078cb5c119424e62a" MD5 string mean? Well, i don't and will never (i am no God) probably.

Lets say you get your hands into a database which so calls hashed passwords using MD5 (without salts) and would like to reverse this hash (yes, i said reverse an MD5 hash-how kewl) then try this tool from Svarychevski Michail Aleksandrovich called BarsWF. Its by far the world's fastest Md5 cracker:

There are multiple versions, some use the power of your video card and some just the CPU to run the process.

AMD BROOK Beta 0.9: - ATi/AMD card 2xxx, 3xxx, 4xxx
BarsWF Brook x64
BarsWF Brook x32

CUDA 0.8: - nVidia GeForce 8xxx and up, at least 256mb of video memory.
BarsWF CUDA x64
BarsWF CUDA x32

SSE2: (P4, Core2Duo, Athlon64, Sempron64, Phenom)
BarsWF SSE x64
BarsWF SSE x32

It took me a couple of seconds to unhash "pass" and as i am writing this, i am trying to unhash another "complex" password of mine from an application that stores the passwords in MD5 (web based).

Check out my CPU and the application in action

Just download the appropriate version, or just use the SSE2 one if you are unsure and try to crack the hash "463c8a7593a8a79078cb5c119424e62a" as seen above. Location:

To give you a hint and make life easy, this MD5 just have alphabets in lowercase only :).

So, to run the tool with knowing the "hint" above (well in real life you won't really know but to just guess, of course, having more complex phrases and lenght will definately increase the time it will take to reverse)

BarsWF_SSE2_x32.exe -h 463c8a7593a8a79078cb5c119424e62a -c a
[the .exe] + -h [the hashed Md5 string] + -c [a]

-? Prints this help
-r Continue previous work from BarsWF updates it every 5 minutes or on exit
-h [hash] Set hash to attack
-c 0aA~ Set charset. 0 - digits, a - small chars , A - capitals, ~ - special symbols
-C "abc23#" Add custom characters to charset.
-X "0D0A00" Add custom characters in hex to charset.
-min_len 3 Minimal password length. Default 0. MAX 15!!! :-]

Once you've runned the command above, let me know the value of the Md5 string :). Have fun.

One tip, notice only 15 characters MAX, meaning, if you are planning to use MD5, encourage the use of >15 chars, it is computationally very very very hard to crack that in humanly possible time.

MD5 according to wiki: n cryptography, MD5 (Message-Digest algorithm 5) is a widely used cryptographic hash function with a 128-bit hash value. As an Internet standard (RFC 1321), MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files. However, it is now known to be partially insecure[1] thus reducing its suitability for these purposes. An MD5 hash is typically expressed as a 32 digit hexadecimal number.

Tuesday, January 20, 2009

How To Suck At Information Security

Hi guys, been a while, hope you are all well.. Thought of starting the new year with an interesting article from SANS..hope you enjoy it.

The following list presents common information security mistakes and misconceptions, so you can avoid making them.

Security Policy and Compliance

* Ignore regulatory compliance requirements.
* Assume the users will read the security policy because you've asked them to.
* Use security templates without customizing them.
* Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you're ready.
* Create security policies you cannot enforce.
* Enforce policies that are not properly approved.
* Blindly follow compliance requirements without creating overall security architecture.
* Create a security policy just to mark a checkbox.
* Pay someone to write your security policy without any knowledge of your business or processes.
* Translate policies in a multi-language environment without consistent meaning across the languages.
* Make sure none of the employees finds the policies.
* Assume that if the policies worked for you last year, they'll be valid for the next year.
* Assume that being compliant means you're secure.
* Assume that policies don't apply to executives.
* Hide from the auditors.

Security Tools

* Deploy a security product out of the box without tuning it.
* Tune the IDS to be too noisy, or too quiet.
* Buy security products without considering the maintenance and implementation costs.
* Rely on anti-virus and firewall products without having additional controls.
* Run regular vulnerability scans, but don’t follow through on the results.
* Let your anti-virus, IDS, and other security tools run on "auto-pilot."
* Employ multiple security technologies without understanding how each of them contributes.
* Focus on widgets, while omitting to consider the importance of maintaining accountability.
* Buy expensive product when a simple and cheap fix may address 80% of the problem.

Risk Management

* Attempt to apply the same security rigor to all IT assets, regardless of their risk profiles.
* Make someone responsible for managing risk, but don't give the person any power to make decisions.
* Ignore the big picture while focusing on quantitative risk analysis.
* Assume you don't have to worry about security, because your company is too small or insignificant.
* Assume you're secure because you haven’t been compromised recently.
* Be paranoid without considering the value of the asset or its exposure factor.
* Classify all data assets as "top secret."

Security Practices

* Don't review system, application, and security logs.
* Expect end-users to forgo convenience in place of security.
* Lock down the infrastructure so tightly, that getting work done becomes very difficult.
* Say "no" whenever asked to approve a request.
* Impose security requirements without providing the necessary tools and training.
* Focus on preventative mechanisms while ignoring detective controls.
* Have no DMZ for Internet-accessible servers.
* Assume your patch management process is working, without checking on it.
* Delete logs because they get too big to read.
* Expect SSL to address all security problems with your web application.
* Ban the use of external USB drives while not restricting outbound access to the Internet.
* Act superior to your counterparts on the network, system admin, and development teams.
* Stop learning about technologies and attacks.
* Adopt hot new IT or security technologies before they have had a chance to mature.
* Hire somebody just because he or she has a lot of certifications.
* Don't apprise your manager of the security problems your efforts have avoided.
* Don't cross-train the IT and security staff.

Password Management

* Require your users to change passwords too frequently.
* Expect your users to remember passwords without writing them down.
* Impose overly-onerous password selection requirements.
* Use the same password on systems that differ in risk exposure or data criticality.
* Impose password requirements without considering the ease with which a password could be reset.