File changes: what constitutes a high-risk file change. If you have been following along with parts 1 and 1.1, what we have is a list of file changes: every file modified, deleted, or added by installing a piece of software. As before, we obtained this list by running InstallWatch.
First, let's look at some guidance from the source itself, Microsoft. The Windows logo program is a Microsoft certification that basically says the software follows good programming guidelines and is compatible with the Microsoft Windows operating system. This document is the specification for the XP logo program (if you are looking for the Vista one, it's here). These are the requirements from the logo document that apply:
2.1 Do not attempt to replace files that are protected by Windows File Protection (.sys, .dll, .exe, .ocx OS files)
2.3 Do not overwrite non-proprietary files with older versions
2.5 Install to Program Files by default
3.1 Default to the correct location for storing user-created data
3.2 Classify and store application data correctly
From these requirements, two general rules can be developed:
- All files written to the Program Files folder are considered okay (provided they land in the product's own folder, which is checked below)
- Review the files written everywhere else
Just using these two rules reduces our list from a couple of hundred changes to only 10 - 20 that need review. Again I use Excel to filter down the results.
Basically the Excel sheet logs every folder under Program Files in which file changes are made; by doing this we can quickly check that the program is not writing into another program's folder.
The second list created (usually a short one, ~10-20 entries) holds all the files and paths modified, created, or deleted outside the Program Files folder. Focus especially on changes made to the Windows directory (windows, system32, ...); for these I use Google to look up the .dll and .ocx files that are installed, in order to determine what function they provide. I have come across software that installs hundreds of files into the system32 folder; I then go back to the people requesting the software and ask them to find something else, as this software does not follow good programming practices and is a risk to the secure system.
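The two rules above, the per-folder log for Program Files, and the Windows-directory check, written out in Python as an added example (this is not the post's Excel script and is not part of the original). The change-list format below ("<ACTION>|<path>", one change per line) is constructed for the example and is not InstallWatch's real export format, so parse_export() is the part to adapt; the product folder name ExampleApp and every path are made up. It also flags one thing the Excel rules do not: a modified or deleted .sys/.dll/.exe/.ocx under the Windows directory, which is a candidate violation of logo requirement 2.1.

```python
"""File-change triage for an install change list (added example).

The change-list format ("<ACTION>|<path>", one per line) is a constructed
stand-in for an InstallWatch text export; adapt parse_export() to the real
export. Product name and every path below are made up.
"""
from collections import Counter

# Assumed locations; adjust for other drives or "Program Files (x86)".
PROGRAM_FILES = r"c:\program files"
WINDOWS_DIR = r"c:\windows"
# Extension list from logo requirement 2.1 (Windows File Protection).
WFP_EXTENSIONS = (".sys", ".dll", ".exe", ".ocx")

# Constructed sample export, not real InstallWatch output.
SAMPLE_EXPORT = r"""
ADDED|C:\Program Files\ExampleApp\app.exe
ADDED|C:\Program Files\ExampleApp\lib\helper.dll
MODIFIED|C:\Program Files\OtherVendor\Viewer\viewer.ini
ADDED|C:\WINDOWS\system32\vendorhook.dll
MODIFIED|C:\WINDOWS\system32\drivers\etc\hosts
ADDED|C:\Documents and Settings\All Users\Start Menu\Programs\ExampleApp.lnk
DELETED|C:\WINDOWS\system32\msvcrt.dll
"""


def parse_export(text):
    """Return (ACTION, path) pairs from the constructed export format."""
    changes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        action, path = line.split("|", 1)
        changes.append((action.strip().upper(), path.strip()))
    return changes


def _under(path_lower, folder):
    return path_lower.startswith(folder + "\\")


def triage(changes, product_folder):
    """Sort file changes into the buckets the two rules produce.

    ok                   - inside the product's own Program Files folder
    other_program_folder - inside Program Files, but another product's folder
    windows_dir          - anything under the Windows directory (review first)
    protected_replaced   - a .sys/.dll/.exe/.ocx under Windows modified or
                           deleted, i.e. a candidate WFP violation
    review               - everything else outside Program Files
    program_files_folders counts changes per top-level Program Files folder,
    the list the post keeps in Excel.
    """
    out = {"ok": [], "other_program_folder": [], "windows_dir": [],
           "protected_replaced": [], "review": [],
           "program_files_folders": Counter()}
    product_folder = product_folder.lower()
    for action, path in changes:
        low = path.lower()
        if _under(low, PROGRAM_FILES):
            top = low[len(PROGRAM_FILES) + 1:].split("\\", 1)[0]
            out["program_files_folders"][top] += 1
            bucket = "ok" if top == product_folder else "other_program_folder"
            out[bucket].append((action, path))
        elif _under(low, WINDOWS_DIR):
            out["windows_dir"].append((action, path))
            if action in ("MODIFIED", "DELETED") and low.endswith(WFP_EXTENSIONS):
                out["protected_replaced"].append((action, path))
        else:
            out["review"].append((action, path))
    return out


if __name__ == "__main__":
    result = triage(parse_export(SAMPLE_EXPORT), "ExampleApp")
    for bucket in ("protected_replaced", "windows_dir",
                   "other_program_folder", "review"):
        print("== %s (%d)" % (bucket, len(result[bucket])))
        for action, path in result[bucket]:
            print("  %-8s %s" % (action, path))
    print("== Program Files folders touched:",
          dict(result["program_files_folders"]))
```

On the constructed sample this leaves four entries to look at by hand (three under the Windows directory, one under Documents and Settings), one write into another vendor's Program Files folder, and one deleted protected file; the two writes into the product's own folder are accepted without review, exactly as the rules say.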
You should have anti-virus software on the computer; it should alert you if any of the installed files are known to be malicious. Remember, the point of this exercise is not to determine whether the software is malicious, but to get a general idea of how the software operates and whether it changes the security of our secure system. We are performing a quick risk assessment of a piece of software against our secure system.
A book that covers this subject is Professional Windows Desktop and Server Hardening by Roger A. Grimes. This book talks about malicious files and has a companion website with downloadable files; one file to look at is the MasterTable file.
Another test that should be performed is to see whether the software can run as a limited user under Windows XP. Log into the computer as a limited user and run the program to see if it runs without errors. If a program cannot run without administrator privileges, consider this a risk to the system: for a secure system, all users on the network should be logging in as standard users.
Saturday, December 29, 2007
Software Assessment 1.2
Posted by ecore at 7:27 PM
Labels: computer security, software assessment, windows file system
Friday, December 21, 2007
Software Assessment 1.1
Understanding the Windows registry. This follows the previous post, Software Assessment 1. What we have done is install the software under InstallWatch, which gave us a listing of all deleted, added, and modified registry keys and files. Now it's time to process this information. Let's talk about the Windows registry. Basically the registry is just a database that holds settings for the operating system and the installed software. The five main trees (root keys) of the registry are:
- HKEY_CLASSES_ROOT
- HKEY_CURRENT_USER
- HKEY_LOCAL_MACHINE
- HKEY_USERS
- HKEY_CURRENT_CONFIG
I don't have a link for HKEY_USERS, but basically it just contains a subkey for each loaded user profile. So this information is nice and good, but how does it help? With a typical software installation you might see about 10,000 registry changes. The proper thing would be to go through each one and ensure that the change does not affect the security of our machine, but in the real world there is not enough time. So I have broken the task down as follows:
HKEY_CLASSES_ROOT is not a separate store: it is a merged view of HKEY_LOCAL_MACHINE\Software\Classes (machine-wide registrations) and HKEY_CURRENT_USER\Software\Classes (per-user registrations). Anything written to HKEY_CLASSES_ROOT is actually stored in one of those two places, so every HKEY_CLASSES_ROOT change in the InstallWatch list appears a second time under its real location. So we will ignore all HKEY_CLASSES_ROOT entries and review the changes where they really live.
Then I like to focus in on these keys:
HKEY_LOCAL_MACHINE\Hardware\ - hardware changes
HKEY_LOCAL_MACHINE\SAM\ - account changes
HKEY_LOCAL_MACHINE\Security\ - security settings
HKEY_LOCAL_MACHINE\System\ - contains information about the system and system configuration
Changes in these keys can render the system inoperable or change its security. Review all changes made in the above areas.
A key to look out for is:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (and RunOnce): programs listed here are started automatically at logon. The per-user equivalents, HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run and RunOnce, do the same for that one user, so watch for them when reviewing HKEY_USERS below.
HKEY_CURRENT_CONFIG is basically the current hardware profile. I usually review these changes to see what is going on. An example of something to look for is HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\, which holds the TCP/IP parameters. Info on CurrentControlSet.
It should be noted that HKEY_CURRENT_CONFIG is a link to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current.
Our last two are HKEY_USERS and HKEY_CURRENT_USER. HKEY_CURRENT_USER is actually a link to the subkey of HKEY_USERS named after the SID of the logged-on user (HKEY_USERS\<SID>), so the same data appears in both places. To make things easier I would just review the changes made to HKEY_USERS to see if anything seems out of place.
So basically you can now sort the information into two categories:
- HKEY_LOCAL_MACHINE\Software\Classes
- Everything else (except HKEY_CLASSES_ROOT, which is already covered by the first category).
The HKLM\Software\Classes keys contain the file-type and COM registration information for the software you are installing; they usually do not affect the security of the machine, though they can affect compatibility. The entries worth a second look are those that modify an existing file type or CLSID rather than add a new one, since that is how a program changes what runs when another program's files are opened. I do keep a log of them as reference if a question arises.
If you want to do an in-depth analysis, then you should check each key to ensure that this program is not affecting another already installed program. I find that by splitting the keys into these two categories we go from about 10,000 keys to review to 30-40. Basically, just by looking at the keys it is easy to determine what they are doing, or use Google!
So how do we parse the big list? With the power of Excel, of course. I have an automated script that imports the output from InstallWatch and performs the following:
1. Ignore all HKEY_CLASSES_ROOT entries
2. Log all HKEY_LOCAL_MACHINE\Software\Classes\*\*\ entries truncated to 5 places; if another key change is the same to 5 places, we ignore it as a duplicate
3. Log anything else truncated to 5 places (*\*\*\*\*\); again, if another key change is the same to 5 places, we ignore it
4. Separate the entries from steps 2 and 3 into 2 different spreadsheets
5. Review only the entries from step 3, to see if any key changes affect the security of the system.
Is this perfect? Not always, but it allows us to assess the software in a relatively short time frame, when we just need to understand how the software will affect our secure system. We also end up with log files that we can go back to and review if a problem arises.
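The five steps above in Python, as an added example that is not the author's Excel script and is not part of the original post. The input format ("<ACTION>|<key path>", one change per line) and every key in the sample are constructed, so parse_export() is the part to adapt to the real InstallWatch export. The watch list is the set of keys this post singles out plus the per-user Run keys under HKEY_USERS\<SID>. One thing the example does differently from a literal reading of the steps: it matches the watch list against the full key before truncating, because truncating to 5 places folds the Run subkey into its parent CurrentVersion and the flag would otherwise be lost.

```python
"""Registry-change triage: the five-step sort from the post (added example).

Input format ("<ACTION>|<key path>", one per line) is a constructed stand-in
for an InstallWatch registry export; adapt parse_export(). All keys are made up.
"""

# Keys the post singles out, plus the per-user Run keys. '*' matches exactly
# one path component (here the user's SID under HKEY_USERS).
WATCH_LIST = [
    (r"HKEY_LOCAL_MACHINE\Hardware", "hardware"),
    (r"HKEY_LOCAL_MACHINE\SAM", "accounts"),
    (r"HKEY_LOCAL_MACHINE\Security", "security settings"),
    (r"HKEY_LOCAL_MACHINE\System", "system configuration"),
    (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters", "tcp/ip parameters"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "auto-run"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce", "auto-run"),
    (r"HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run", "auto-run (per user)"),
    (r"HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\RunOnce", "auto-run (per user)"),
]
CLASSES_PREFIX = r"HKEY_LOCAL_MACHINE\Software\Classes"

# Constructed sample export, not real InstallWatch output.
SAMPLE_EXPORT = r"""
ADDED|HKEY_CLASSES_ROOT\.exm
ADDED|HKEY_CLASSES_ROOT\ExampleApp.Document\shell\open\command
ADDED|HKEY_LOCAL_MACHINE\Software\Classes\.exm
ADDED|HKEY_LOCAL_MACHINE\Software\Classes\ExampleApp.Document\shell\open\command
ADDED|HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32
ADDED|HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\ProgID
ADDED|HKEY_LOCAL_MACHINE\Software\ExampleVendor\ExampleApp\Settings\Paths
ADDED|HKEY_LOCAL_MACHINE\Software\ExampleVendor\ExampleApp\Settings\Updates
ADDED|HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
MODIFIED|HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
ADDED|HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ExampleSvc\Parameters
ADDED|HKEY_USERS\S-1-5-21-1-2-3-1001\Software\ExampleVendor\ExampleApp
"""


def parse_export(text):
    """Return (ACTION, key) pairs from the constructed export format."""
    changes = []
    for line in text.splitlines():
        if line.strip():
            action, key = line.split("|", 1)
            changes.append((action.strip().upper(), key.strip()))
    return changes


def components(key):
    return [c for c in key.split("\\") if c]


def matches(comps, pattern):
    """Case-insensitive prefix match on path components; '*' matches any one."""
    pat = components(pattern)
    if len(comps) < len(pat):
        return False
    return all(p == "*" or p.lower() == c.lower() for p, c in zip(pat, comps))


def labels_for(key):
    """Watch-list labels that apply to the full (untruncated) key."""
    comps = components(key)
    return {label for pattern, label in WATCH_LIST if matches(comps, pattern)}


def triage(changes, depth=5):
    """Steps 1-4: drop HKCR, truncate to `depth` places, dedupe (registry
    paths are case-insensitive, so dedupe on the lower-cased path), and split
    Software\\Classes from everything else. Step 5 is the human review of
    result["review"], helped by the watch-list labels."""
    result = {"ignored_hkcr": 0, "classes": {}, "review": {}}
    for action, key in changes:
        comps = components(key)
        if comps[0].upper() == "HKEY_CLASSES_ROOT":
            result["ignored_hkcr"] += 1
            continue
        truncated = "\\".join(comps[:depth])
        bucket = result["classes"] if matches(comps, CLASSES_PREFIX) else result["review"]
        entry = bucket.setdefault(truncated.lower(), {
            "key": truncated, "actions": set(), "labels": set(), "count": 0})
        entry["actions"].add(action)
        entry["labels"] |= labels_for(key)
        entry["count"] += 1
    return result


if __name__ == "__main__":
    r = triage(parse_export(SAMPLE_EXPORT))
    print("ignored HKEY_CLASSES_ROOT entries:", r["ignored_hkcr"])
    print("Software\\Classes entries (logged, not reviewed):", len(r["classes"]))
    print("entries to review:")
    for e in r["review"].values():
        flags = ", ".join(sorted(e["labels"])) or "-"
        print("  %-3d %-10s %-36s %s" % (e["count"], "/".join(sorted(e["actions"])), flags, e["key"]))
```

On the constructed sample the twelve changes collapse to three logged Classes entries and five entries to review, of which three carry a label: the Run key, the Tcpip\Parameters change (labelled both as system configuration and as TCP/IP parameters), and a new service's Parameters key under HKLM\System.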
Two good books on this subject are:
Mastering Windows XP Registry by Peter Hipson
Professional Windows Desktop and Server Hardening by Roger A. Grimes. This book has a companion website with downloadable files; one file to look at is the MasterTable file. Happy Registry Analyzing!
Posted by ecore at 5:31 PM
Labels: computer security, software assessment, windows registry
Wednesday, December 12, 2007
Software Risk Assessment - 1
At some point, if you work in the computer security arena, you will be asked: "Hey, we just got some software, can you check it out to see if it is okay to use?" So what do you do?
This task can be broken down into three parts: determine how the software affects the computer, determine the software's vulnerabilities, and determine the network resources required to operate the software. As a side note, I am going to limit this discussion to Windows, since that is 90% of the world and what you often see in the business environment. Also, the focus is on desktop software; web and server software is a whole other ballpark. One more assumption: the source code is not available to us.
The first step; determine how the software modifies the computer’s current configuration.
There are a couple of ways to track changes in Windows by hand:
- Use regedit to export the registry settings
- Install the software
- Use regedit to export the registry settings again
- Use windiff to find the differences between the two registry files
- Determine file changes by using the Search command to search for all files (*.*), selecting "when it was modified" and entering the date the software was installed. Then sort the search results by date modified; using the timestamps you can tell which files were modified by the installation. Note that a search by modification date cannot show files the installer deleted, so that method is a lower bound on the file changes.
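The windiff step of the manual method, done as a structured comparison instead of a line diff, as an added example (not part of the original post). Parsing both exports into key/value pairs before comparing means a value that merely moved, or a hex value that regedit wraps across several lines, does not show up as a false difference. The two exports below are constructed, trimmed-down samples with made-up keys, not captures from a real machine; read_reg_file() is for the real thing and assumes regedit's version 5.00 export encoding.

```python
"""Diff two regedit exports (added example of the manual method above).

regedit's "Windows Registry Editor Version 5.00" exports are UTF-16LE text
with a BOM; older REGEDIT4 exports are ANSI. Both samples here are
constructed, trimmed-down exports with made-up keys.
"""
import re

# "name"=data, with backslash-escaped characters allowed inside the name.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

BEFORE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\OldVendor\Tool]
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"="%SystemRoot%\\System32\\drivers\\etc"
"EnableICMPRedirect"=dword:00000001
"""

AFTER_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleApp]
"InstallDir"="C:\\Program Files\\ExampleApp"
"Blob"=hex:01,02,\
  03,04

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ExampleUpdater"="\"C:\\Program Files\\ExampleApp\\updater.exe\" /background"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DataBasePath"="%SystemRoot%\\System32\\drivers\\etc"
"EnableICMPRedirect"=dword:00000000
"""


def read_reg_file(path):
    """Read a regedit export from disk, handling the UTF-16 BOM of 5.00 files."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; '@' is the default value.

    Data is kept as the literal text after '=' (e.g. 'dword:00000001'); that
    is enough to tell changed from unchanged, which is all a diff needs.
    """
    keys = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        # hex data is wrapped by regedit; each wrapped line ends in a backslash
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        if current is None:
            raise ValueError("value line before any key: %r" % line)
        if line.startswith("@="):
            name, data = "@", line[2:]
        else:
            m = VALUE_RE.match(line)
            if not m:
                raise ValueError("unparseable value line: %r" % line)
            name, data = m.group(1), m.group(2)
        keys[current][name] = data
    return keys


def diff_reg(before, after):
    """Report keys and values added, removed, or changed between two parses."""
    report = {"keys_added": [], "keys_removed": [], "values_added": [],
              "values_removed": [], "values_changed": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            report["keys_added"].append(key)
            for name, data in sorted(after[key].items()):
                report["values_added"].append((key, name, data))
            continue
        if key not in after:
            report["keys_removed"].append(key)
            continue
        b, a = before[key], after[key]
        for name in sorted(set(b) | set(a)):
            if name not in b:
                report["values_added"].append((key, name, a[name]))
            elif name not in a:
                report["values_removed"].append((key, name, b[name]))
            elif a[name] != b[name]:
                report["values_changed"].append((key, name, b[name], a[name]))
    return report


if __name__ == "__main__":
    report = diff_reg(parse_reg(BEFORE_EXPORT), parse_reg(AFTER_EXPORT))
    for kind, items in report.items():
        print("== %s (%d)" % (kind, len(items)))
        for item in items:
            print("  ", " | ".join(item) if isinstance(item, tuple) else item)
```

For real exports, call diff_reg(parse_reg(read_reg_file("before.reg")), parse_reg(read_reg_file("after.reg"))). On the constructed samples the report shows one key added, one removed, a new auto-run value under CurrentVersion\Run, and a Tcpip parameter flipped from 1 to 0, which is exactly the kind of change the later posts say to review.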
Now that is one way, but an easier way is to use an automated program that performs all these steps at once. InstallWatch is a free program that tracks all registry and file changes and provides an easy-to-use interface. It also lets you export the data to a text file, for automated processing.
InstallWatch Process
- Install InstallWatch
- Use Installwatch to take a Snapshot of the computer
- Install the software
- Use Installwatch to take a Snapshot of the computer
- InstallWatch will automatically compare the two snapshots, and you can review the results
Posted by ecore at 8:51 PM
Labels: risk assessment, software assessment, windows registry
Sunday, December 2, 2007
Wifi Pirate
Arr!!! I worked on this wifi project a while back. I had read on several sites about multiple people using satellite dishes to receive wifi signals over long distances. As it happens, I had a JVC satellite dish lying around. My goal was to see if I could create a connection to the coffee shop (which has free wifi) that is ~5 miles away.
I built a cantenna and mounted it to the front of the dish with electrical tape, then mounted the dish on a swivel (the swivel was from a boat seat).
I tweaked the angle of the cantenna relative to the dish by first pointing the dish at my neighbor's wireless network, then using wood shims to lower or raise the angle of the can until I received the highest signal level. I was using NetStumbler with a Dell TrueMobile wireless card.
I was unable to receive the coffee shop's wifi signal, so what does a pirate do? Well, mount it on your pirate ship and sail the seas. So I ended up driving around with the dish just to see how many access points I could receive. After about 40 minutes I had already logged 200 access points, about half of them unsecured.
So does this work? Yes. Without the dish, with just the cantenna, I am able to pick up about 6 wireless signals; that number doubled once the cantenna was mounted on the dish. Some of the signals are very weak, but I was still able to receive them. Also, the dish setup has to be aligned exactly: half an inch off and the signal is completely gone, which is why I recommend mounting it on a swivel; this made aligning it a simple task. Next step: mount the dish on a motorized swivel. It would be great if the dish would auto-scan the area and find the best wifi signals to use.
Posted by ecore at 7:50 AM