
www.chmag.in

Aug 2013 | Page - 1


Oracle Hardening - Part 2


Introduction
While Oracle is designed to be "secure by default", this article explores a number of those defaults and the administrative settings that help minimise exposure. The strategies discussed here are options to consider rather than definitive rules to apply. In the previous article (June 2013 issue) I went through OS-level permissions for securing Oracle databases; this part takes you a step closer to a hardened Oracle installation and makes it harder for perpetrators to break into the system. The focus is on the initialisation parameters you need to consider: what each parameter does, why it should (or should not) be changed, and how the change is made. Oracle security parameters are covered in this part.

Abstract
The following template is used for each parameter:
WHAT: What the parameter is used for and where it can be found;
WHY: The reason you should consider changing (or not changing) it;
VERSION: The versions of Oracle it applies to;
COMMAND: The command to make the change (wherever applicable);
Thumb-rule: The information security cliché the setting follows (wherever applicable);
Recommended settings: A table of recommended settings, mostly combined for several parameters of a similar type (wherever applicable).

Solution
As mentioned above, let us start with the important OS-related security parameters of the Oracle Database.

O7_DICTIONARY_ACCESSIBILITY
WHAT: Controls restrictions on SYSTEM privileges. If the parameter is set to TRUE, system privileges that allow access to objects in "any schema" also allow access to objects in the SYS schema. The default setting is FALSE, in which case such privileges do not extend to the SYS schema.
WHY: Unauthorised or inadvertent access to, and changes of, the data dictionary.
Thumb-rule: Least privileges
VERSION: ALL
COMMAND: Log in as SYSDBA and execute ALTER SYSTEM as:


ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY = FALSE SCOPE=SPFILE;
P.S: FALSE is the hardened (and default) value; the parameter is static, so the change takes effect on the next restart.

_TRACE_FILES_PUBLIC
WHAT: Some errors in Oracle lead to the generation of trace files, and they can also be generated deliberately after enabling the SQL_TRACE parameter. All trace files are written to the directory given by the USER_DUMP_DEST or BACKGROUND_DUMP_DEST parameter (for example /opt/oracle/ora11g/admin/orcl/udump). By default trace files are readable and writable by the Oracle software owner, readable by the group of the Oracle installation, and not readable by other users. Oracle applies these permissions through the hidden parameter _TRACE_FILES_PUBLIC; because of it, trace files carry no read permission for other users or the public.
P.S: The default value of _TRACE_FILES_PUBLIC is FALSE. Changing it is not recommended.
WHY: Trace files may contain important information about database security or sensitive details of the data.
Thumb-rule: Need-to-know privileges
VERSION: ALL
COMMAND: Log in as SYSDBA and execute ALTER SYSTEM as (the leading underscore marks a hidden parameter, so the name must be double-quoted):
ALTER SYSTEM SET "_trace_files_public" = TRUE SCOPE=SPFILE;
P.S: After _TRACE_FILES_PUBLIC has been changed to TRUE, newly generated trace files will have read permission for other users and the public.

USER_DUMP_DEST
WHAT: Specifies the directory in which the server writes debugging trace files on behalf of a user process. The value should never be set to *.
WHY: Trace files may contain important information about database security or sensitive details of the data.
VERSION: ALL
COMMAND: The parameter can be set in the initialisation file as user_dump_dest = 'directory', e.g. user_dump_dest = 'R:\Oracle\Admin\NT92001\udump'. It can also be set at system level, e.g.:
ALTER SYSTEM SET user_dump_dest = 'Q:\Udump';

UTL_FILE_DIR
WHAT: Specifies one or more directories that Oracle should use for PL/SQL file I/O. The value should never be set to *.
WHY: All users can read or write every file in the directories listed by this parameter. A value of * therefore means the UTL_FILE package can be used to write to any directory on the system where the Oracle software owner has write permission. Great!!
VERSION: ALL
COMMAND: The parameter can be set in the initialisation file as utl_file_dir = 'directory'.


P.S: Quite often utl_file_dir is set to the same directory as user_dump_dest. If that is the case it becomes possible, through UTL_FILE, to read trace files one would not ordinarily have access to. UTL_FILE_DIR and USER_DUMP_DEST should therefore never be the same.

RESOURCE_LIMIT
WHAT: Specifies whether the resource limits defined in database profiles are enforced. The value should be set to TRUE.
WHY: This is not so much a security issue as a performance issue: if set to FALSE, the limits specified in profiles are not applied to users.
VERSION: ALL
COMMAND: This parameter can be set at system level, e.g.:
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

TRANSACTION_AUDITING
WHAT: TRANSACTION_AUDITING should be set to TRUE. When a transaction starts, Oracle then generates a special redo record containing the user logon name, the user name, the session ID, some operating-system information and client information. For each successive transaction Oracle generates a record that contains only the session ID; these subsequent records link back to the first record, which also contains the session ID.
WHY: If set to FALSE this redo record is not generated, which matters if you use redo log analysis tools.
VERSION: ALL
COMMAND: This parameter can be set at system level, e.g.:
ALTER SYSTEM SET TRANSACTION_AUDITING = TRUE;

REMOTE_OS_AUTHENT
WHAT: Specifies whether remote clients are authenticated using the value of the OS_AUTHENT_PREFIX parameter.
WHY: Allowing a remote operating system to vouch for a user without any intervention by the database can be very risky.
VERSION: ALL
COMMAND: This parameter can be set at system level, e.g. (it is a static parameter, so it takes effect after a restart):
ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE SCOPE=SPFILE;
P.S: The remote_os_authent parameter has been deprecated in Oracle 11g, and a safer method is now used.

These are some of the important OS parameters; the next article will focus on permissions on Oracle tables and packages.

About the Author

Ajinkya Patil
http://avsecurity.in

Ajinkya is an Information Security professional with experience in web application security, IT governance reviews, network security, and database and OS security. He holds the CISA certification (ISACA) and an Information Security Management certification, and is listed in the BlackBerry (RIM) Hall of Fame.
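As an added example for the Oracle parameters covered above (not part of the article, and not Oracle's own tooling), the following Python script audits a plain-text parameter file (pfile / init.ora) against the recommendations: O7_DICTIONARY_ACCESSIBILITY and _TRACE_FILES_PUBLIC must be FALSE, USER_DUMP_DEST and UTL_FILE_DIR must never be * and must not point at the same directory, RESOURCE_LIMIT and TRANSACTION_AUDITING must be TRUE, and REMOTE_OS_AUTHENT must be FALSE. The sample file is constructed, and the defaults assumed for parameters the article does not state a default for are my assumptions.

```python
"""Audit an Oracle pfile against the hardening recommendations above.

Added example, not the article's code. Assumptions: one NAME = VALUE per
line, '#' starts a comment, values may be quoted. The sample pfile below
is constructed for the demo and deliberately contains weak settings.
"""
import re

SAMPLE_PFILE = """\
# constructed init.ora for the demo
db_name = orcl
O7_DICTIONARY_ACCESSIBILITY = TRUE
_trace_files_public = TRUE
user_dump_dest = '/opt/oracle/ora11g/admin/orcl/udump'
utl_file_dir = '/opt/oracle/ora11g/admin/orcl/udump'
resource_limit = FALSE
remote_os_authent = TRUE
"""

_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_pfile(text):
    """Return {lower-case name: unquoted value} for every NAME = VALUE line.
    Comment and blank lines are skipped; surrounding quotes are removed."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = _LINE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip().strip("'\"")
        params[name] = value
    return params


def audit_params(params):
    """Apply the article's recommendations and return a list of
    (PARAMETER, finding) tuples for every setting that deviates.

    Parameters absent from the file are compared against a default:
    the article states FALSE for O7_DICTIONARY_ACCESSIBILITY and
    _TRACE_FILES_PUBLIC; the other defaults are my assumptions."""
    findings = []

    def val(name, default):
        return params.get(name, default).upper()

    if val("o7_dictionary_accessibility", "FALSE") != "FALSE":
        findings.append(("O7_DICTIONARY_ACCESSIBILITY",
                         "TRUE lets 'ANY' privileges reach the SYS schema; set FALSE"))
    if val("_trace_files_public", "FALSE") != "FALSE":
        findings.append(("_TRACE_FILES_PUBLIC",
                         "trace files become world-readable; set FALSE"))
    for name in ("user_dump_dest", "utl_file_dir"):
        if params.get(name, "") == "*":
            findings.append((name.upper(), "value '*' must never be used"))
    udd, ufd = params.get("user_dump_dest"), params.get("utl_file_dir")
    if udd and ufd and udd.rstrip("/\\") == ufd.rstrip("/\\"):
        findings.append(("UTL_FILE_DIR",
                         "same directory as USER_DUMP_DEST; UTL_FILE can read trace files"))
    if val("resource_limit", "FALSE") != "TRUE":
        findings.append(("RESOURCE_LIMIT", "profile limits are not enforced; set TRUE"))
    if val("transaction_auditing", "TRUE") != "TRUE":
        findings.append(("TRANSACTION_AUDITING", "logon redo record not generated; set TRUE"))
    if val("remote_os_authent", "FALSE") != "FALSE":
        findings.append(("REMOTE_OS_AUTHENT", "remote OS identity is trusted; set FALSE"))
    return findings


if __name__ == "__main__":
    for parameter, finding in audit_params(parse_pfile(SAMPLE_PFILE)):
        print(f"{parameter}: {finding}")
```

Run against the constructed sample the script reports five findings (everything except TRANSACTION_AUDITING, which is absent and therefore assumed at its default). On a live system the same checks can be made against V$PARAMETER instead of the file, remembering that hidden parameters such as _TRACE_FILES_PUBLIC are not listed there.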


DSCI Security Framework for ISO 27001 Implementers


DSCI (Data Security Council of India), a NASSCOM body, has been set up as an independent self-regulatory organisation to promote data protection, develop security and privacy best practices and standards, and encourage Indian industry to implement them [1]. DSCI has developed best practices for data protection in the form of two frameworks:
1. The Privacy Framework;
2. The Security Framework.
We will discuss the DSCI Security Framework (DSF from here onwards) for now (the Privacy Framework will be discussed in subsequent articles) and its relevance for ISO 27001 implementers. The DSF has been developed as 16 disciplines, each with 4 layers, that need to be implemented or established to help organisations implement information security. The discipline-centric approach helps align an organisation's thought process to the market and supports a maturity-based approach to both implementation and assessment.

The 16 disciplines are as follows:
1. Security Strategy and Policy (SSP)
2. Security Organizations (SEO)
3. Asset Management (ASM)
4. Governance Risk and Compliance (GRC)
5. Infrastructure Security (INS)
6. Application Security (APS)
7. Secure Content Management (SCM)
8. Threat and Vulnerability Management (TVM)
9. User Access and Privilege Management (UAP)
10. Business Continuity and Disaster Recovery Management (BDM)

[1] http://www.dsci.in/about-us


11. Security Audit and Testing (SAT)
12. Security Monitoring and Incident Management (MIM)
13. Physical and Environmental Security (PEN)
14. Third Party Security Management (TSM)
15. Personnel Security (PES)
16. Data Security (DSC)

The four layers into which each discipline is divided are:
1) Approach: describes the discipline and sets the expectations and the rationale behind its inclusion;
2) Strategy: policy statements on implementing the discipline, to help senior and middle management set an appropriate direction for its successful implementation;
3) Best Practices: details some of the best practices observed over time across industries for this discipline;
4) Maturity: identifies and articulates characteristics of the discipline that show its evolution within an organisation.

Benefits of the DSCI Privacy and Security Frameworks:
1. The discipline-based approach helps align an organisation to market realities;
2. The layered approach helps in implementation and in client assurance: in light of recent regulations, security and privacy programmes have been implemented in many organisations across the country, both as due diligence and to provide clients with appropriate assurance regarding the security and privacy of their data.

Improvements Wishlist:
1. A maturity model would be a welcome move (e.g. similar to ISM3 and SSE-CMM);
2. Awareness across the ecosystem needs to be strengthened (expect more traction in the coming days as the system is new).

DSF and ISO 27001
For ISMS implementers the framework offers important guidance towards implementation; in other words, the DSF can be used to implement an ISO 27001:2005 compliant ISMS. A partial mapping of DSF disciplines vis-a-vis ISO 27001 has been presented below (NB: this is not an exhaustive list and is provided as an illustration).


Image Credits
1) DSF (DSCI Security Framework) book image: http://images.nasscom.org/sites/default/files/imagecache/product_full/researchreports/images/DSF.jpg
2) http://www.dsci.in/sites/default/files/Security_homepage_0.jpg

Information Sources
1) http://www.dsci.in
2) http://www.ism3.com
3) http://csrc.nist.gov/groups/SMA/fasp/documents/incident_response/SSAIRBSP/SSECMMv2Final.pdf

Disclaimer
The opinions and viewpoints expressed here are personal.

About the Author

M.S.Sripati, CISA
maanav.saavadhaan@gmail.com
Sripati is an information security process consultant and software developer with over 8 years of experience in ISO 27001 and HIPAA compliant ISMS implementation, risk assessment and risk management. He is a self-driven professional who keeps himself abreast of the latest developments and regulations by participating in various information security forums. Check out his site (www.sripati.info) to know more.


Viproy - VoIP Penetration Testing and Exploitation Kit


Introduction
Viproy was developed to improve the quality of SIP penetration tests. It is a collection of Metasploit Framework modules focused on SIP testing and can be used with the GitHub edition or the Pro edition of the Metasploit Framework. It has 10 different modules for testing target SIP servers, with authentication and fuzzing support, and also provides a SIP library that extends the Metasploit Framework REX library.

Description of Modules:
1) OPTIONS: The Options module can be used to discover target SIP services and devices.
2) REGISTER: The Register module can also be used to discover target SIP services and devices; in addition it can register a client or a service, or test whether an account is valid.
3) INVITE: The Invite module is prepared to test the call features of target SIP services. Invite spoofing, billing or CDR bypass using custom proxy headers, Invite-based DoS attacks and sample call tests can be performed with it.
4) ENUMERATOR: The Enumerator module enumerates the users and internal numbers of target SIP servers. The enumeration step of a SIP pen-test can be performed with a user list file or a numeric user range.
5) BRUTE FORCE: The Brute Force module performs advanced password attacks against SIP services. Password attacks can be launched using user list files, numeric ranges and password files, and are easily customised: for example, a password file against a single target user, or a few specific passwords against a numeric range or a user list.


6) MESSAGE: The Message module is prepared to test the message features of SIP services. Message support is required to test the value-added services and service operations of SIP operators. It supports message spoofing, simple fuzzing and message-based DoS attacks.
7) PORT SCANNER: The Port Scanner module tests the registration features of SIP proxies. It can perform SIP bounce attacks to discover third-party SIP servers through the target SIP services.
8) DDOS AMPLIFICATION: The DDoS testing module is prepared to demonstrate DDoS attacks based on SIP error messages; SIP servers send error messages 10 or more times in reply to bogus requests. The module can send IP-spoofed SIP requests to target SIP services and so initiate an attack on third-party victims.
9) PROXY: The Proxy module is prepared to test SIP clients and SIP services with MITM proxy features. It supports basic search-and-replace functions for testing SIP services, and can also add new features to SIP clients, such as invite spoofing, proxy headers and fuzzing.
10) TRUST ANALYZER: The Trust Analyzer module is prepared to test the trust relationships of SIP trunks. SIP trunks trust each other in UDP-based communications. The module sends IP-spoofed invite or message requests to targets to determine which SIP trunks are trusted; when a trusted SIP trunk is detected, it can send spoofed calls and messages to target SIP clients. It also has simple fuzzing support for testing target SIP clients through the trust relationship.

About the Author

Fatih Ozavci
fatih.ozavci@gamasec.net
Fatih Ozavci is a Senior Security Consultant at Sense of Security, Australia. He is the author of the Viproy VoIP Penetration and Exploitation Testing Kit and has also published a paper on hacking SIP trust relationships. He has discovered many previously unknown security vulnerabilities, design and protocol flaws in VoIP environments for his customers, and he also analyses VoIP design and implementation flaws and helps improve VoIP infrastructures as a service. While Fatih's primary expertise is in VoIP penetration testing, mobile application testing and IPTV testing, he is also well versed in network penetration testing, web application testing, reverse engineering, fuzzing and exploit development. He has spoken at Defcon 21, Blackhat 2013, Cluecon 2013 and Athcon 2013.


Network Security Basics Part-2


This section maps common information security problems onto the seven OSI layers and, for each layer, looks at the controls that help secure an organisation's information resources.

Layer 1 - Physical Layer


The physical layer is responsible for the physical communication between end devices. The logical first step in securing our information is to ensure that the physical resources are not compromised. Quite often technologists fail to recognise the importance of simple measures such as properly locking storage units, server cabinets, equipment rooms and office spaces. Gaining access to resources is the first step in compromising them: where is the information stored, and who might have physical access to it? Typically, efforts to physically secure information are a shared responsibility between technologists and those who manage the facility in which the information resides. In some organisations you must have a card key, a hardware key or biometric access to enter areas where sensitive information can be accessed. Even with the resources physically locked they are at risk: social engineering is a form of infiltration that takes advantage of ordinary social interaction to gain physical access. Environmental factors should also be considered. In extreme circumstances a good disaster recovery plan is essential in case information resources are compromised; off-site data storage, asset inventories and vendor contacts are critical to knowing what to replace, where to get replacements and how to restore access.

Physical Layer Vulnerabilities
- Loss of power
- Loss of environmental control
- Physical theft of data and hardware
- Physical damage or destruction of data and hardware
- Unauthorised changes to the functional environment (data connections, removable media, adding or removing resources)
- Disconnection of physical data links
- Undetectable interception of data
- Keystroke and other input logging

Physical Layer Controls
- Locked perimeters and enclosures
- Electronic lock mechanisms for logging and detailed authorisation
- Video and audio surveillance
- PIN- and password-secured locks
- Biometric authentication systems
- Training users against social engineering
- Building up a good disaster recovery plan
Physical locks, both on equipment and on the facilities housing it, are imperative to keep intruders out: in order to use information one must first have access to it.

Layer 2 - Data Link Layer

The Data Link Layer's responsibility is to place frames on the network medium and ensure that delivery is error-free. This is where the MAC (hardware) address of communicating devices is used and where checksums for errors in delivery are applied. A network interface running in promiscuous mode, used together with a packet filter, is helpful to analysts (and to hackers as well) for flow analysis, problem determination and code debugging. A hacker prefers using software to spoof a MAC address and so capture traffic destined for a specific machine. In either event the captured traffic may contain important data, or even usernames and passwords giving access to still more sensitive information.

Data Link Layer Vulnerability Examples
- MAC address spoofing (a station claims the identity of another)
- VLAN circumvention (a station may force direct communication with other stations, bypassing logical controls such as subnets and firewalls)
- ARP poisoning attacks
- Spanning Tree errors, introduced accidentally or on purpose, that cause the layer-two environment to transmit frames in infinite loops
- In wireless media, layer-two protocols may allow free connection to the network by unauthorised entities, or weak authentication and encryption may give a false sense of security
- Switches may be forced to flood traffic to all VLAN ports rather than selectively forwarding to the appropriate ports, allowing interception of data by any device connected to a VLAN

Data Link Layer Controls
- MAC address filtering: identifying stations by address and cross-referencing with the physical port or logical access


Layer 2 switches provide the ability to create logically separate LANs on the same physical device, called VLANs. Using traffic and protocol access control lists or filters provides some protection at this layer. Quality-of-Service marking and prioritisation control protocols let us control and better utilise existing bandwidth; this is typically accomplished using appropriate class-of-service or differentiated services code point (DSCP) values. Disabling untrusted Layer 2 ports reduces traffic to and from hosts. Disable the default VLAN 1 port [5]. As you tighten your defences at Layer 2 you will need to leave a port open for management purposes, preferably out-of-band. Do not rely on VLANs alone to enforce secure designs: layers of trust should be physically isolated from one another, with policy engines such as firewalls between them. Wireless applications must be carefully evaluated for unauthorised access exposure; built-in encryption, authentication and MAC filtering may be applied to secure networks. Telnet capabilities should be completely filtered if not required.

Layer 3 - Network Layer

The Network Layer determines the best path from the source to the destination host on a network. IP addresses are assigned and used at this layer for unique identification; for communication with the Internet a public IP address must be assigned. This address allows a system to contact the outside world and allows the outside world to contact the host, so it is logical to consider this border of our system vulnerable.

Network Layer Vulnerabilities
- Route spoofing: propagation of false network topology
- IP address spoofing: false source addressing on malicious packets
- Identity and resource ID vulnerability: reliance on addressing to identify resources and peers can be brittle and vulnerable

Network Layer Controls
- Route policy controls: use strict anti-spoofing and route filters at network edges
- Firewalls with strong filtering and anti-spoofing policy
- ARP/broadcast monitoring software
- Implementations that minimise the ability to abuse protocol features such as broadcast

Network Address Translation (NAT) is a service that temporarily binds a private IP address to a public IP address, so that for a time there is a one-to-one relationship between a private and a public address; a pool of public IP addresses must be leased for NAT to work. Port Address Translation (PAT), on the other hand, allows a single public IP address to be bound to multiple virtual ports, so that multiple networked hosts share a single public identity on the Internet, a more cost-effective and secure solution. In either case the internal IP address is hidden from the outside world, giving us some anonymity. Remote access through Internet tunnelling takes place at Layer 3: Virtual Private Networking (VPN) lets us establish credentialed connections and transmit encrypted payloads across pre-existing Internet channels. Considering only the external threat is not a safe assumption, however: statistically, most information breaches take place from the inside. If a system requires an IP address to participate in network communications, then we need to consider how IP addresses are assigned. Dynamic Host Configuration Protocol (DHCP) has been widely accepted and used for its ease of administration, lower risk of human error and flexibility. When securing a network from unauthorised access matters more than the benefits of DHCP, static IP assignment should be considered; when identification of specific hosts on a network is the greater threat, DHCP with a very short lease length may be more appropriate.
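Two of the Layer 2 and Layer 3 controls listed above, ARP monitoring and edge anti-spoofing filters, as an added example that is not part of the article. The ARP monitor remembers the first MAC each IP answered with and flags any later reply that binds the same IP to a different MAC; the anti-spoofing filter drops inbound packets claiming an internal or bogon source and outbound packets whose source is not one of our own prefixes. The record formats, address ranges and sample records are my assumptions, constructed for the demo.

```python
"""ARP-conflict monitoring and edge anti-spoofing (added example).

Assumptions: ARP replies are (seconds, sender_ip, sender_mac) tuples and
edge packets are (direction, src, dst) tuples; the prefixes below are
constructed for the demo, as are the sample records.
"""
import ipaddress
from collections import defaultdict

# Constructed ARP reply log seen on the LAN.
ARP_REPLIES = [
    (0, "10.0.0.1", "00:11:22:33:44:01"),   # the real gateway
    (1, "10.0.0.7", "00:11:22:33:44:07"),
    (5, "10.0.0.1", "de:ad:be:ef:00:01"),   # gateway IP now claimed by another MAC
    (6, "10.0.0.1", "de:ad:be:ef:00:01"),
]

# Constructed packets seen on the Internet-facing interface.
EDGE_PACKETS = [
    ("in", "198.51.100.20", "203.0.113.5"),
    ("in", "10.0.0.9", "203.0.113.5"),        # internal source arriving from outside
    ("in", "127.0.0.1", "203.0.113.5"),       # loopback source is never valid on the wire
    ("out", "203.0.113.5", "198.51.100.20"),
    ("out", "192.0.2.44", "198.51.100.20"),   # outbound with a source we do not own
]

# Prefixes we own (assumed) and addresses that must never appear as a source.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("203.0.113.0/24")]
BOGONS = [ipaddress.ip_network(n)
          for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


def detect_arp_conflicts(replies):
    """Return {ip: [first_mac, conflicting_mac, ...]} for IPs whose binding changed.

    A later reply carrying a different MAC for an IP already seen is the
    classic symptom of ARP poisoning (or of a duplicate-address misconfiguration)."""
    seen = {}
    conflicts = defaultdict(list)
    for _ts, ip, mac in replies:
        mac = mac.lower()
        if ip not in seen:
            seen[ip] = mac
        elif mac != seen[ip] and mac not in conflicts[ip]:
            conflicts[ip].append(mac)
    return {ip: [seen[ip]] + macs for ip, macs in conflicts.items()}


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def anti_spoof_verdicts(packets):
    """Return 'accept' or 'drop' per packet, applying ingress and egress
    anti-spoofing at the network edge: inbound traffic may not claim an
    internal or bogon source, and outbound traffic must use a source we own."""
    verdicts = []
    for direction, src, _dst in packets:
        s = ipaddress.ip_address(src)
        if direction == "in" and (_in_any(s, INTERNAL_NETS) or _in_any(s, BOGONS)):
            verdicts.append("drop")
        elif direction == "out" and not _in_any(s, INTERNAL_NETS):
            verdicts.append("drop")
        else:
            verdicts.append("accept")
    return verdicts


if __name__ == "__main__":
    print("ARP conflicts:", detect_arp_conflicts(ARP_REPLIES))
    for pkt, verdict in zip(EDGE_PACKETS, anti_spoof_verdicts(EDGE_PACKETS)):
        print(verdict, pkt)
```

The ARP monitor deliberately does not try to decide which MAC is the legitimate one; it only raises the conflict, which is what a monitoring tool should do before an operator (or a static ARP entry for the gateway) settles the question.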

Layer 4 - Transport Layer


Finding a system on the Internet requires knowing the public IP address assigned to it. To target a specific application on that system an intruder also needs the port number assigned to the application; the address and port together are referred to as a socket. A computer system has 65535 ports, which fall into three categories: well-known, registered and dynamic. This is where Layer 4 security is applied. Many applications use well-known TCP and UDP ports; an FTP server will, by default, listen on TCP port 21. If the file server providing the FTP service is not meant for the public, it is best to change the default port number and divulge the new one to authorised users only. In this way we can confuse and stall potential intruders by using private ports in place of well-known ones. Trojans, malicious programs masquerading as benign programs, tend to target specific TCP and UDP ports; a port opened by a Trojan will require cleaning, and virus scanning software helps protect systems at this layer. Security issues at the Transport Layer are concerned with the availability of end-to-end data transmission. Layer 4 switching provides the ability to control traffic not only by the IP and MAC addresses of the lower layers, but also by the specific application, incorporating the upper layers of the OSI model.

Transport Layer Vulnerabilities
- Mishandling of undefined, poorly defined or illegal conditions
- Differences in transport protocol implementation allow fingerprinting and other enumeration of host information
- Overloading of transport-layer mechanisms such as port numbers limits the ability to effectively filter and qualify traffic
- Transmission mechanisms can be subject to spoofing and attacks based on crafted packets and educated guessing of flow and transmission values, allowing disruption or seizure of control of communications

Transport Layer Controls
- Strict firewall rules limiting access to specific transmission protocols and sub-protocol information such as TCP/UDP port number or ICMP type
- Stateful inspection at the firewall layer, preventing out-of-state packets, illegal flags and other phony packet profiles from entering the perimeter
- Stronger transmission- and session-layer identification mechanisms to prevent the attack and takeover of communications
Prioritisation based on application allows us to better control and utilise our bandwidth, and better control measures offer a more secure level of service. This layer can be further secured by using a secure form of TCP: the Extended Three-way Handshake extends traditional TCP handshaking to deliver negotiation data and key exchange data, and State Transition is a secure TCP method that uses host state to differentiate authorised transmissions. Data integrity can be achieved through a MAC (Message Authentication Code), which reveals whether an attacker has modified the data. Data confidentiality can be achieved through encryption and must be addressed at the same time as data integrity.

Layer 5 - Session Layer

The Session Layer facilitates communication with a receiving device by establishing, maintaining, synchronising, controlling and terminating connections; in short, it deals with session handling between systems. During this process the communicating entities can be verified. Secure Sockets Layer (SSL), also referred to as Transport Layer Security, is a technology designed to confirm the identity of hosts and servers; although called Transport Layer Security, this function lies just above the transport layer and is really session-layer based. SSL is often the protocol used for secure credit card transactions on the Internet. Using server authentication, a server's identity can be verified through a Certificate Authority (CA) using public key cryptography, and the same can be applied on the client side with client authentication. SSL uses different ciphers (cryptographic algorithms) to provide encrypted session services, and cipher suites provide a wide range of encryption settings. The SSL Handshake Protocol enables the authenticated client and server to negotiate which cipher will be used. This helps reduce susceptibility to a man-in-the-middle attack: even if the session is intercepted, the data is protected by encryption.

Session Layer Vulnerabilities
- Weak or non-existent authentication mechanisms
- Passing of session credentials such as user ID and password in the clear, allowing interception and unauthorised use
- Session identification may be subject to spoofing and hijacking
- Leakage of information based on failed authentication attempts
- Unlimited failed sessions allow brute-force attacks on access credentials

Session Layer Controls
- Encrypted password exchange and storage
- Accounts have specific expirations for credentials and authorisation
- Protect session identification information via random/cryptographic means
- Limit failed session attempts via a timing mechanism, not lockout

Layer 6 - Presentation Layer

The Presentation Layer deals with encryption: when data is received, what form will it take? Encryption techniques allow us to scramble the packet contents so that a special code is required to reveal them, and the more sophisticated the encryption algorithm, the harder it is to gain access to the data. Proper planning is necessary to calculate security needs and balance them against resource limitations.

Presentation Layer Vulnerabilities
- Poor handling of unexpected input can lead to application crashes or surrender of control to execute arbitrary instructions
- Unintentional or ill-advised use of externally supplied input in control contexts may allow remote manipulation or information leakage
- Cryptographic flaws may be exploited to circumvent privacy protections

Presentation Layer Controls
- Careful specification and checking of input received by applications or library functions
- Separation of user input from program control functions: input should be sanitised and sanity-checked before being passed into functions that use it to control operation
- Careful and continuous review of cryptography solutions to ensure they remain secure against known and emerging threats

Layer 7 - Application Layer

The Application Layer is where services support user applications and where authentication takes place. The most common form of authentication is a username and password, where the username should be a unique ID and the password confidential; an effective account policy is therefore essential. Encryption of these two credentials, username and password, is also feasible at this level, and application-layer encryption adds yet another element of protection.

Application Layer Vulnerabilities
- Open design issues allow free use of application resources by unintended parties
- Backdoors and application design flaws bypass standard security controls
- Inadequate security controls force an all-or-nothing approach, resulting in either excessive or insufficient access
- Overly complex application security controls tend to be bypassed or poorly understood and implemented
- Program logic flaws may be accidentally or purposely used to crash programs or cause undesired behaviour

Application Layer Controls
- Application-level access controls to define and enforce access to application resources; controls must be detailed and flexible, but also straightforward, to prevent complexity from masking policy and implementation weaknesses
- Standards, testing and review of application code and functionality: a baseline is used to measure the application implementation and recommend improvements
- IDS systems to monitor application inquiries and activity
- Some host-based firewall systems can regulate traffic by application, preventing unauthorised or covert use of the network

About the Author

Anagha Devale-Vartak
http://avsecurity.in

Anagha is an Information Security professional with experience in vulnerability assessment, web application audit, database audit, antivirus review and compliance audit. She holds the CCNA and CEH certifications.
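The session-layer control "limit failed session attempts via a timing mechanism, not lockout", as an added example that is not part of the article. A per-account delay grows with each consecutive failure and is cleared by a success, so a brute-force burst is slowed down while a legitimate user can never be locked out of their own account by someone else's failed attempts. The grace allowance, delay schedule and sample login events are my assumptions, constructed for the demo.

```python
"""Failed-login throttling by timing rather than lockout (added example).

Assumptions: the password check itself happens elsewhere and its result
is passed in as a boolean; times are seconds from an arbitrary origin.
The thresholds below and the sample event sequence are constructed.
"""

BASE_DELAY = 1.0      # seconds after the first failure past the grace allowance
MAX_DELAY = 60.0      # cap so the throttle never becomes an indefinite lockout
FREE_FAILURES = 2     # typos are tolerated before any delay applies


class LoginThrottle:
    """Tracks consecutive failures per account and refuses attempts that
    arrive before the account's delay has elapsed."""

    def __init__(self):
        # account -> (consecutive_failures, earliest_next_attempt)
        self._state = {}

    def required_delay(self, failures):
        """Exponential back-off: 0 for the grace attempts, then 1, 2, 4 ... seconds, capped."""
        excess = failures - FREE_FAILURES
        if excess <= 0:
            return 0.0
        return min(MAX_DELAY, BASE_DELAY * 2 ** (excess - 1))

    def attempt(self, account, password_ok, now):
        """Return 'ok', 'fail' or 'throttled'.

        A throttled attempt is refused without consulting the password at all,
        so an attacker learns nothing from it; a success resets the counter."""
        failures, earliest = self._state.get(account, (0, 0.0))
        if now < earliest:
            return "throttled"
        if password_ok:
            self._state.pop(account, None)
            return "ok"
        failures += 1
        self._state[account] = (failures, now + self.required_delay(failures))
        return "fail"


def run_sample():
    """Constructed sequence: a burst of wrong passwords against 'alice',
    then the real user logging in once the delay has elapsed."""
    throttle = LoginThrottle()
    events = [
        ("alice", False, 0.0), ("alice", False, 0.5), ("alice", False, 1.0),
        ("alice", False, 1.2),   # refused: 1 s delay from the third failure not over
        ("alice", False, 2.5),   # checked, fails, delay grows to 2 s
        ("alice", True, 3.0),    # inside the 2 s window: throttled even with the right password
        ("alice", True, 5.0),    # correct password after the window: ok, counter reset
        ("bob", False, 5.0),     # other accounts are unaffected
    ]
    return [throttle.attempt(account, ok, now) for account, ok, now in events]


if __name__ == "__main__":
    print(run_sample())
```

The cap on the delay is the point of the design: with a plain lockout, an attacker who knows a username can deny that user service by deliberately failing; with a bounded back-off the worst case for the legitimate user is a short wait, while the attacker's guess rate is still cut from many per second to one per minute.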

