CISSP Blog Post 19, Domain 4: Network: OSI Layers 5 (Session Link) & 6 (Presentation)

Credit: Post based on CISSP course presented by Dennis Lee, November 2018

Layer 5 protocols coordinate the orderly exchange of information. They include:

The Remote Procedure Call (RPC) Protocol which is utilized in client-server environments and Secure RPC which uses mutual authentication for client & server to authenticate one another.

Remote Procedure Call (RPC) Protocol Process

Layer 6 protocols are responsible for giving applications access to the network services, i.e. they help applications talk to the network. An example is Microsoft Outlook using Layer 6 protocols such as SMTP, POP3, or IMAP to handle email transmission on the network. Other examples include:

The Domain Name System (DNS) protocol which is a translation service to resolve Fully Qualified Domain Names (FQDN) to IP addresses. The way this works is:

1. Browser sends domain to ISP for lookup
2. ISP DNS goes through recursive search, first to Root DNS, which will return local .ORG DNS address
3. .ORG DNS will return IP address of DNS server of actual website Website
4. DNS server will return IP address of actual website to ISP DNS
5. ISP DNS then returns actual website IP address to Browser

Domain Name Service (DNS) Lookup Process

DNS Security (DNS-SEC) is a protocol designed to combat DNS cache poisoning using digital signatures to verify that DNS data is coming from authentic sources.

Network Address Translation (NAT) is the translation between public internet IP addresses and local (private) IP addresses. Private IP ranges include:

• 10.0.0.0 – 10.255.255.255
• 172.16.0.0 – 172.31.255.255
• 192.168.0.0 – 192.168.255.255

Network Address Translation (NAT)

Editing Mozilla Firefox Container URLs

I really like Mozilla Firefox’s container system that’s been out for around a year now. There’s one issue though that’s bothered me on a daily basis and really annoyed me, I just never took the time until now to track down the fix for it. Hope this helps someone else!

I’m assuming that you use Mozilla’s Firefox browser and have already setup container groups and assigned specific websites to always open in container tabs. My issue was, I couldn’t figure out how to edit a URL once I set it up.

Well today I spent 10 minutes & figured out where Firefox stores the file that controls these URLs so you can manually edit them. The file is called storage.js and is stored in your Firefox profile which is typically in your user profile’s AppData folder (reachable at %AppData%). For me, this file is stored in:

%AppData%\Roaming\Mozilla\Firefox\Profiles\<PROFILE NAME>\browser-extension-data\@testpilot-containers

Before editing the file, close Firefox. You can open the file in any basic text editor (I personally use Notepad++ but regular Notepad works too) do a quick search for the offending URL and update it to the URL you want it to be, then restart Firefox and your URL should now redirect properly to the correct container group.

Note that the URL is only the top level domain. E.g. you can change outlook.login.com to live.login.com, however you don’t need to specify https://www before the domain name.

Personal Tips: How to keep your information secure

Disclaimer: Even the tips provided below cannot completely protect you. Work to develop your Security Mindset. Always remember, if you’re unsure if something is secure, ask!

In this post, I will highlight how a “Security Thinker” thinks, I’ll cover different avenues of attack including physical, personal, & digital attacks. Finally, I’ll spend a little time on how you can protect your data.

Becoming a “Security Thinker”

Ever picked up your car from the dealer after an oil change? The conversation probably went something like this…

Me: “Hi, I’m here to pick up my car…”
Customer Rep: “What’s your last name?”
Me: “Beck”
Customer Rep: “Got it, I see you in my list. I’ll have them pull your car right out front.”
Me: “Thanks!”

Great customer service? Or a massive breach in validating the real owner of the car?

How about this product?

SmartWater is a water-based, clear solution “paint” which is brushed or sprayed onto property, drying totally invisible. Each bottle contains the owner’s unique forensic formula (PIN) which is logged into a secure database so recovered property can be traced. The paint transfers to a thief’s clothing and skin, providing microscopic forensic evidence to prove the presence of the suspect at the time of the incident.

Let’s think about this for a second. Here’s a fun scenario…

I have a bottle of SmartWater and I’m over at your house. I really like your new TV… when you go out of the room to get me a beer, I brush a little on under the front corner. The next day, I call the cops to report that you stole my TV – and I have proof!

Good security product? Or easy way to legally steal?

Hopefully these stories highlight how a “Security Thinker” should think.

Avenues of Attack

Social Engineering refers to someone using psychological manipulation to get information from someone else. For example, you are working in a call center & someone calls and says “Hello, this is Yosef from IT, I’m working from home today and can’t log in, can you help me?” If you know Yosef, you may recognize that the person on the line isn’t him. Probably, you won’t know Yosef from Adam & if you are not careful, you may provide sensitive information without realizing it. To help protect yourself, here are a few tips:

• Take off your employee badge or put it in your pocket when you leave the office. Anyone eating lunch next to your table can potentially gain all sorts of valuable information by looking at it such as the company you work for, your name, & even potentially your employee number & your title.
• Do NOT share matters related to work, such as campaigns, products, services, complaints, or customers with people you don’t know.
• Do NOT let unknown individuals into your office or a client’s office. Piggybacking is not allowed!
• Double/triple check requests for confidential information – especially e-mail requests! A follow up phone call is good practice.

Another potential avenue of attack is your mobile devices. Now a days, your phone can potentially give someone access to your credit cards, your bank accounts, your social media accounts, and a variety of other information such as confidential documents, etc. Don’t forget your laptop or data thumb drive either! For all of these devices, follow these tips to be safe:

• Use a login password.
• Set password program to wipe your device if your password is improperly entered X number of times. Note – this may not be practical if you live with toddlers who like to press random buttons…
• Setup a program to remotely wipe your device in case it’s stolen.
• Encrypt your devices! Good encryption programs include Windows BitLocker, Apple LionVault, & GnuPG
• Try not to leave mobile devices in your car unattended – and NEVER leave them in plain sight!

With regards to your phone, another avenue of attack is through software:

• Only download apps that have been downloaded many times before (e.g. 1 Million+)
• Understand the permissions that an app is requesting – does your flashlight program really need access to the internet?
• Watch for battery to start draining quicker than normal – this may indicate that an unwanted app is running in the background.
• Turn off features you don’t need such as: NFC, Android Beam, Bluetooth, picture geo-location tagging, & automatic uploading of pictures to Social Media sites.

Here are some Social Media tips for staying safe:

• Be an adult. Don’t talk to strangers!
• Don’t post information you don’t want others to know
• Don’t friend strangers just to collect “friends”
• If you get a friend request & you think you’re already friends with them, check!
• Remember that you don’t know for sure who’s really on the other end of a chat

For any of your computing devices, always make sure that you are keeping up with the latest security updates – this is for both your operating system & any software / apps. This is especially true for any programs that access or interface with the internet!

• If you are on Windows, security patch updates include fixing vulnerabilities that Anti-Virus programs may not catch! Don’t postpone & if you have updates set to update automatically, shut your device down fully at least once a week to allow updates a chance to fully install.
• Updating software includes updating any plug-ins – these may not update at the same time as the main piece of software. For example, if you’re running the Mozilla Firefox browser, you need to keep your add-ons & plug-ins up to date yourself.
• Hopefully everyone already does this but don’t open e-mail attachments from people you don’t know! Always make sure your anti-virus program scans an attachment before you open it. Also, keep in mind that file extensions can be changed! A simple TXT file may actually be an executable file that will damage your computer!
• Do NOT rely on anti-virus to keep you safe! If you don’t know what your anti-virus is prompting you to do try Googling/Binging the message &/or ask a friend!
• Passwords: Do NOT share them! Do NOT use the same password for personal & work access. Make your passwords looooooong! Anything under 12 characters can be guessed by a computer program in just a couple of hours. If someone wants to get into your account they probably can but don’t make it any easier for them than you have to.

Protect your Data!

Data comes in all types & sizes, it can be your SSN, your phone number, address, contact list, work documents, financial information, etc. Tips for protecting your data include:

• Log out of websites & IM services when you leave your PC
• Instead of doing a simple delete of computer files that have sensitive information – use a shredding program (such as Eraser – http://eraser.heidi.ie/)
• Shred your physical papers, credit cards, CDs, envelopes, receipts, etc. Anything that has sensitive information should be destroyed before putting in the trash.
• Backup your data! Use hard backups such as making copies on an external hard drive, backup to the cloud (top rated backup program is https://www.code42.com/crashplan/)

Remember! Just because you’re paranoid… doesn’t mean they aren’t out to get you! 😉

What’s new in Windows 10? (And whatever happened to Windows 9?)

Last question first – according to a Reddit poster (a reputable source of news I know…) the name Windows 9 may have been skipped due to lazy developers.

Apparently a lot of 3rd party products (e.g. non-Microsoft) may have checked the Windows version they were running on by looking for “Windows 9” to figure out if they were on Windows 95, Windows 98, Windows 98SE, etc. An easy way around breaking a bunch of old software was to simply skip to Windows 10. Certainly makes the most sense out of anything else I’ve read. 🙂

Now – what’s new in Windows 10?

Here are the highlights:

1. Windows 10 is free to upgrade too for 1 year. After that, it’s a flat, up-front fee to buy the software – no annual fees (like Office 365).
2. Microsoft’s version of Siri or “Ok Google” is called Cortana and it’s coming to all devices including your laptop. This means built-in dictation as well as interactive search, etc. May be a bit difficult to use in an open-cube environment but otherwise has a lot of potential.
3. Universal Apps – the pipe dream of many end users is now a reality – developers will be able to build apps (aka “programs”) that run on any device including your phone, tablet, XBox, & PC. This means that regardless of what device you pick up, you theoretically can use the same app everywhere.
4. Microsoft Edge – with Windows 10, Microsoft gets rid of Internet Explorer. To replace it, they have built a brand new internet browser called Edge which brings Microsoft’s browser into the 21st century. Not a lot of new functionality over other modern browsers (such as Chrome or Firefox), however one major update is the ability to literally draw on a web page and add notations, then share your marked up page with anyone. In addition, Edge comes with handy Cortana integration built-in which means that Cortana is constantly scanning the websites you are on to try to help you. For example you go to a restaurant’s website – Cortana will ask you if you would like to make a reservation. If you say yes, Cortana can initiate the call over Skype right from your browser.
5. I don’t run in the hard-core gamer circles but for those of you with an XBox One, it can now send live gaming to your Windows 10 PC, allowing you to remotely play XBox One games anywhere provided you have your PC with you.
6. For those Command Line power users out there (myself included of course!) the good old DOS prompt has gotten a much-needed face-lift. Text will now wrap, the window is fully adjustable to your screen, & you now have the ability to Ctrl+C, Ctrl+V into & out of the console!
7. No longer limited to Microsoft applications, Windows Notifications are now accessible by 3rd party applications (such as DropBox, Google Drive, etc.) to let you know when events occur.
8. You can pin the recycle bin to the Start Menu & Taskbar & finally delete it off your desktop!
9. File Explorer now opens by default to a new “Home” screen that shows you any files & folders you’ve designated as favorites as well as your most frequently used files & folders.
10. Windows has had the ability to give you multiple “virtual” desktops for quite a while. With Windows 10, you now get two key shortcuts to make switching quicker & easier. Win + Tab brings up an interface showing thumbnails of each of your desktops, allowing you to select one. Ctrl+Win+Right/Left will switch desktops in either direction.
11. File History has been an on-again, off-again feature of Windows but is now standard in Windows 10. Basically it gives you a built-in time machine for accessing previous versions of files (provided you have it turned on).

All in all, I’m definitely looking forward to upgrading from Windows 8.1!

Heartbleed’ing – what do I do?

With the Heartbleed bug in the news recently, a lot of folks have asked me for advice on what to do.

First off, here’s a quick description of what Heartbleed is:

Wikipedia states: Heartbleed is a security bug in the open-source OpenSSL cryptography library, which is widely used to implement the Internet’s Transport Layer Security (TLS) protocol. This vulnerability, classified as a buffer over-read, results from a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension, the heartbeat being behind the bug’s name.

In plain(er) English – this means that websites that use a certain version of encryption (aka OpenSSL), are vulnerable to sharing encrypted information with anyone who queries the website in a certain way. A website’s address that starts with https:// (note the “s”) use SSL to encrypt the transaction of data back and forth between the website and your browser.

To find out if a website is affected, you can use a bunch of different tools to check the version of OpenSSL used by a website. The easiest one that I’ve come across is LastPass’s Heartbleed checker available here.

When you plug-in a website it will tell you if the website uses OpenSSL & if so, if it’s safe to use the website or not. Here’s a screenshot of what the checker tells you about yahoo.com:

As you can see, LastPass says that Yahoo used to use the problematic OpenSSL but has since fixed it on their website and that it’s now time to change any Yahoo passwords that you may have.

If a website hasn’t updated their OpenSSL to a fixed version, there’s really no point in changing your password – I would recommend minimizing or ideally not using the website until it has been fixed. If possible, contact the website & tell them that you are not using their website until they get it fixed.

Hope this information helps explain what Heartbleed is & what to do about it – stay safe!

~Yosef

Increase your Firefox Productivity using about:config settings

My browser of preference is Firefox for many different reasons: Security, add-ons and customizability. Today’s post will focus on one of the lesser known aspects of Firefox’s customizability – the “about:config” settings.

To get to these settings, open a new tab in Firefox, type “about:config” into the URL bar (also called the “Awesomebar” in Firefox lingo) and load the page (hit Enter).

At the “This might void your warranty!” page – click the “I’ll be careful, I promise!” button. This will take you to a humongous list of undocumented settings. In addition to the ones listed – you can even create & add your own!

Disclaimer: You can easily break Firefox by changing settings that you don’t understand. Please reference the comprehensive list of about:config options here: http://kb.mozillazine.org/About:config_entries

This list is the basic list of settings that I immediately change/create whenever I setup a new instance of Firefox. All of them help me browse the web faster and/or safer.

Faster tips:

1: Disable the Delay When Installing New Extensions

When you install a new extension in Firefox, there is a countdown of 5 seconds delay before you can install the add-on. To regain those 5 seconds of your life, in the “Search” field on the about:config screen, search for security.dialog_enable_delay and set the value to “0”.

2: Don’t Close Firefox after Last Tab is Closed

One of my pet peeves in Firefox is that by default, it will close the entire program if you close the last tab. To stop this behavior, set the browser.tabs.closeWindowWithLastTab setting to “False”.

3: Open Search Results in a New Tab

If you use the default search box in Firefox (I actually disable mine & just search from the Awesomebar), you can force Firefox to open search results in a new tab so that it does not override the page you’re currently viewing.

To do so, search for browser.search.openintab and double-click the setting to change it to “True”.

4: Force Spell Checking in all Text Boxes

By default, Firefox only spell checks words that are typed in multi-line text boxes. To force Firefox to spell check words in all text boxes, search for layout.spellcheckDefault and set the value to “2”.

5: Preview Tabs

In Windows you can cycle through open programs using the “Alt”+”Tab” keys. In Firefox you can do the same thing with “Ctrl”+”Tab”. To preview a tab before viewing, set the browser.ctrlTab.previews setting to “True”. (Note: This only seems to work if you have 3+ tabs open, 2 tabs just switches without previews.)

Safer tips:

1: Show “http” in the Awesomebar

By default, Firefox cleans up the URL displayed in the Awesomebar. This makes it difficult to ensure that you’re on a https (secured) vs. http (unsecured) website. To show the http(s) section of a URL, set the browser.urlbar.trimURLs setting to False.

2: Turn off Geo-Location

Firefox is pretty good about alerting you when a website wants to know your location – if you’re like me & don’t want ANY websites tracking your location, you can force Firefox to never report (or annoy you by asking to report) your location to a website by setting the geo.enabled setting to “False”.

3: Set encryption preferences

When you connect to an “https” secure website, the server has a list of different types of encryption protocols and ciphers that it can handle. The server also “prefers” certain ones over others.

These preferences are set by the server admin and may be set to “prefer” a lower form of encryption for many reasons. They may want less powerful encryption to lower processing overhead on the server, or they may not understand what they are doing when they set it up, etc.

You can force Firefox to only use certain protocols and ciphers, however certain websites may fail to load in which case you will need to determine what type of encryption they allow and then turn that type back on. (See my articles on HTTPS Protocols and Ciphers and HTTPS Protocols and Ciphers Continued for more information).

Search for each of the following settings & modify every setting that’s returned as follows:

• tls Set all Boolean lines to “True”
• ssl2 Set all Boolean lines to “False” (Note: Newer versions of Firefox will not even list any ssl2 options.)
• ssl3 Set all Boolean lines to “False” EXCEPT lines that contain “aes_128” or “aes_256”. The AES encryption algorithm is much stronger than the RSA or RC4 ciphers.
• EXCEPTION: “security.ssl3.rsa_des_ede3_sha” Initially set this setting to “False” – however, this is the weakest cipher and may be needed for some older SSL sites so if you find certain sites are not working, this is probably the culprit – try setting this back to “True”.

HTTPS Protocols and Ciphers Continued

Yesterday I introduced you to HTTPS protocols and ciphers. Today we will focus on:

Which protocols and ciphers are (currently) best to use?

There are two types of protocols, SSL & TLS (SSLLabs checks both types).

SSL

• SSL 1.0 was never publicly released
• SSL 2.0 is considered insecure at this point
• SSL 3.0 is considered generally secure but highly depends on which cipher it’s using as well as if the browser protects against what’s known as “BEAST” (Browser Exploit Against SSL/TLS) attacks.

TLS

• TLS 1.0, like SSL 3.0 is considered generally secure but highly depends on which cipher it’s using as well as if the browser protects against BEAST attacks. In addition, TLS 1.0 allows for interoperability between TLS 1.0 & SSL 3.0, however this weakens the protection provided by TLS 1.0 and is not advised.
• TLS 1.1 is generally considered secure depending on the cipher used.
• TLS 1.2 is considered an enhanced version of TLS 1.1 and is again, secure depending on the cipher used.

So which ciphers are best?

Unfortunately, this is dependent on which protocol you are using. In general, all ciphers used with TLS 1.2 are secure except for RC4 (which is never considered secure, regardless of protocol). The main ciphers are as follows:

• AES CBC – secure when used with TLS 1.1 & TLS 1.2. Secure with TLS 1.0 depending on the browser used.
• AES CCM – secure when used with TLS 1.2
• AES GCM – secure when used with TLS 1.2
• 3DES CBC – secure when used with TLS 1.1 & TLS 1.2. Secure with TLS 1.0 & SSL 3.0 depending on the browser used. Insecure when used with SSL 2.0
• Camellia CBC – secure when used with TLS 1.2
• Camellia GCM – secure when used with TLS 1.2
• IDEA CBC – Secure when used with TLS 1.1, Secure with TLS 1.0 & SSL 3.0 depending on the browser used. Insecure when used with SSL 2.0
• DES CBC – Insecure with all protocols
• RC4 – Insecure with all protocols
• RC2 CBC – Insecure with all protocols

Once you know what type of protocol and cipher you need in order to connect to a website:

How do you change your browser to allow/disallow certain types?

I will focus on Mozilla Firefox, my browser of choice. Google Chrome & Internet Explorer allow you to change which protocols they use but you can’t specify the exact cipher.

In Firefox, you can allow / disallow specific protocols and ciphers by going to “about:config” in your URL “Amazingbar” (hit Enter).

Click the “I’ll be careful, I promise!” button to access the settings.

In the Search field, search for “ssl3” to view all SSL 3.0 options. You can double-click on each one to turn it on (TRUE) or off (FALSE).

To set your TLS settings, search for “tls”.

You will see two available settings that allow a range of 0 to 3:

• security.tls.version.min – specifies the minimum required/supported protocol version
• security.tls.version.max – specifies the maximum required/supported protocol version

For example, a min/max of 0 means that the minimum/maximum supported encryption protocol is SSL 3.0. A 1 indicates TLS 1.0, etc.

For more information, see the following article as a starting place: Wikipedia: Transport Layer Security

Questions/feedback? let me know in the comments below. Thanks!

HTTPS Protocols and Ciphers

To give a bit of background on this post –

I was researching different Firefox about:config settings for another article (to be forthcoming) and had changed a bunch of security settings to try and force Firefox to use higher grade encryption when accessing encrypted (HTTPS) websites.

Later in the day, I tried to access a website I visit very frequently and found that it wouldn’t load. I eventually realized that it must be because I had changed my Firefox security settings. The question I was stuck with was, “How do I figure out what encryption protocol and cipher a website is using in order to allow that encryption in Firefox?”. After some more research I was left with the following:

What is HTTPS & how does it work?

When you access a website, you are typically communicating over one of two protocols: HyperText Transfer Protocol (HTTP) or HyperText Transfer Protocol Secure (HTTPS). When you connect using HTTPS, all the information sent back and forth between you and the website is encrypted.

There are of course exceptions to this – for example, on your bank’s website, it may have a secure component for logging into the website but it may also have a third party advertisement that is not delivered encrypted to your browser. Depending on your browser, it may alert you when there is “mixed” content being loaded.

At a high level, when you access an HTTPS website, the server has a list of approved protocols and ciphers that it will allow communications to be encrypted with. This list is either the default list that the server comes enabled with (i.e. no one really thought about it, they just turned it on), or it’s a customized list that (hopefully) only allows the latest and greatest encryption methods.

Just like the server, your browser has a list of approved protocols and ciphers that it can use. When your browser contacts the server to load the HTTPS page, the server gives it a list of the approved encryption methods – this list is prioritized by the server’s “preference”.

Assuming your browser allows connections using one of the approved server’s methods, the browser and server conduct a “handshake” where the encryption method and a key are agreed upon and exchanged, allowing both the server & the browser to encrypt and decrypt communications between them. When the “handshake” is conducted, it is the most dangerous part of the communications process because it is done without encryption and (if done improperly) can allow for “man in the middle” (MITM) attacks or other attacks by an outside party. (I hope to cover different types of attacks and how they work in a future article.)

So what’s the difference between a protocol and a cipher? Think of encryption protocols as the method by which information is encapsulated and sent whereas ciphers are the way which information inside the capsule is scrambled (encrypted) to prevent anyone from reading the information.

Determining a Server’s allowed Protocols and Ciphers

This leads us back to my original question – if your browser does not accept the encryption types allowed by the server, how do you figure out which ones you need?

I found that there is a very handy website called http://www.ssllabs.com that has a SSL Server Test tool (available here: SSL Server Test) that allows you to plug in any website and it will determine if there are any available HTTPS connections to that website as well as give you a high level score and a very detailed breakdown of the site’s security protocols and ciphers.

There is also a Firefox plug-in available (called CipherFox) to give you this information every time you visit a website.

Tomorrow I will cover which Protocols and Ciphers are best to use & how to implement them in your Firefox browser.

Got questions or feedback? let me know in the comments below. Thanks!

Internet Search Security

Here is a list of common sense rules to help keep you safe while surfing on the internet.

Have a tip that’s not covered that you want to share? Post it in a comment below!

• Check URL’s before clicking on them
• Use preview (if available)
• Don’t click/visit suspicious looking websites!
• Disable ads in your browser using an ad blocker (e.g. AdBlock Plus for Firefox)
• Use a browser security and internet privacy add-ons such as Web of Trust, FlashBlock, etc.

(click on picture to enlarge)

Credibility

• Understand search engine ranking — it’s not the same as credibility or authoritativeness
• Choose appropriate terms for your query — different terms have different implications
• Verify credibility by looking for fact-checking sites – sites that you know to be credible
• Do one more search to confirm
• Use date range searches to validate when a quote first appeared
• Identify & validate sources cited
• Don’t make an answer part of your query (e.g. “height of tallest man was 7.5 feet”)
• Use quotes when quoting

Browser Search Tools

In addition to the search engine tips I posted about yesterday, here are some browser specific tips for speeding up your searches on an individual page:

Finding Words on a Page
Suppose I want to find out if Jabian is in the S&P 100. I navigate to Wikipedia & look up the S&P 100 list of companies. Instead of scanning through the entire list (and possibly missing an entry) I can use the built in search (find) function in my browser. In Firefox & Internet Explorer, press the “Ctrl” button in conjunction with the “F” Button (Ctrl+F).

This will bring up a search box in the browser where you can search (see area highlighted in pink in the picture above). As you can see, Jabian is not (yet) in the S&P 100.

Searching from the Address Bar

Did you know that instead of navigating to Google (or Bing, or whatever your favorite search engine is) – you can type your search criteria directly into the address bar of your browser? Firefox & Chrome default to Google while Internet Explorer defaults to Bing. You can usually change the default search engine in your browser’s options menu.

Type your query into the address bar & hit enter to load.

Your results will be automatically sent & loaded in your default search engine.