Secure your Mac computer

Securing your Mac computer is not overly difficult and there are a number of actions you can take to protect yourself from others seeking harm. Face it, if you do not take security seriously with your own system then who will? I have heard of the tooth fairy, but I have not heard of the security fairy. The fact is Apple has provided a number of features core to the operating system to help secure your system and prevent the tampering or stealing of your personal data. Securing your computer may sound intimidating at first and you may worry that you do not have the necessary skills to address this activity, but the truth is the features of the OS X operating system and third party tools range from simple to complex. Like with all things in life, all it takes is time and effort to succeed.

The Operating System

The fact is the tools afforded to you within the operating system come at no additional cost. For example, open up System Preferences and you will find a number of areas that will further advance your security efforts. These areas include Desktop & Screen Saver, Security & Privacy, Sharing, and Users & Groups. While these areas are not all inclusive of security options, they are a great starting point.

System Preferences Dialog

Desktop & Screen Saver

Enabling the screen saver provides a number of benefits and one is security. One aspect of social engineering is known as shoulder surfing. This is when another person either passes by your monitor or stands around your workstation in order to see what you may be doing. Another benefit is simply reduced power consumption and less monitor burn-in. So go ahead and select whatever screen saver you fancy and set the associated options. For example, set the Start after option to the number of minutes of inactivity after which the screen saver should activate.

Security & Privacy

This pane contains a number of options that you will want to spend time on; look closely at the General, FileVault, Firewall, and Privacy sections.

General

The General section allows you to set passwords, manage passwords, handle automatic login, and determine how you will handle application downloads.

Security & Privacy General Section

To change the password of the current user, click the Change Password button. Upon doing so you will be prompted to enter the current password, enter a new password, verify the new password, and finally enter a hint for the password.

Select the Require password after sleep or screensaver begins checkbox. Set a time interval for when the password is required – the immediately option is recommended. This will require the user to authenticate when exiting the screensaver or waking the computer from sleep.

I highly recommend checking the Disable automatic login box. If you go through the trouble of establishing a password then why in the world would you want to log in without being prompted for a password? Also, it makes it more difficult for the men in black.

The last section you will want to address is how you will handle the downloading and installation of applications. Know that the threat of malware and viruses is real no matter what anyone tells you. For example, when I purchased my first MacBook Pro I inquired about antivirus software and the sales person told me that Macs never suffer from viruses. Speaking of antivirus software, I prefer Kaspersky Internet Security for my Mac, PC, and mobile devices.

FileVault

With FileVault, your data is safe and secure — even if your Mac falls into the wrong hands (remember those men in black). FileVault encrypts the entire drive on your Mac, protecting your data with XTS-AES 128 encryption. Initial encryption is fast and unobtrusive. It can also encrypt any removable drive, helping you secure Time Machine backups or other external drives with ease. Encryption slows hard drive access somewhat and may affect tasks that involve a lot of data, such as movie editing.

Depending on how much data is in your home directory, the initial encryption process could take a while. If you’re working on your laptop, plug in the charger.

Firewall

What else is there to say here except make sure you have turned on the firewall. Of course, it is likely that you have a firewall on your router to protect you from outside threats, but if you are on a local network such as a coffee shop WiFi this firewall will go a long way in providing you a layer of security that you did not have with the firewall disabled.

Privacy

This section allows you to control location services, applications, and diagnostics. There is no right or wrong configuration here for the typical individual because it all comes down to personal needs.

Maintenance

For the most part maintaining your Mac is painless, but depending upon your use and configuration you may have to take additional steps. The following are core activities everyone should follow.

  • Keep your Mac OS updated to take advantage of security updates and other improvements.
  • Keep your applications updated to take advantage of security updates and other improvements.
  • Do not root, jailbreak, or otherwise unlock your device.
  • Only install trusted applications.
  • Before you sell or give away your computer, erase the hard drive securely.

Additional Best Practices

Consider these additional options for enhanced security for your computer and the data maintained on or accessed from it.

  • Back up your data. Always keep a backup copy of files you do not wish to lose
  • Choose web browser security settings that protect your privacy and enhance security
  • Protect yourself online. Learn about strong passwords, how to protect your identity, how to avoid phishing scams, and more
  • Put a sticker on your computer with your name and contact information. This low-tech, step enables somebody to contact you if they find your lost computer
  • Encrypt external hard drives

Malware and the risk to cybersecurity

Malware is widespread and continues to grow with each passing day. There are even recent reports that adware vendors are actively purchasing Chrome extensions to peddle their adware and malware. If you are not familiar with what malware really is, the gist of it is essentially malicious software. In many ways malware is a lucrative business, but it is also very damaging and illegal. You need to understand that the delivery method of malware can include websites, email, electronic documents, and so much more. Think of it this way: the black hat finds a vulnerability, which is a weakness in your defensive measures, and then the black hat launches an exploit, which is a way to take advantage of the vulnerability.

Ask yourself the following question. Do you patch all software on your computer, including the operating system? If not, you are likely a prime target because known vulnerabilities are simpler to exploit than determining whether a new vulnerability exists. Some argue that antivirus software is essentially useless because it fails to protect 100% of the time, but that is a poor argument. In my mind this argument is no different than someone saying you do not need to place locks on your doors because the windows can be broken. The fact is you need a defense in depth approach and antivirus software is one measure of defense. In fact, I prefer Kaspersky Labs and they were awarded Product of the Year for 2013 by AV-Comparatives.

The Kaspersky Security Bulletin 2013 paints a harsh picture of just how prevalent malware was during 2013 as related to the mobile landscape.

2013 Malware Mobile Operating System Stats

2013 Malware Mobile Operating System Types Stats

It is important to understand that, while I highlighted the mobile technology stack, malware is in no way restricted to mobile technology. I decided to point out mobile devices because they are so prevalent today. For example, every time I walk into Starbucks for a coffee I see customers paying with their mobile device. I understand the convenience, but the risk outweighs the convenience and I choose not to use my iPhone for payment. However, maybe I am still at risk due to malware, improper security, and the fact that a credit card can easily be stolen. If you have any doubt that credit cards are at risk, just look to Target.

Of course malware is also used for National Security and it seems the NSA may have been intercepting hardware orders to install spy malware.

Point of Sale

PC World recently published an article titled Six more US retailers attacked like Target, security firm says in which malware is front and center. The malware in question is BlackPOS and, according to reports, a 17-year-old from Russia created the software. The language behind BlackPOS is identified as VBScript and it essentially accesses the Point of Sale (POS) device’s Random Access Memory (RAM) before credit card data is encrypted. Reports indicate that BlackPOS is sold for just around $2,000.00, which can be lucrative for the developer, especially seeing that the malware has been proven both efficient and viable.

If you are interested in reviewing Decebal, which is also a POS Malware package, jump over to IntelCrawler.

From my point of view, the troubling fact is that security research surrounding POS devices is finding that, more often than not, the default password assigned to the device had not been changed. For example, the default password for the Corner Store POS is “admin123”, which in itself is simple to crack. Personally I am not a fan of a default password on any device. Rather, I believe a better approach is to have the owner of the device establish a password as soon as the device has been powered up. If you are interested in default passwords, check out Security Override or RouterPasswords. There are many more sites available, but these two should demonstrate just how quick and easy it is to obtain a default password.

I must say it makes one wonder just how exactly audits are conducted with those vendors who accept credit cards, because I am sure the PCI Security Standards Council covers passwords. Maybe those entities who are conducting the audit are the problem. Who really knows? While cybersecurity is a complex and ever-changing effort, the fact remains that organizations either do not understand security requirements or, worse, maybe they choose to cut cost by not addressing cybersecurity.

Just as a side note, it amazes me that people will freely post pictures of their credit or debit cards on Twitter. Just check out the Twitter account @NeedADebitCard.

Malware Research

If you are really interested in a closer look at malware there are many sites that will lead you to a variety of malware offerings. I will list a handful of such sites, but you must understand that these sites are considered to be malicious and you accept all responsibility should you decide to take the red pill.

  1. MalwareBlacklist
  2. Open Malware
  3. VirusShare
  4. Syrian Malware Samples

Conclusion

Protecting yourself from malware is not overly difficult and there are a few steps you should take. Those steps are:

  1. Up-to-date security software is the best way to help protect your computer.
  2. New malware is written every day. Many of these threats target vulnerabilities in your software. Software companies regularly release updates that fix these vulnerabilities. To help stay protected you should regularly update all your software. This includes programs like Java, Adobe and Flash.
  3. Understand how malware works! Malware authors use several common tricks to install their malicious software on your computer. Understanding the most common ways they do this can help you stay protected.
  4. Use a firewall.
  5. Limit user privileges.

What can we learn from the 2013 Adobe database breach

In early October 2013, Adobe announced that they had fallen victim to a cyberattack and their database was breached to the degree that 2.9 million customers are impacted in one way or another. From my point of view it is great that Adobe regrets the incident and apologizes for the inconvenience, but I believe that we as consumers should and must demand so much more than a simple “we are sorry”.

In the event this breach is new to you, then I urge you to visit Troy Hunt’s new site ‘;–have i been pwned? Troy has done an exceptional job of bringing together, in a single location, vendors that were compromised in one way or another. At the time of this article, Troy offers eight vendors that you can search by email address to determine if you may be at risk.

';--have i been pwned?

How easy is that?

Preparing the Database

I set out to find the database myself and give it a look firsthand. I am not going to point you to users.tar.gz (3.8 GB compressed, just under 9 GB uncompressed). If you set out to find the database it is useful to know that the record format is:

<some uid>-|--|-<email address>-|-<encrypted password>-|-<password hint>|--

At this point, I fired up my Windows Server 2012 VM and installed MySQL. Next, I created a database named Adobe and established a table named creds that I would import the Adobe data into.

CREATE TABLE `creds` (
    `customer_id` varchar(300) DEFAULT NULL,
    `username` varchar(300) DEFAULT NULL,
    `email` varchar(300) DEFAULT NULL,
    `password` varchar(200) DEFAULT NULL,
    `hint` varchar(200) DEFAULT NULL
);

To import the data go ahead and drop out to a command prompt and connect to the MySQL database instance. Once connected, execute the following command (note: I renamed cred to cred.csv and it took about 30 minutes for the import to run):

load data local infile 'c:\\cred.csv' into table adobe.creds fields terminated by '-|-' lines terminated by '|--';

mysql command prompt

Success! I now have 152,988,937 records ready for analysis.

Analyzing the Database

If there is one thing that holds true it is the fact that the individual is very often the weakest point of security. For example, just take a look at the hints individuals selected. For the most part what I saw was very basic one-word hints. Now, to be fair, I am not sure if Adobe limited hints to a single word. Also, I am not a fan of password hints because it has been my experience that individuals often use a hint that easily compromises the password itself. If you are interested in gaining insight into the topic of passwords and this breach then you should check out the article from Sophos.

mysql query result

Tip: In the event you are receiving error code 2013 while executing a query, then here is the fix. Just change 600 to whatever works for you within the MySQL Workbench preferences.

Edit → Preferences → SQL Editor → DBMS connection read time out (in seconds): 600

Number of Hints where the value is Password

Number of Hints where the value is 123456

Top 10 Hints

Number of Common Passwords
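As an added example (not the author's code, and the records below are constructed, not taken from the dump), the following Python reproduces what the LOAD DATA import above does with the -|- and |-- separators and then runs the hint tally from the analysis above over the result, so the empty username column and the count of hints equal to "password" can be seen on a handful of records.

```python
from collections import Counter

FIELD_SEP = "-|-"
RECORD_SEP = "|--"
COLUMNS = ("customer_id", "username", "email", "password", "hint")

# Constructed sample in the dump's layout (uids, addresses, ciphertext
# placeholders and hints are all made up for this example):
#   <uid>-|--|-<email>-|-<encrypted password>-|-<hint>|--
SAMPLE_DUMP = "\n".join([
    "100001-|--|-alice@example.com-|-ENCPW_PLACEHOLDER_A-|-password|--",
    "100002-|--|-bob@example.com-|-ENCPW_PLACEHOLDER_B-|-123456|--",
    "100003-|--|-carol@example.com-|-ENCPW_PLACEHOLDER_A-|-same as gmail|--",
    "100004-|--|-dave@example.com-|-ENCPW_PLACEHOLDER_C-|-Password|--",
])


def parse_dump(text):
    """Tokenise the dump into records of five fields.

    The field terminator is tested before the record terminator at every
    position, so the "-|--|-" run between uid and email is read as two
    field terminators with an empty field between them: that empty field
    is the unused username column of the creds table.
    """
    records, fields, cur = [], [], []
    i, n = 0, len(text)
    while i < n:
        if text.startswith(FIELD_SEP, i):
            fields.append("".join(cur).strip())
            cur = []
            i += len(FIELD_SEP)
        elif text.startswith(RECORD_SEP, i):
            fields.append("".join(cur).strip())
            cur = []
            if len(fields) != len(COLUMNS):
                raise ValueError(f"malformed record: {fields!r}")
            records.append(dict(zip(COLUMNS, fields)))
            fields = []
            i += len(RECORD_SEP)
        else:
            cur.append(text[i])
            i += 1
    if "".join(cur).strip() or fields:
        raise ValueError("trailing partial record")
    return records


def hint_counts(records):
    """Case-insensitive tally of non-empty hints, most common first."""
    counts = Counter(r["hint"].lower() for r in records if r["hint"])
    return counts.most_common()


def count_hint(records, value):
    """How many users chose exactly this hint (case-insensitive)."""
    return sum(1 for r in records if r["hint"].lower() == value.lower())


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print(f"{len(recs)} records")
    print("hints equal to 'password':", count_hint(recs, "password"))
    for hint, n in hint_counts(recs)[:10]:
        print(f"{n:>4}  {hint}")
```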

The ultimate point of failure is always the individual. Your average individual doesn’t even begin to understand the need for a strong password much less security in general, so individuals select passwords that are easy to remember. At the end of the day, the key take away from all of this is the fact that individuals will choose poor passwords. According to Google the top ten common passwords are:

  1. Pet’s name
  2. Significant dates (like a wedding anniversary)
  3. Date of birth of close relation
  4. Child’s name
  5. Other family member’s name
  6. Place of birth
  7. Favourite holiday
  8. Something related to favourite football team
  9. Current partner’s name
  10. The word “password”

To this end the Stricture Consulting Group has analyzed the Adobe breach and outlined the top 100 passwords. Just take a look at the top ten and you will clearly see the weakness.

  1. 123456
  2. 123456789
  3. password
  4. adobe123
  5. 12345678
  6. qwerty
  7. 1234567
  8. 111111
  9. photoshop
  10. 123123

End Users and Passwords

Apart from hashing you should also force your users to choose a password which is built upon the defined password policy. Unfortunately our memories aren’t designed to remember and generate random sequences of characters and this is the reason we continue to see weak passwords or even reuse of passwords. To attack hashed passwords there are different strategies:

  • Dictionary Attacks
  • Bruteforce
  • Rainbow Tables

Password Hashing

Too many organizations simply hash a password and unfortunately this is not enough.

A common hash is MD5, which takes a string of any length and computes a 128-bit fingerprint from it. Hashing the same string with the MD5 algorithm will always result in the same 128-bit hash output. MD5 hashes are commonly used with smaller strings when storing passwords or other sensitive data in databases.

Assume for a moment that an individual selects their desired password and it is hashed using MD5 and stored in the database as 5f4dcc3b5aa765d61d8327deb882cf99. On the surface this hash looks to be unusable; however, the truth is this MD5 hash is easily reverse engineered by using hash.org’s search feature. A quick search yields that the MD5 hash is the word password.

5f4dcc3b5aa765d61d8327deb882cf99:password

MD5 hashes are also used to ensure the data integrity of files. Because the MD5 hash algorithm always produces the same output for the same given input, users can compare a hash of the source file with a newly created hash of the destination file to check that it is intact and unmodified. To demonstrate this point I will use WinMD5 which is a free tool that runs on a Windows operating system. The vendor provides the following hash to verify the file has not been tampered with.

WinMD5Free.zip MD5: 73f48840b60ab6da68b03acd322445ee

If you are running OSX, open a terminal session and verify the hash by entering md5 winmd5free.zip

Terminal command to verify MD5 hash

Using WinMD5 is just as simple:

WinMD5 dialog

An MD5 hash is NOT encryption. It is simply a fingerprint of the given input. However, it is a one-way function, and as such it is almost impossible to reverse an MD5 hash to retrieve the original string; the lookup above only worked because the input was a common word that someone had already hashed. I realize that I have deviated from the topic of the Adobe breach, but I felt it was important to talk about how MD5 can be used when it comes to file integrity.

We hash passwords in the event an attacker gains access. An organization can implement and educate users about security, but at the end of the day users need to be protected from themselves. More often than not security is a subject that end users either do not understand or choose to ignore. There are end users who use the same password across a number of sites, and because of this fact a single breach in security may lead to an attacker gaining access to other sites. For example, if an end user uses the same password on Facebook, Gmail, and LinkedIn then the attacker may also gain access to those accounts.

Hashing passwords helps to deter an attacker. The idea is to make it as difficult as possible to retrieve those passwords using a brute-force attack. Hashing passwords will not make your site any more secure, but it will provide a level of deterrence.

Pass the Salt

We can randomize the hashes by appending or prepending a random string, called a salt, to the password before hashing. The salt needs to be unique per-user and per-password. Every time a user creates an account or changes a password, this password should be hashed using a new random salt. Never reuse a salt!

The main purpose behind a salt is to make the hashed password (if retrieved) stronger against dictionary look-up attacks. Those of you who are writing software I urge you to check out the article Storing User Passwords Securely: hashing, salting, and Bcrypt. In short, computing a hash with salt makes it more difficult for would-be hackers. For example, using the following two methods you can secure a password.

using System;
using System.Security.Cryptography;
using System.Text;

/// <summary>
/// Generates the salt.
/// </summary>
/// <returns>random salt of type string</returns>
public static string GenerateSalt()
{
    const int minSaltSize = 12;
    const int maxSaltSize = 25;

    // Pick a salt length between the two bounds; the length itself need not be secret.
    var random = new Random();
    int saltSize = random.Next(minSaltSize, maxSaltSize);

    // Fill the salt bytes from the cryptographic random number generator, not System.Random.
    var rng = new RNGCryptoServiceProvider();
    var buffer = new byte[saltSize];
    rng.GetBytes(buffer);
    return Convert.ToBase64String(buffer);
}

/// <summary>
/// Gets the MD5 hash.
/// </summary>
/// <param name="input">The input (for example the salt concatenated with the password).</param>
/// <returns>hexadecimal string</returns>
public static string GetMd5Hash(string input)
{
    MD5 md5Hash = new MD5CryptoServiceProvider();

    // Convert the input string to a byte array and compute the hash.
    byte[] data = md5Hash.ComputeHash(Encoding.UTF8.GetBytes(input));

    StringBuilder sBuilder = new StringBuilder();

    // Loop through each byte of the hashed data
    // and format each one as a hexadecimal string.
    foreach (byte t in data)
    {
        sBuilder.Append(t.ToString("x2"));
    }

    // Return the hexadecimal string.
    return sBuilder.ToString();
}

The result is:

Database Table

Console Window

Download example ConsoleApplicationHashSalt (MD5 Checksum: 64160c7f5cc8841eeab66f441404eed1)

National Institute of Standards and Technology (NIST)

NIST has issued Special Publication SP 800-132 on the subject of storing hashed passwords. This Recommendation specifies a family of password-based key derivation functions (PBKDFs) for deriving cryptographic keys from passwords or passphrases for the protection of electronically-stored data or for the protection of data protection keys.
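As an added example (not the page's own code, nor Adobe's, NIST's or the linked article's), the following Python puts the salt-plus-MD5 scheme of the two C# methods above beside a PBKDF2-HMAC-SHA256 form of what SP 800-132 recommends; the lookup table, the iteration count and the "$"-separated storage format are this example's own choices.

```python
import hashlib
import hmac
import secrets

# Everything below is constructed for this example: the lookup table, the
# iteration count and the "$"-separated storage format are choices made here.


def md5_hex(text):
    """Plain MD5 of a string, hex encoded (what GetMd5Hash returns for that string)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Unsalted MD5 maps the same password to the same digest every time, so a
# precomputed table (here a tiny one) answers the "reverse lookup" instantly.
LOOKUP_TABLE = {md5_hex(p): p for p in ("123456", "password", "qwerty", "adobe123")}


def lookup_md5(digest):
    """Return the password behind an unsalted MD5 digest if it is in the table."""
    return LOOKUP_TABLE.get(digest)


def generate_salt(num_bytes=16):
    """Random per-user salt from the OS CSPRNG (the RNGCryptoServiceProvider role)."""
    return secrets.token_bytes(num_bytes)


def md5_salted(password, salt):
    """Salt + MD5, the scheme the GenerateSalt/GetMd5Hash pair implements.

    A fresh salt per user defeats the precomputed table, but MD5 stays cheap,
    so each hash can still be guessed at high speed once its salt is known.
    """
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


PBKDF2_ITERATIONS = 600_000  # raise as hardware gets faster


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """PBKDF2-HMAC-SHA256, one of the SP 800-132 PBKDFs.

    The record carries its own parameters so the iteration count can be
    increased later without touching rows hashed under the old setting.
    """
    salt = generate_salt()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format: " + algo)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    digest = md5_hex("password")
    print(digest, "->", lookup_md5(digest))  # the table hands the word straight back
    salt_a, salt_b = generate_salt(), generate_salt()
    print(md5_salted("password", salt_a) == md5_salted("password", salt_b))  # False
    record = hash_password("password")
    print(record[:40] + "...", verify_password("password", record))
```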

NIST states that a crypto key must be random if the security of cryptography is to be successful. Now it makes one stop and think: if the key must be random, then why, as reported, did a $10m NSA contract with security firm RSA lead to an encryption ‘back door’? If the article is accurate, any formula that allows anyone to bypass crypto for any reason whatsoever defeats the purpose of crypto in the first place.

Conclusion

Adobe is not the only company to fall victim to a breach and they certainly will not be the last. In fact, Target, Snapchat, and Neiman Marcus have all fallen victim in recent weeks. Check out this infographic from Information is Beautiful.

World's Biggest Data Breaches

It seems organizations are doomed to fall victim to a security breach. Do you have any concerns as related to your personal information?

Life in a digital world means little or no privacy

I want to start 2014 off by looking at security and privacy. One can argue that we are more secure today than we were just a few short years ago, but security comes at a cost and that cost is privacy. During discussions with others that I come into contact with, I am disturbed when I hear the response “if you are doing nothing illegal then you have nothing to worry about”. Obviously these individuals have no idea what privacy means. For those individuals, the Webster Dictionary defines privacy as the state of being alone. For those of you who subscribe to the idea of “if you are doing nothing illegal then you have nothing to worry about”, may I have your WiFi and internet account credentials? I bet you are then not so willing to share this private information.

George Orwell’s 1984

The book 1984 was George Orwell’s chilling prophecy about the future and while 1984 has come and gone, Orwell’s narrative is timelier than ever. 1984 presents a startling and haunting vision of the world, so powerful that it is completely convincing from start to finish. No one can deny the power of this novel, its hold on the imaginations of multiple generations of readers, or the resiliency of its warnings. The point in this book is a legacy that seems only to grow with each passing day. In many ways I believe we are living out George Orwell’s prophecy.

For many individuals the answer to privacy is encryption, but there have been a number of stories during 2013 that point to the fact that the government may have back door access, which essentially renders encryption useless. There are also laws, known as key disclosure laws, that require an individual to turn over crypto keys to law enforcement. The United States does not have such a law, but this has not prevented judges from requiring individuals to turn over passwords. Now I am not a legal scholar, but turning over a password to decrypt data is no different than, say, turning over a key to a lock box.

If you do not think Big Brother is involved in every day aspects of your life, stop for a moment and consider your physical and digital footprint. We carry a GPS on us at all times with modern day smartphones, we use customer reward cards at our favorite grocery store, we have WiFi in our cars, and there are cameras all over public places that capture photos or video on a daily basis. To this end, I will present a number of topics that everyone likely engages in on a daily basis that essentially puts an end to privacy.

Radio-frequency Identification (RFID)

You will find RFID chips in just about every aspect of life. For example, credit cards, driver’s licenses, supply chains, easy passes, and even your car. As I researched RFID technology, both from academic and free market resources, they often make it sound as though the technology is for our protection. In other words, this is all done in the name of the greater good.

In 2012 Goodyear began placing RFID chips into tires. These chips are programmed with a unique code that identifies the tire, enabling automatic reading of the type and size of the tire as well as its unique identity number. In the case of Goodyear, these RFID chips were initially used in racing vehicles. However, a Korean company called Kumho Tires will start placing RFID chips in the tires it produces beginning in 2014.

Just a few short years ago many began predicting that RFID chips would be implanted into individuals. The idea is the use of biometrics along with RFID to protect us as well as make our everyday life events that much easier. The thing that they do not tell you is that anyone can track your activities, both physically and digitally, with the proper technology. In fact, you then become a talking, walking, and breathing target for hackers.

Photos

Many of us love taking pictures of our travels, friends, and family. The problem is these pictures very often tell a story that you may not want told to others. The idea is that a picture contains what is known as metadata, which essentially means there is data about the data, and you would never know this data exists unless you know how to find it.

For example, consider the following photo of Kirsten Dunst that I found via Google.

Kirsten Dunst photo metadata

By taking the GPS coordinates from the photo, I now know that the address is China, Jiangsu, Suqian, Suyu, 006.

Map depicting specified GPS coordinates to yield an address

If you are interested in removing the metadata from your own pictures be sure to read 3 Ways To Remove EXIF MetaData From Photos (And Why You Might Want To).

Technology

2013 is a year that I believe we will not soon forget and much of the news was centered on the National Security Agency (NSA). It seems each week another story breaks where the NSA may or may not be overstepping authority with National Security here in the United States.

I am not going to get into the debate whether if Edward Snowden is a traitor or a hero. We all have our own opinions and we are entitled to those opinions. All I will say is there is a need for whistle blowers, but breaking the law is not right under any circumstance. People, companies, and Government must be held accountable and it is up to us as citizens to ensure this is the case.

When it comes to technology, many individuals think about computers and smartphones, but the truth is there are many devices on the market that make use of the same technology found in computers and smartphones. Recently I saw a report of baby monitors being broken into where individuals either were watching via the camera or speaking obscene words via the speaker. I picked a random baby monitor to see what the vendor stated about security. I found a vendor that claims that by using FHSS technology, each camera securely transmits encrypted video and audio data to your monitor unit, and that you can rest assured that no one else is viewing your video or audio feed. This is a bold statement and I would ask the vendor what guarantee they provide. I am sure the vendor in question would never make such a guarantee, and this is because technology cannot be 100% secure. In fact, I ran across a research paper where the authors stated “It should be pointed out that systems like HomeRF use FHSS modulation in order to comply with FCC regulations governing operation in the 2.4 GHz ISM band. These techniques are aimed at regulatory compliance, not security enhancement.”

We all love our tech and I am no different. The problem resides in not understanding the technology and what data is collected, stored, and shared. Consider for a moment Google Maps. This is a wonderful and extremely useful application and for the average person, you may not realize just how much information others can find out about you.

For example, Christmas of 2013 I went to my mother’s house which is in Eastern Tennessee for a visit. Being that I carry my trusted iPhone Google knew exactly where I was, how I traveled, and the time frames from city to city. Don’t believe this is true? Give the following image a view and you can clearly see my travel route as well as the fact that I entered Chattanooga, Tennessee at 4:39 PM. Dangerous information in the wrong hands and I submit to you that the government likely can gain access to this information with all the news coming out of the NSA in 2013.

Google Maps location history

To disable your location history, jump over to Google Maps location history and disable this feature.

Spy Gadgets

There are a number of products on the market that you may find of interest. These types of gadgets may sound a little off the wall, but many of them may prove useful and, if nothing else, they are likely to be informative.

The Sonic Technology Products ElectroSensor is a simple, accurate, affordable Gaussmeter that measures electromagnetic fields with the push of a button on the hand-held meter. You can quickly and accurately measure the level of EMFs emitted by all common electrical appliances and equipment. The LED light bar scale measures from 1.5 to 30 milligauss. The pick-up coil is located in the tip of the unit, which can be rotated for increased directionality. Ghost hunters and paranormal investigators also use the ElectroSensor to measure changes in electromagnetic fields.

How about a Biometric Portable Acquisition Center (BPAC)? This device is a handheld rugged computer with built-in biometrics, an Ultra Mobile Personal Computer (UMPC) for every industry. A BPAC can collect and process biometric and other relevant in-the-field information. Many BPACs include a touch-readable LCD, a FIPS 201.1 compliant fingerprint scanner, an iris camera with IR illuminator, facial recognition through an integrated video camera, GPS, IEEE 802.11 b & g, a digital voice recorder, an optical barcode reader, easy-to-use biometric software, or even SDK support.

Need to protect your face at night from all those cameras on the street? Consider purchasing a ball cap with LED lights or make your very own. A hat with LED lights at night will essentially make it impossible for a camera to pick out your face.

How about portable RFID readers? These are easily found and purchased for a nominal fee. Also you may want to consider secure sleeves for any cards that you have with RFID chips. If you are in a pinch, you can grab aluminum foil and wrap your card as a temporary measure.

Conclusion

At the end of the day we are going to have to decide between convenience and privacy. Companies offering cloud computing and “free services” are very likely losing money on the service offering to the individual. Encryption is quickly becoming meaningless because it is not used, is misused, or the crypto keys are not protected. I believe that fewer and fewer companies will continue to provide cloud services as consumers begin to understand that these providers have lost control of the data. These companies, while publicly traded, are increasingly viewed as merely government owned and operated NSA subsidiaries.

The use of technology and the information contained within serve a need, but consumers must both know and understand exactly what information is collected and stored. I would even go as far as saying that consumers must know how to sanitize information that they may not want others having.

Government checks and balances are not effective for a number of reasons. For example, the idea of collecting cell phone communications in the name of protecting the country against possible terrorist attacks plays on the fear of citizens. Think about this for a moment: I am not saying that we should not protect our country, but what cost are we willing to pay?

I'm not promoting Jacob Appelbaum's personal views, but he makes a number of interesting points that leave plenty of room for thought and debate. He provides a great deal of information about troubling aspects of the security programs being run today.

I try to do what I can to protect myself and my privacy, but it becomes harder to do so as technology advances, companies fail to protect privacy, and government agencies overreach. As an individual who is a heavy consumer of technology and has worked in the field for twenty years, I have seen first hand the changes, and they are scary. In many ways, I believe that to have privacy we may have to walk away from the same technology that makes our daily lives convenient.

Fingerprinting a web server with httprecon

Web applications are unfortunately vulnerable, and for this reason they are often the gateway for attacks. An attacker is going to perform reconnaissance to understand where a weakness may reside. Of course, understanding what web server platform is running is critical to understanding what type of attack may or may not be successful. In other words, knowing the application server, one can then begin investigating what vulnerabilities may exist.

There are a variety of tools and mechanisms you may employ to fingerprint your target. One such tool is httprecon; its user interface is very simple and provides a wealth of information. If you are not interested in installing software, then Port80 Software has a number of tools that can be used from a browser, one of which is ServerMask. Other online options include NetCraft and Shodan. Finally there is the tried and true Nmap.

nmap -sV www.somewhere.com

If you are running a Windows machine you can drop out to a command prompt and use telnet to perform banner grabbing. Be sure to enter the desired IP address and the appropriate port number.

telnet 127.0.0.1 80

At this stage you should see an empty command prompt with a flashing cursor. Go ahead and enter the following command and press Enter twice.

HEAD / HTTP/1.0

The result is:

Telnet Banner Grabbing

When it comes to httprecon, it works by sending out nine legitimate and not-so-legitimate requests.

httprecon GUI

Here I ran a request against a target of 127.0.0.1, which I will tell you now is a Windows Server 2012 instance.

List of Matches

Name Hits Match
1. Microsoft IIS 7.0 82 100%
2. Microsoft IIS 6.0 74 90.24%
3. Apache 1.3.37 67 81.71%
4. Apache 2.2.3 65 79.27%
5. Apache 2.2.4 65 79.27%
6. Microsoft IIS 5.0 64 78.05%
7. Apache 1.3.33 64 78.05%
8. Apache 1.3.26 63 76.83%
9. Apache 1.3.27 63 76.83%
10. Apache 1.3.34 63 76.83%
11. Apache 1.3.39 63 76.83%
12. Apache 2.2.6 63 76.83%
13. and-httpd 0.99.11 62 75.61%
14. Apache 1.3.31 62 75.61%
15. Apache 2.2.8 62 75.61%
16. Oracle Application Server 9i 9.0.2 62 75.61%
17. Apache 2.0.46 61 74.39%
18. Apache 1.2.6 60 73.17%
19. Apache 1.3.17 60 73.17%
20. Apache 1.3.35 60 73.17%

HTTP Response Header

Timing Minimum: 0.082 seconds
Timing Maximum: 0.113 seconds
Timing Average: 0.091 seconds

get_existing
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Mon, 16 Dec 2013 18:20:46 GMT
Accept-Ranges: bytes
ETag: "1e94b8a8bface1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 17 Dec 2013 00:31:41 GMT
Content-Length: 701
get_long
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 17 Dec 2013 00:31:41 GMT
Connection: close
Content-Length: 324
get_nonexisting
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 17 Dec 2013 00:31:41 GMT
Content-Length: 4839
head_existing
HTTP/1.1 200 OK
Content-Length: 701
Content-Type: text/html
Last-Modified: Mon, 16 Dec 2013 18:20:46 GMT
Accept-Ranges: bytes
ETag: "1e94b8a8bface1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 17 Dec 2013 00:31:41 GMT
options
HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/8.5
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Tue, 17 Dec 2013 00:31:41 GMT
Content-Length: 0
delete_existing
HTTP/1.1 405 Method Not Allowed
Cache-Control: private
Allow: GET, HEAD, OPTIONS, TRACE
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 17 Dec 2013 00:31:41 GMT
Content-Length: 5269
wrong_method
HTTP/1.1 405 Method Not Allowed
Cache-Control: private
Allow: GET, HEAD, OPTIONS, TRACE
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 17 Dec 2013 00:31:41 GMT
Content-Length: 5269
wrong_version
HTTP/1.1 505 HTTP Version Not Supported
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 17 Dec 2013 00:31:41 GMT
Connection: close
Content-Length: 350
attack_request
HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 17 Dec 2013 00:31:41 GMT
Content-Length: 4950

Fingerprint Details

get_existing
Protocol Name HTTP
Protocol Version 1.1
Statuscode 200
Statustext
Banner Microsoft-IIS/8.5
X-Powered-By ASP.NET
Header Spaces 1
Capital after Dash 1
Header-Order Full Content-Type,Last-Modified,Accept-Ranges,ETag,Server,X-Powered-By,Date,Content-Length
Header-Order Limit Content-Type,Last-Modified,Accept-Ranges,ETag,Server,Date,Content-Length
Options-Allowed
Options-Public
Options-Delimiter
ETag "1e94b8a8bface1:0"
ETag-Length 18
ETag-Quotes "
Content-Type text/html
Accept-Range bytes
Connection
Cache-Control
Pragma
Vary-Order
Vary-Capitalized
Vary-Delimiter
htaccess-Realm
get_long
Protocol Name HTTP
Protocol Version 1.1
Statuscode 400
Statustext
Banner Microsoft-HTTPAPI/2.0
X-Powered-By
Header Spaces 1
Capital after Dash 1
Header-Order Full Content-Type,Server,Date,Connection,Content-Length
Header-Order Limit Content-Type,Server,Date,Connection,Content-Length
Options-Allowed
Options-Public
Options-Delimiter
ETag
ETag-Length 0
ETag-Quotes
Content-Type text/html; charset=us-ascii
Accept-Range
Connection close
Cache-Control
Pragma
Vary-Order
Vary-Capitalized
Vary-Delimiter
htaccess-Realm
get_nonexisting
Protocol Name HTTP
Protocol Version 1.1
Statuscode 404
Statustext
Banner Microsoft-IIS/8.5
X-Powered-By ASP.NET
Header Spaces 1
Capital after Dash 1
Header-Order Full Cache-Control,Content-Type,Server,X-Powered-By,Date,Content-Length
Header-Order Limit Cache-Control,Content-Type,Server,Date,Content-Length
Options-Allowed
Options-Public
Options-Delimiter
ETag
ETag-Length 0
ETag-Quotes
Content-Type text/html; charset=utf-8
Accept-Range
Connection
Cache-Control private
Pragma
Vary-Order
Vary-Capitalized
Vary-Delimiter
htaccess-Realm
head_existing
Protocol Name HTTP
Protocol Version 1.1
Statuscode 200
Statustext
Banner Microsoft-IIS/8.5
X-Powered-By ASP.NET
Header Spaces 1
Capital after Dash 1
Header-Order Full Content-Length,Content-Type,Last-Modified,Accept-Ranges,ETag,Server,X-Powered-By,Date
Header-Order Limit Content-Length,Content-Type,Last-Modified,Accept-Ranges,ETag,Server,Date
Options-Allowed
Options-Public
Options-Delimiter
ETag "1e94b8a8bface1:0"
ETag-Length 18
ETag-Quotes "
Content-Type text/html
Accept-Range bytes
Connection
Cache-Control
Pragma
Vary-Order
Vary-Capitalized
Vary-Delimiter
htaccess-Realm
options
Protocol Name HTTP
Protocol Version 1.1
Statuscode 200
Statustext
Banner Microsoft-IIS/8.5
X-Powered-By ASP.NET
Header Spaces 1
Capital after Dash 1
Header-Order Full Allow,Server,Public,X-Powered-By,Date,Content-Length
Header-Order Limit Allow,Server,Public,Date,Content-Length
Options-Allowed OPTIONS,TRACE,GET,HEAD,POST
Options-Public OPTIONS,TRACE,GET,HEAD,POST
Options-Delimiter ,
ETag
ETag-Length 0
ETag-Quotes
Content-Type
Accept-Range
Connection
Cache-Control
Pragma
Vary-Order
Vary-Capitalized
Vary-Delimiter
htaccess-Realm
delete_existing
Protocol Name HTTP
Protocol Version 1.1
Statuscode 405
Statustext Method Not Allowed
Banner Microsoft-IIS/8.5
X-Powered-By ASP.NET
Header Spaces 1
Capital after Dash 1
Header-Order Full Cache-Control,Allow,Content-Type,Server,X-Powered-By,Date,Content-Length
Header-Order Limit Cache-Control,Allow,Content-Type,Server,Date,Content-Length
Options-Allowed GET,HEAD,OPTIONS,TRACE
Options-Public
Options-Delimiter ,
ETag
ETag-Length 0
ETag-Quotes
Content-Type text/html; charset=utf-8
Accept-Range
Connection
Cache-Control private
Pragma
Vary-Order
Vary-Capitalized
Vary-Delimiter
htaccess-Realm
wrong_method
Protocol Name HTTP
Protocol Version 1.1
Statuscode 405
Statustext Method Not Allowed
Banner Microsoft-IIS/8.5
X-Powered-By ASP.NET
Header Spaces 1
Capital after Dash 1
Header-Order Full Cache-Control,Allow,Content-Type,Server,X-Powered-By,Date,Content-Length
Header-Order Limit Cache-Control,Allow,Content-Type,Server,Date,Content-Length
Options-Allowed GET,HEAD,OPTIONS,TRACE
Options-Public
Options-Delimiter ,
ETag
ETag-Length 0
ETag-Quotes
Content-Type text/html; charset=utf-8
Accept-Range
Connection
Cache-Control private
Pragma
Vary-Order
Vary-Capitalized
Vary-Delimiter
htaccess-Realm
wrong_version
Protocol Name HTTP
Protocol Version 1.1
Statuscode 505
Statustext HTTP Version Not Supported
Banner Microsoft-HTTPAPI/2.0
X-Powered-By
Header Spaces 1
Capital after Dash 1
Header-Order Full Content-Type,Server,Date,Connection,Content-Length
Header-Order Limit Content-Type,Server,Date,Connection,Content-Length
Options-Allowed
Options-Public
Options-Delimiter
ETag
ETag-Length 0
ETag-Quotes
Content-Type text/html; charset=us-ascii
Accept-Range
Connection close
Cache-Control
Pragma
Vary-Order
Vary-Capitalized
Vary-Delimiter
htaccess-Realm
attack_request
Protocol Name HTTP
Protocol Version 1.1
Statuscode 404
Statustext
Banner Microsoft-IIS/8.5
X-Powered-By ASP.NET
Header Spaces 1
Capital after Dash 1
Header-Order Full Cache-Control,Content-Type,Server,X-Powered-By,Date,Content-Length
Header-Order Limit Cache-Control,Content-Type,Server,Date,Content-Length
Options-Allowed
Options-Public
Options-Delimiter
ETag
ETag-Length 0
ETag-Quotes
Content-Type text/html; charset=utf-8
Accept-Range
Connection
Cache-Control private
Pragma
Vary-Order
Vary-Capitalized
Vary-Delimiter
htaccess-Realm

I realize I stated early on that the server was Windows Server 2012, and consistent with that, the application server is Internet Information Services (IIS) 8.5, which can clearly be seen in the Server banner of the responses gathered by httprecon (the match list itself, working from its signature database, ranked IIS 7.0 highest).

Obfuscate the HTTP Response

There are a number of ways to tackle the HTTP response, and if you have an administrator who is unwilling or incapable, then the following example of an IIS HTTP module may be of use.

using System;
using System.Web;

namespace ObfuscateHttpResponse
{
    public class ObfuscateHttpResponseModule : IHttpModule
    {
        public void Dispose() { }

        public void Init(HttpApplication context)
        {
            // Fires just before the headers go on the wire, so the Server value
            // IIS added is replaced on every response that passes through the
            // ASP.NET pipeline. Responses that HTTP.sys generates itself (the
            // 400 and 505 seen above, with the Microsoft-HTTPAPI/2.0 banner)
            // never reach this module.
            context.PreSendRequestHeaders += EditResponse;
        }

        void EditResponse(object sender, EventArgs e)
        {
            // Response.Headers is writable only in IIS integrated pipeline mode.
            HttpContext.Current.Response.Headers.Set("Server", "Fingerprinting is not allowed!");
        }
    }
}

Now all you need to do is jump over into the web.config and add this module.

<system.webServer>
  <modules>
    <add name="ObfuscateHttpResponseModule" type="ObfuscateHttpResponse.ObfuscateHttpResponseModule" />
  </modules>
</system.webServer>
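As an added example (not part of the original post or of httprecon), the Python below computes the header features httprecon lists under Fingerprint Details from raw responses constructed out of the get_existing and get_long output above, and then reports which headers still name the platform once the module above has rewritten Server. The set of headers dropped for Header-Order Limit is an assumption taken from the output above, where only X-Powered-By differs between Full and Limit.

```python
import re

# Constructed from the get_existing and get_long header blocks above (bodies
# omitted). HARDENED is the first response after the module above has rewritten
# Server; the 400 is produced by HTTP.sys before ASP.NET runs, so it is not.
GET_EXISTING = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Last-Modified: Mon, 16 Dec 2013 18:20:46 GMT\r\nAccept-Ranges: bytes\r\n"
    'ETag: "1e94b8a8bface1:0"\r\nServer: Microsoft-IIS/8.5\r\n'
    "X-Powered-By: ASP.NET\r\nDate: Tue, 17 Dec 2013 00:31:41 GMT\r\n"
    "Content-Length: 701\r\n\r\n"
)
GET_LONG = (
    "HTTP/1.1 400 Bad Request\r\nContent-Type: text/html; charset=us-ascii\r\n"
    "Server: Microsoft-HTTPAPI/2.0\r\nDate: Tue, 17 Dec 2013 00:31:41 GMT\r\n"
    "Connection: close\r\nContent-Length: 324\r\n\r\n"
)
HARDENED = GET_EXISTING.replace("Microsoft-IIS/8.5", "Fingerprinting is not allowed!")

# Assumption: httprecon's "Limit" order drops framework-level headers; in the
# output above the only header it dropped was X-Powered-By.
APP_HEADERS = {"x-powered-by"}
PRODUCT_RE = re.compile(r"^(Microsoft-IIS|Microsoft-HTTPAPI|Apache|nginx)\b", re.I)

def fingerprint(raw):
    """Compute the features httprecon lists under 'Fingerprint Details'."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    names, values, spaces = [], {}, 0
    for line in head[1:]:
        name, _, rest = line.partition(":")
        spaces = max(spaces, len(rest) - len(rest.lstrip(" ")))  # "Header Spaces"
        names.append(name)
        values[name.lower()] = rest.strip()
    return {
        "Statuscode": int(head[0].split(" ")[1]),
        "Banner": values.get("server", ""),
        "X-Powered-By": values.get("x-powered-by", ""),
        "Header Spaces": spaces,
        "Capital after Dash": int(all(p[:1].isupper() for n in names for p in n.split("-"))),
        "Header-Order Full": ",".join(names),
        "Header-Order Limit": ",".join(n for n in names if n.lower() not in APP_HEADERS),
        "ETag-Length": len(values.get("etag", "")),  # quotes count, hence 18 above
    }

def leaking_headers(raw):
    """Headers that still name the platform: a product in Server, or any X-Powered-By."""
    f = fingerprint(raw)
    return [h for h, leak in (("Server", PRODUCT_RE.match(f["Banner"])),
                              ("X-Powered-By", f["X-Powered-By"])) if leak]
```

X-Powered-By is added by IIS's own customHeaders configuration rather than by ASP.NET code, so the module leaves it in place and it has to be removed in web.config separately; the 400 and 505 responses come from HTTP.sys and never reach a managed module at all.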