Tuesday, November 4, 2014

Creating Scheduled Backup in CheckPoint Smart Center on Windows

If your Check Point Smart Center environment is not highly available, you should make sure that you have a working backup of the Smart Center server. That said, I think it is still important even if you have a highly available setup.

It is very easy to schedule a daily backup on Check Point SPLAT, and it can easily send the backup to an ftp server for safekeeping. The Windows Smart Center environment, however, has no backup scheduling option, and the backup command does not work on Windows either. So you have to keep using upgrade_export.exe to take backups. On Windows Smart Center, upgrade_export.exe is located in the Check Point installation folder. You can start this exe manually and create the backup file, but here I explain how to schedule the upgrade_export tool and how to send the backup file to an ftp server.

The script I share below starts by deleting the existing *.tgz files in the "E:\daily_backup" directory. I delete these files first because, as you can see in the code, the created backup file is a .tgz named with the day it was created on, and the script sends all .tgz files to the ftp server after creating it. If the existing files were not deleted, the same files would be sent to the ftp server again and again.

rem Run from E:\daily_backup (where ftp.txt lives) so "mput *.tgz" finds the archives
cd /d E:\daily_backup
del "E:\daily_backup\*.tgz"
rem Make %date% safe for a filename: replace "/" with "-" and spaces with "_"
set dd=%date:/=-%
set dd=%dd: =_%
E:\FW1\R70\fw1\bin\upgrade_tools\upgrade_export.exe E:\daily_backup\fw_backup%dd%.tgz <E:\daily_backup\line.txt
ftp -i -s:ftp.txt <ftp_server_IP_address>

The ftp.txt file holds the login information (username and password lines) for the ftp server, followed by the transfer commands:

binary
mput *.tgz
quit

The last thing to do here is to create a scheduled task for this batch file.
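As an added check that is not part of the original post: once the task runs unattended, a job that silently produces an empty or corrupt archive is the usual failure mode, so this Python script validates the newest fw_backup*.tgz (directory and name pattern taken from the batch file above; the 36-hour age limit is my assumption) and can be run as a second scheduled task or from a monitoring host.

```python
import glob
import hashlib
import os
import tarfile
import time

BACKUP_DIR = r"E:\daily_backup"    # directory used by the batch file above
MAX_AGE_SECONDS = 36 * 3600        # assumption: a daily job older than 1.5 days has failed


def newest_backup(backup_dir=BACKUP_DIR):
    """Return the most recently modified fw_backup*.tgz in backup_dir, or None."""
    files = glob.glob(os.path.join(backup_dir, "fw_backup*.tgz"))
    return max(files, key=os.path.getmtime) if files else None


def check_backup(path, now=None, max_age=MAX_AGE_SECONDS):
    """Return (ok, detail). ok is True only when the file is a readable gzip
    tar with at least one member and is no older than max_age seconds."""
    if path is None:
        return False, "no backup file found"
    now = time.time() if now is None else now
    age = now - os.path.getmtime(path)
    if age > max_age:
        return False, "backup is %.1f hours old" % (age / 3600)
    try:
        with tarfile.open(path, "r:gz") as tar:
            members = tar.getnames()
    except (tarfile.TarError, OSError) as exc:
        return False, "unreadable archive: %s" % exc
    if not members:
        return False, "archive is empty"
    # Record a checksum so the copy on the ftp server can be compared later
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return True, "%d members, sha256=%s" % (len(members), digest.hexdigest())


if __name__ == "__main__":
    ok, detail = check_backup(newest_backup())
    print(("OK: " if ok else "FAIL: ") + detail)
    raise SystemExit(0 if ok else 1)
```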

Tuesday, March 11, 2014

Phishing Technique and Its Success

Phishing is a social engineering technique that manipulates people into performing the actions the attacker wants. The attacker prepares an e-mail as if it were sent by a known individual or organization, and leads the victim to click on a link that takes the user to a malicious website or downloads a malicious file, or to a fraudulent website that appears legitimate, so that the victim enters his username and password or further personal information.
Phishing is a very successful technique because people do not visit websites carefully, or they do not have the time to be careful and investigate the website or e-mail. One reason may be that they have never been a victim before, or perhaps they do not even know that they were. People easily trust brands, logos and persuasive text. There is a lack of information assurance knowledge.

How Phishing Works

Phishing Examples
As I explained before, phishing is a very successful attack technique. The following cases support this assertion.
In 2011, RSA, one of the biggest security firms, was hacked. The attack targeted RSA's SecurID two-factor authentication product. The attackers sent phishing e-mails with the subject "2011 Recruitment Plan", and after an employee opened the attached Excel file, a zero-day exploit for Adobe Flash was used.
As a newer story, just a few days ago Forbes Magazine was hacked by the Syrian Electronic Army with a phishing mail. You can read the whole story minute by minute directly from Forbes.
Another story is from Turkey. Attackers sent an e-mail with an attachment posing as an electronic bill from a telecom company. When the victim opens the attached file, the malicious code encrypts all usable files on the PC and pops up a warning that he has to pay to have the files decrypted. This malware is called FatMal.
The most effective defense against phishing is user awareness. I will not go into how users can recognize phishing here, but every company should improve awareness. RSA and Forbes are very good examples of that. A single employee whose awareness you have not improved can get you hacked.
“You are as strong as the weakest link in your defense system” Sun Tzu
As a security admin, there are also some precautions you can take. A proxy with a dynamic scanning feature can reduce the chance of being hacked through phishing: even if the user opens the link in the e-mail, the proxy will not let him reach the website.
Even though it is not enough on its own, ensure that all employees' PCs and antivirus agents are up to date. It is not enough because in the Turkish case I described above, the antivirus vendors did not have a signature for the malware: Trend Micro released one two days later, and Symantec five days later.

Tuesday, January 28, 2014

"Additional forensics data is not available" error in Websense DLP

Sometimes, while DLP is otherwise working fine, you may encounter the "Additional forensics data is not available" error in the "Forensics" tab of an incident. This means you cannot see the details of the incident.

It has a very simple solution:

1- Stop the DSSManager service and rename the following folders:
  1. %DSS_HOME%\tomcat\work > work.old
  2. %DSS_HOME%\tomcat\logs > logs.old
  3. %DSS_HOME%\tomcat\temp > temp.old
2- Create a new %DSS_HOME%\tomcat\temp folder and restart the DSSManager service.

Websense says that you should not lose any incident in this scenario, and I have tried it a few times and really did not lose any incidents.

Monday, January 27, 2014

Advantages and Disadvantages of Reputation-Based Anti-Spam Services

One of the most efficient anti-spam techniques is IP reputation filtering. It is also the least costly technique for the anti-spam gateway and can block around 80% (or more) of spam before it reaches your server. First, I want to explain what a "Reputation Service" is for those who don't know, and then its positive and negative effects.

IP reputation services are based on gathering information about IP addresses. When someone tries to send you an e-mail, during the initial connection the reputation service installed on your e-mail security server checks blacklists around the world and gathers information about the sender's IP address. If the sender's IP address is on a blacklist (meaning "this IP address mostly sends spam"), it blocks the message immediately. So the message is blocked before it reaches your server, which saves resources on that server.

In most situations, an IP reputation service can block around 80% of spam, as I explained before. This means that if you do not use an IP reputation service, 80% more messages reach your server and consume CPU and memory. So, by that calculation, you may need twice as many servers to process all these e-mails. Additionally, tests show that when an IP reputation service is used properly, the number of false positives is very small compared to typical content filtering.

Although an IP reputation service provides the advantages explained above, it can also have negative effects on the company's messaging. Assume that you have contacts who regularly e-mail hundreds of their customers, or who use their ISP's SMTP service to send e-mail. It is quite normal for the IP address they use to be flagged as a spammer and end up on a blacklist. In this situation, there is nothing you can do to receive e-mail from this contact. You cannot whitelist the sender, because the filtering happens during the initial connection, when the reputation service does not yet know the sender's domain; it only knows the IP address. Adding the IP address to a whitelist will not work either, because the connection is blocked before the message reaches your content filtering rules. The only remedy is for the sender to get its domain or IP address removed from the blacklists. You may think that this is not your problem: if they cannot send e-mail to you, they cannot send to anyone else either. That is true, but in business it sometimes does not work that way. At this point, activating the IP reputation service becomes a very critical decision.

As a result, it is very important to exercise the critical business processes during the PoC. As I said before, if there is a critical business process that must receive e-mail even when the sender is on a blacklist, test it before you buy or enable the service.

Monday, January 13, 2014

Non-repudiation Problem and Digital Signature

A digital signature is a hash value that has been encrypted with the sender's private key. Non-repudiation is the reason we need digital signatures, so at this point I want to explain the non-repudiation problem a little.

Soft documents are ubiquitous, so it is important to make sure that the sender is the real sender of the document and that it has not been modified in transit. According to Wikipedia, non-repudiation refers to a state of affairs where the purported maker of a statement will not be able to successfully challenge the validity of the statement or contract.

Asymmetric Cryptography
Because digital signatures use the sender's private key, it is important to understand asymmetric cryptography. The public key is available to everyone, and the private key is known only to its owner. When a message is encrypted with the public key, only the corresponding private key can decrypt it. Likewise, when a message is encrypted with the private key, only the corresponding public key can decrypt it. This is what we need for non-repudiation.

Digital Signature
Assume that UserA encrypts the hash of the document with his private key. This encrypted hash is called a digital signature. UserA sends the document and the signature to UserB, and UserB decrypts the signature with UserA's public key. UserB then calculates the hash of the received document and compares it to the decrypted hash value. If the two hashes match, UserB can be sure that the document was sent by UserA.
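The UserA/UserB exchange above, as an added example that is not part of the original post: the "hash encrypted with the private key" scheme is textbook RSA signing, written here with only the Python standard library. The key pair is built from two well-known Mersenne primes and the document text is a constructed sample; the hash is truncated to fit the small demonstration modulus.

```python
import hashlib


def make_keypair(p=2**127 - 1, q=2**89 - 1):
    """Return (public_key, private_key) as ((e, n), (d, n)).
    The defaults are two known Mersenne primes, giving a toy 216-bit modulus."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537                      # public exponent
    d = pow(e, -1, phi)            # private exponent: modular inverse of e
    return (e, n), (d, n)


def document_hash(document: bytes) -> int:
    """SHA-256 of the document as an integer, truncated to 192 bits so that it
    is smaller than the toy modulus (real schemes pad instead of truncating)."""
    return int.from_bytes(hashlib.sha256(document).digest()[:24], "big")


def sign(document: bytes, private_key) -> int:
    """UserA 'encrypts' the hash with the private key: signature = h^d mod n."""
    d, n = private_key
    return pow(document_hash(document), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """UserB 'decrypts' the signature with the public key and compares the
    result with a freshly computed hash of the document he received."""
    e, n = public_key
    return pow(signature, e, n) == document_hash(document)


if __name__ == "__main__":
    public_a, private_a = make_keypair()
    document = b"Transfer 100 EUR to account 1234"   # constructed sample
    signature = sign(document, private_a)
    print(verify(document, signature, public_a))                             # True
    print(verify(b"Transfer 900 EUR to account 1234", signature, public_a))  # False
```

Real implementations use 2048-bit or larger keys with a padding scheme such as PKCS#1 v1.5 or PSS rather than a bare truncated hash.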

Smart Card

Once UserA's private key is stolen, someone else knows it and non-repudiation is broken: the attacker can send messages to others as if he were UserA. That is why the private key must be stored securely. It is recommended to store private keys on smart cards, where the private key is generated on the card and never leaves it.