| Managing Browser Cookies and Other Temporary Internet Files |
| The most misunderstood temporary Internet file is the browser cookie. Browser cookies are used to store information on client computers so that it can be retrieved in other pages or in other browser sessions. Cookies are commonly used to store sign-in information for protected Web sites, user preferences, and shopping cart items. |
|
| Secure Browsing and Local Machine Lockdown in Vista |
| To help make the operating system more secure, Internet Explorer security was revised greatly starting with Windows XP Service Pack 2, and these same changes are in Windows Vista. These security changes affect many areas of the browser and introduce several new features, including: |
|
| Managing Internet Explorer Security Zones |
| Internet Explorer security zones play an important role in ensuring the security of Windows Vista systems. You can use security zones to restrict or permit access to specific types of Web content, including ActiveX controls and plug-ins, file and font downloads, Java applets, and scripts. |
|
| Some Policies That Might Be Useful for Managing Internet Options |
| You'll find many policies for managing Internet Options under User Configuration\Administrative Templates\Windows Components\Internet Explorer. Key policies are summarized in Table 14-2. As you'll see when you examine the table, many of these policies are useful in preventing users from performing specific actions in Internet Explorer and for controlling Internet Explorer behavior. |
|
| Enhancing Computer Security in Vista |
| Security settings are critically important for maintaining the integrity of Windows Vista computers. Computers with weak or improperly configured security are open to a wide variety of attacks whenever they connect to a network. To make it easy to manage and determine the status of various security features, Windows Vista includes Windows Security Center. |
|
| Assembly vs. C |
| So far, the shellcode used in our exploits has been just a string of copied and pasted bytes. We have seen standard shell-spawning shellcode for local exploits and port-binding shellcode for remote ones. |
|
| The Path to Shellcode |
| Shellcode is literally injected into a running program, where it takes over like a biological virus inside a cell. Since shellcode isn't really an executable program, we don't have the luxury of declaring the layout of data in memory or even using other memory segments. |
|
| Shell-Spawning Shellcode |
| Now that you've learned how to make system calls and avoid null bytes, all sorts of shellcodes can be constructed. To spawn a shell, we just need to make a system call to execute the /bin/sh shell program. System call number 11, execve(), is similar to the C execute() function that we used in the previous articles |
|
| Port-Binding Shellcode |
| When exploiting a remote program, the shellcode we've designed so far won't work. The injected shellcode needs to communicate over the network to deliver an interactive root prompt. |
|
| Connect-Back Shellcode |
| Port-binding shellcode is easily foiled by firewalls. Most firewalls will block incoming connections, except for certain ports with known services. This limits the user's exposure and will prevent port-binding shellcode from receiving a connection. |
|
| Hacking :System Daemons |
| To have a realistic discussion of exploit countermeasures and bypass methods, we first need a realistic exploitation target. A remote target will be a server program that accepts incoming connections. |
|
| Hacking - Tools of the Trade |
| With a realistic target in place, let's jump back over to the attacker's side of the fence. For this kind of attack, exploit scripts are an essential tool of the trade. Like a set of lock picks in the hands of a professional, exploits open many doors for a hacker. |
|
| Hacking - Overlooking the Obvious |
| In a real-world scenario, the other obvious sign of intrusion is even more apparent than log files. However, when testing, this is something that is easily overlooked. If log files seem like the most obvious sign of intrusion to you, then you are forgetting about the loss of service. |
|
| Hacking - Advanced Camouflage |
| Our current stealth exploit only camouflages the web request; however, the IP address and timestamp are still written to the log file. This type of camouflage will make the attacks harder to find, but they are not invisible. |
|
| Hacking - The Whole Infrastructure |
| As always, details can be hidden in the bigger picture. A single host usually exists within some sort of infrastructure. Countermeasures such as intrusion detection systems (IDS) and intrusion prevention systems (IPS) can detect abnormal network traffic. |
|
| Payload Smuggling |
| The aforementioned network IDS or IPS systems can do more than just track connections—they can also inspect the packets themselves. Usually, these systems are looking for patterns that would signify an attack. |
|
| Buffer Restrictions |
| Sometimes a program will place certain restrictions on buffers. This type of data sanity-checking can prevent many vulnerabilities. Consider the following example program, which is used to update product descriptions in a fictitious database. |
|
| Hacking - Nonexecutable Stack |
| Most applications never need to execute anything on the stack, so an obvious defense against buffer overflow exploits is to make the stack nonexecutable. When this is done, shellcode inserted anywhere on the stack is basically useless. |
|
| Randomized Stack Space |
| Another protective countermeasure tries a slightly different approach. Instead of preventing execution on the stack, this countermeasure randomizes the stack memory layout. When the memory layout is randomized, the attacker won't be able to return execution into waiting shellcode, since he won't know where it is. |
|
| Information Theory |
| Cryptology is defined as the study of cryptography or cryptanalysis. Cryptography is simply the process of communicating secretly through the use of ciphers, and cryptanalysis is the process of cracking or deciphering such secret communications. |
|
| Algorithmic Run Time |
| Algorithmic run time is a bit different from the run time of a program. Since an algorithm is simply an idea, there's no limit to the processing speed for evaluating the algorithm. This means that an expression of algorithmic run time in minutes or seconds is meaningless. |
|
| Symmetric Encryption |
| Symmetric ciphers are cryptosystems that use the same key to encrypt and decrypt messages. The encryption and decryption process is generally faster than with asymmetric encryption, but key distribution can be difficult. |
|
| Asymmetric Encryption |
| Asymmetric ciphers use two keys: a public key and a private key. The public key is made public, while the private key is kept private; hence the clever names. Any message that is encrypted with the public key can only be decrypted with the private key. |
|
| Hybrid Ciphers |
| A hybrid cryptosystem gets the best of both worlds. An asymmetric cipher is used to exchange a randomly generated key that is used to encrypt the remaining communications with a symmetric cipher. |
|
| Password Cracking |
| Passwords aren't generally stored in plaintext form. A file containing all the passwords in plaintext form would be far too attractive a target, so instead, a one-way hash function is used. |
|
| Wireless 802.11b Encryption |
| Wireless 802.11b security has been a big issue, primarily due to the absence of it. Weaknesses in Wired Equivalent Privacy (WEP), the encryption method used for wireless, contribute greatly to the overall insecurity. |
|
| Host-Based Security in Windows Vista |
| Most of the new security changes directly affect the Windows Vista computer-the host. This section starts with the boot and startup changes, and then discusses the operational aspects. |
|
| Where Windows Malware Hides |
| When hackers or malware accomplish the initial exploit into a computer, the next thing the hacker or malware does is to modify the system so that the maliciousness is hidden and so that they can always re-access the system at will. |
|
| Post-Boot Startup in Windows Vista |
| After Windows Vista boots, additional drivers, services, registry entries, and other "autorun" programs are loaded. The networking components are loaded. Initially, a smaller, temporary, network stack is loaded, enough so that Windows can initiate a DHCP request (if enabled), and use a few other basic services (such as DNS to locate other core network services and hosts). |
|
| Windows Vista Services that You Need Understand |
| While it is important that a Windows administrator understand every service that is running on the computers they manage, the following services are essential to Windows, and at the same time often inadequately understood. |
|
| Registry in Windows Vista |
| The Windows Registry (i.e., the Registry) is a hierarchical local database for storing system and application settings and parameters. If you are used to Unix/Linux, you can think of it as a central, gigantic place to logically store all the data normally contained in all the .conf files related to each application or daemon. |
|
| Logon Authentication in Windows Vista |
| The process of a user logging on to a computer and accessing local or network resources is made up of many individual components, including an identity, authentication, access control, authorization, and auditing. |
|
| Access Control in Windows Vista |
| Once the user (or computer) is successfully authenticated, an access token is created containing the user's security identifier (or SID), the groups they belong to, and the privileges they possess, among other security related items. You can see a particular listing of your access token by typing Whoami /all at a command prompt (see Figure 3-23). |
|
| User Account Control in Windows Vista: Basic |
| UAC is part of a long-term strategy to change the way application developers write code and the way we as end users use the software they write. The idea is to reduce the inherent exposure in having the majority of Windows users running as an administrator all of the time. |
|
| User Account Control Is More Than You Think |
| Only one of those goals deals with the actual elevation task. Yet, the elevation, when an application asks for additional privileges, is what people complain about. The first, overarching, goal has nothing to do with elevation. It is only to enable more people to run as non-admins more of the time. |
|
| UAC and Remote Access |
| UAC also impacts certain types of remote access to a computer running Windows Vista. Exactly how differs between access methods and account types. |
|
| UAC Policy Configuration |
| UAC can be configured with nine different group policy settings (ten if you add the one we discussed previously). This section covers each setting and our recommendation for how to use it. |
|
| Frequently Asked Questions About UAC |
| Having worked with Windows Vista for quite some time now, and monitoring the forums where people ask questions, we find that the same set of questions are asked over and over again about UAC. To streamline this process a little we thought we would answer most of them here as many readers will probably have the same questions. |
|
| Leveraging User Account Control in Applications |
| Programmers no doubt will wish to leverage UAC in applications, and even system administrators often do some programming in their daily jobs. This section is not meant as a complete introduction to how to use UAC in your applications but rather to give some ideas to system administrators to help them perform their tasks more easily. |
|
| Major Access Control List Changes in Vista |
| The fundamental structure of ACLs in Windows Vista is relatively unchanged from Windows XP. Nevertheless, there are a large number of changes that you need to be aware of. ACLs in Windows XP played a large part in several problems: |
|
