Tuesday, November 14, 2017

Common Secure Server Setups For Your Web Application

I have been receiving many queries from industry peers about best-practice recommendations for securely deploying a web server. A common observation is that the web server (e.g. Apache) and the database server (e.g. MySQL) are deployed on a single server, physical or virtual, placed in the DMZ and exposed to Internet users. In that layout a compromise of the web application hands the attacker the database host as well.

As best-practice guidelines for securely deploying a web server, I recommend the following:
  • A 3-tier architecture is the most secure and scalable of the common setups. The software is divided into three tiers: presentation tier, logic tier and data tier. Each tier is developed, deployed and maintained independently, with its own security measures, including firewall protection between the tiers.
  • The database servers belong in a trusted zone of their own, separate from the DMZ.
  • Inter-zone communication must be limited to the minimum required for the service and for monitoring. Only connections initiated from the web/application tier to the database port shall be allowed, and that shall be enforced at a firewall; the database server shall not be able to open connections towards the DMZ.
  • A reverse proxy accepts the untrusted connections from the Internet and can only connect to services on the application servers. The reverse proxy (Apache with mod_security, Varnish, nginx, a WAF, or similar) runs in the proxy zone, and load balancing/failover is added here too if needed.
  • Load balancers can be added to improve performance and reliability by distributing the workload across multiple servers. If one of the load-balanced servers fails, the others handle the incoming traffic until the failed server becomes healthy again. A layer 7 (application layer) reverse proxy can also serve multiple applications through the same domain and port.
  • An HTTP accelerator, or caching HTTP reverse proxy, reduces the time it takes to serve content. Its main technique is caching responses from the web or application server in memory, so that later requests for the same content are served from the cache with less interaction with the web or application servers. Take care that personalised or authenticated responses are never cached and served to another user.
  • Configure public IP addressing only in the proxy zone and private addressing elsewhere. A server outside the proxy zone shall not have a public IP, a NAT mapping, or a default route to the Internet.
  • If you also need to comply with PCI DSS, ensure that you have a firewall at each Internet connection and between the DMZ, the HSZ and the other internal networks.
  • To improve the performance of a database that performs many more reads than writes, such as a CMS, use master-slave database replication. This requires a master and one or more slave nodes: all updates are sent to the master, and reads can be distributed across all nodes. Note that a slave may lag slightly behind the master, so reads that must see the latest write should go to the master.

Thursday, October 19, 2017

Ransomware for Mobile Devices on the Rise


In 2016 and 2017, malware researchers spotted rapid growth in mobile malware, including ransomware. Most smartphones and other mobile devices receive operating system updates late or not at all, leaving them vulnerable to attacks such as advertising trojans that exploit super-user (root) rights.

Mobile ransomware masquerades as a legitimate app in third-party app stores, as a popular game, a Flash or video player, or as a system update. It lurks in app stores and also spreads by means of exploit kits that use as-yet-unknown vulnerabilities. A device can also get infected by visiting pornographic websites or forums, or by clicking a spam link in a text message.

Blocker ransomware is currently the most common kind on mobile devices. It works simply by overlaying the interface of every app with its own, so the victim cannot use any application at all. Sometimes this malware locks the device by hijacking the PIN that secures it: it turns the device's own built-in security against you until you pay the attackers.



How to Protect Your Devices:

  1. Avoid installing untrusted applications. Install applications only from official app stores such as Google Play. To enforce installation only from trusted sources, go to Android Settings, choose Security, and make sure that "Unknown sources" is not checked.
     
  2. Avoid clicking on in-app advertisements. Sometimes in-app ads will direct you to malicious website with exploit kits.
     
  3. Avoid clicking on spam links in text messages.
     
  4. Regularly update your device’s firmware and its installed apps.
     
  5. Install a strong security solution that detects mobile malware.

References:
  1. https://www.techrepublic.com/article/report-mobile-ransomware-attacks-soared-in-2017-up-250-in-q1/
  2. https://securelist.com/ksn-report-mobile-ransomware-in-2014-2016/75183/
  3. https://www.kaspersky.com/blog/mobile-ransomware-2016/12491/

Sunday, July 30, 2017

Update (Offline) Ubuntu 16.04 Kernel to Latest Version

Recently I was experiencing a Wi-Fi connectivity issue on my Ubuntu 16.04 machine, which was running kernel version 4.4.0.x. Even though the lspci output showed the presence of the Wi-Fi network card, it was not detected by Ubuntu's Network Manager. After a couple of trial-and-error attempts, I decided to upgrade the kernel to a later stable version. As the machine had no Internet connectivity, I did it offline. Below are the steps I followed.

To confirm the presence of the Wi-Fi hardware I used the lspci command. lspci is a utility for displaying information about the PCI buses in the system and the devices connected to them.

#lspci
..........
01:00.0 Network controller: Intel Corporation Wireless 3165 (rev 79)

..........

To start the offline kernel upgrade, first download the required kernel version from the Ubuntu mainline kernel archive. To see which kernel versions are available, open this URL in your browser:
http://kernel.ubuntu.com/~kernel-ppa/mainline/
 
I decided on kernel version 4.10.0 and downloaded the three .deb packages listed below. I didn't want the "lowlatency" flavour, just "generic" plus the architecture-independent "all" headers package.


http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.10/linux-headers-4.10.0-041000_4.10.0-041000.201702191831_all.deb
http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.10/linux-headers-4.10.0-041000-generic_4.10.0-041000.201702191831_amd64.deb
http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.10/linux-image-4.10.0-041000-generic_4.10.0-041000.201702191831_amd64.deb


I wanted the 64-bit (amd64) edition, so I downloaded the three packages above. Whichever flavour and architecture you choose, you need three packages: two header packages and one image package.

On a machine that does have Internet connectivity, you can download them with the wget utility and then copy them to the offline machine:
cd /tmp
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.10/linux-headers-4.10.0-041000_4.10.0-041000.201702191831_all.deb
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.10/linux-headers-4.10.0-041000-generic_4.10.0-041000.201702191831_amd64.deb
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.10/linux-image-4.10.0-041000-generic_4.10.0-041000.201702191831_amd64.deb


After downloading the three packages, I installed them with the command below. Run it from inside the folder that contains the three .deb packages; the headers and the image are installed together, which is why the wildcard is used.
#sudo dpkg -i *.deb

When the installation completed, I updated GRUB with the command below (the kernel package's post-install hooks normally run it for you, but running it again does no harm):
#sudo update-grub
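The packages above are fetched over plain HTTP, and the dpkg -i step installs whatever is in the folder, so the files should be checked before that step. The mainline directory publishes a CHECKSUMS file and a detached CHECKSUMS.gpg signature next to the packages; copy both to the offline machine with the .deb files. The script below is an added example, not part of the original post; it assumes the SHA256 lines in CHECKSUMS use the standard sha256sum "hash  filename" layout and that all files sit in one directory.

```shell
#!/bin/sh
# Added example, not part of the original post: check mainline kernel .deb
# files against the CHECKSUMS file published in the same mainline directory
# before running "sudo dpkg -i *.deb". Assumes CHECKSUMS and CHECKSUMS.gpg were
# copied to the offline machine together with the packages, and that the
# SHA256 lines use the standard sha256sum "hash  filename" layout.

# verify_kernel_debs DIR: returns 0 only if every .deb in DIR matches its
# SHA256 entry in DIR/CHECKSUMS; 1 on any mismatch or missing entry; 2 on
# usage errors. Nothing is installed by this function.
verify_kernel_debs() {
  dir=$1
  [ -f "$dir/CHECKSUMS" ] || { echo "no CHECKSUMS file in $dir" >&2; return 2; }
  (
    cd "$dir" || exit 2
    status=0
    found=0
    for deb in *.deb; do
      [ -e "$deb" ] || break            # no .deb files: the glob did not expand
      found=1
      # take only the SHA256 line for this file; MD5/SHA1 lines are ignored
      line=$(grep -E "^[0-9a-f]{64}  $deb\$" CHECKSUMS | head -n 1)
      if [ -z "$line" ]; then
        echo "$deb: no SHA256 entry in CHECKSUMS" >&2
        status=1
      elif printf '%s\n' "$line" | sha256sum -c --status -; then
        echo "$deb: OK"
      else
        echo "$deb: CHECKSUM MISMATCH, do not install" >&2
        status=1
      fi
    done
    [ "$found" -eq 1 ] || { echo "no .deb files in $dir" >&2; exit 2; }
    exit "$status"
  )
}

# verify_checksums_signature DIR: the CHECKSUMS file travelled over plain HTTP
# just like the packages, so on its own it only detects corruption. The
# detached CHECKSUMS.gpg signature ties it to the kernel team's signing key,
# which must already be in the keyring of the user running this.
verify_checksums_signature() {
  gpg --verify "$1/CHECKSUMS.gpg" "$1/CHECKSUMS"
}

if [ $# -gt 0 ]; then
  verify_checksums_signature "$1" && verify_kernel_debs "$1"
fi
```

Run it as `sh verify-kernel.sh /tmp` from the folder layout used above, and only proceed to `sudo dpkg -i *.deb` when both checks pass. Import the signing key on a connected machine beforehand; without the signature check, an attacker who can tamper with the download can just as easily rewrite CHECKSUMS to match.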

Remember that manually installed kernels like this one are not removed automatically by Ubuntu. Ubuntu automatically removes only the older kernels it installed itself, keeping the current version and the one before it. Therefore monitor the size of your /boot directory and periodically remove manually installed kernels you no longer need. Don't delete files under /boot with rm; remove the kernel packages through the package manager (dpkg or apt), which also updates GRUB. Bear in mind too that mainline kernels are test builds that do not receive Ubuntu security updates through apt, so they have to be replaced by hand when a newer version is needed.

In addition to the above method, if you have Internet connectivity, Ukuu (which stands for "Ubuntu Kernel Update Utility") is another way to do it. This straightforward desktop app helps you install a new kernel in Ubuntu, Linux Mint and other Ubuntu-based distributions, using the "mainline" kernels published by Canonical.

Saturday, May 13, 2017

Ransomware Worm Attack - WannaCry

Ransomware attacks dubbed "WannaCry" started to spread around the world on 12 May 2017. In these attacks, data is encrypted and the extension ".WCRY" is added to the file names. According to the reports, the attack propagates through a remote code execution vulnerability in the Microsoft Windows SMBv1 server, exploited with the tool code-named "EternalBlue". The EternalBlue exploit was made available on the Internet through the Shadow Brokers dump of 14 April 2017.

Microsoft released security patch updates for this vulnerability on 14th March 2017 in Microsoft Security Bulletin MS17-010.

Affected Versions

  • Windows Vista (all editions)
  • Windows Server 2008 (all editions)
  • Windows 7 (all editions)
  • Windows Server 2008 R2 (all editions)
  • Windows 8.1 (all editions)
  • Windows RT 8.1 (all editions)
  • Windows Server 2012 and Windows Server 2012 R2 (all editions)
  • Windows 10 (all editions)
  • Windows Server 2016 (all editions)
  • Some of the obsolete Microsoft Operating Systems are also vulnerable (Patches available through Microsoft Custom Support)

Recommended Course of Action

  • MS-ISAC issued an advisory addressing the remote code execution vulnerabilities in the SMB server that are currently being used to propagate the WannaCry ransomware. Vulnerable operating systems should be updated with the relevant security patches (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx).
  • Microsoft has also released a patch for obsolete operating system versions. Please refer to http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598.
  • If patching is not possible, make a business decision to disable SMBv1, and block the SMB ports (TCP 139 and 445) at the perimeter and between network segments.
  • Make sure that you are running up-to-date anti-virus software.
  • Security devices such as IDS/IPS, SIEMs and firewalls should also be tuned to block and alert on suspicious inbound and outbound network traffic, in particular SMB (TCP 445) connections arriving from the Internet or fanning out from one internal host to many others.
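The last point can be turned into a concrete detection. An infected host opens TCP/445 connections to many distinct peers in a short time, while a normal workstation talks to a handful of file servers at most. The script below is an added example, not from the original advisory: it reads firewall log lines in a generic "key=value" layout (an assumed format, not any particular product's) and reports every source that reached at least a threshold number of distinct destinations on port 445. The sample log is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: spot worm-style SMB spreading
# in firewall logs. A WannaCry-infected host opens TCP/445 connections to many
# distinct peers in a short time; a normal workstation talks to a handful of
# file servers at most.

# Constructed sample log in a generic "key=value" firewall format (assumed,
# not taken from any real product). 10.1.1.5 behaves like an infected host,
# 10.1.1.20 like a normal user, 10.1.1.30 only talks HTTPS.
sample_log() {
  i=1
  while [ "$i" -le 12 ]; do
    echo "2017-05-12T10:00:$(printf '%02d' "$i") src=10.1.1.5 dst=10.1.2.$i proto=TCP dport=445 action=allow"
    i=$((i + 1))
  done
  # repeat of an existing src/dst pair: must not be counted twice
  echo "2017-05-12T10:00:30 src=10.1.1.5 dst=10.1.2.1 proto=TCP dport=445 action=allow"
  echo "2017-05-12T10:01:00 src=10.1.1.20 dst=10.1.3.10 proto=TCP dport=445 action=allow"
  echo "2017-05-12T10:01:05 src=10.1.1.20 dst=10.1.3.11 proto=TCP dport=445 action=allow"
  echo "2017-05-12T10:01:10 src=10.1.1.30 dst=203.0.113.5 proto=TCP dport=443 action=allow"
}

# smb_scanners [THRESHOLD]: read log lines on stdin and print
# "src distinct_smb_peers" for every source that opened TCP/445 connections
# to at least THRESHOLD (default 10) distinct destinations.
smb_scanners() {
  threshold=${1:-10}
  awk -v t="$threshold" '
    {
      split("", f)                       # clear the per-line field map
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n) f[substr($i, 1, n - 1)] = substr($i, n + 1)
      }
      if (f["proto"] != "TCP" || f["dport"] != "445") next
      # count each src/dst pair once, however many connections it made
      if (!seen[f["src"] SUBSEP f["dst"]]++) peers[f["src"]]++
    }
    END { for (s in peers) if (peers[s] >= t) print s, peers[s] }
  ' | sort
}

if [ "${1:-}" = "--demo" ]; then
  sample_log | smb_scanners 10
fi
```

Run it against a firewall export with `smb_scanners 10 < firewall.log`. File servers, backup hosts and vulnerability scanners will legitimately exceed the threshold and need to be excluded; everything else the script reports should be isolated from the network and examined, since the scanning happens whether or not the attempted peers were actually vulnerable.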

Additional Recommendations to Counter Ransomware Attacks

TechCERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:
  • Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; critical backups should be isolated from the network for optimum protection.
  • Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
  • Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
  • Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the Web. See Good Security Habits and Safeguarding Your Data for additional details.
  • Do not follow unsolicited Web links in emails. Refer to the Security Tip on Avoiding Social Engineering and Phishing Attacks or the Security Publication on Ransomware for more information.

More Information