Thursday, July 3, 2014

QualysGuard Private Cloud Platform Security Architecture and Pen Test Review

The QualysGuard Private Cloud Platform (QG PCP) makes many promises, one of which is that vulnerability scan data can be hosted on a private cloud platform in the client's data center, under the client's control.  Taken at face value this may seem promising, but the reality is that Qualys still has to manage the platform remotely.  In doing so they have remote access to this data and can pull it down to their own site as needed.  Needless to say, Qualys requires the client to provide a backdoor into the system.

The Qualys PCP equipment is leased and never sold to the customer.  This raises a number of legal issues, and it is what entitles them to access their own equipment.  They require the customer to grant them remote access so that they can manage it remotely; that is a requirement, not an option.  How it is actually managed is kept a closely guarded secret.



Remote Access

What kind of remote access to the QG PCP do they require?

1. Persistent iVPN tunnel

2. VPN remote access account




Qualys still has the means to pull the data back to Qualys through SSH/SCP even though it is hosted on a customer site.  In fact, Qualys does not allow the customer to monitor the network traffic being sent back to Qualys.  Such requests were flat out refused during a security assessment.  What they pull back is their business and the customer has no right to know.



Network Sniffer

Network monitoring had to be done outside of the QG PCP as Qualys did not allow internal network sniffing.  This traffic analysis did show a few weaknesses.

1. Emails were being sent to the email server UNENCRYPTED.  Yes, one could see the message being sent as well as who the recipients were.  Emails were being sent back to Qualys through the Internet.  A lot of sensitive information was sent unencrypted, including server names, configuration, scripts, running jobs, listening ports and full internal DNS names.

2. Internet connections from Indonesia were seen accessing the QG PCP, even though it was supposed to sit in a controlled-access network in a data center.

3. A lot of failed DNS requests to www.qualys.com and other Qualys subdomains; it looks like the system has not been fine-tuned to be hosted at a client site.  The interesting thing is that it tries to do Windows updates on its own by accessing the Internet.

4. Undocumented protocols used by the Qualys PCP, namely AppleTalk, CMIP-Man and Feixin.

5. Syslog messages sent across the network unencrypted.

Firewall Rule Analysis

Firewall rule analysis shows that SSH is allowed into the platform through the VPN firewall, as well as the HTTP(S) protocols.


Internet Access

The Qualys PCP itself passes network traffic in and out of the controlled-access network environment, as seen in the diagram below.



1. The Qualys PCP Service Network requires outbound communication for:
   a. NTP – Time synchronization
   b. DNS – Name resolution
   c. SMTP – Email
   d. WHOIS – External Internet
   e. Daily vulnerability updates – External Internet



WHOIS pulls information from the Internet, and the daily signature updates are pulled from Qualys over the Internet on port 443.  In effect, the PCP is reaching out to Qualys over the Internet to retrieve updates.  A man-in-the-middle attack could intercept the update and return a malicious update to the Qualys PCP instead, provided that a vulnerability exists in the platform.

2. The physical scanners communicate with the Qualys PCP.  This requires that inbound port 443 be opened on the PCP.  Physical scanners in the DMZ also need to communicate with the PCP on port 443; access to the PCP from the DMZ increases the risk.

3. The Qualys SOC accesses the PCP through iVPN and VPN connections from the Internet for maintenance and support.
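As an added example (not part of the original assessment), the following Python script audits a set of constructed flow records against the outbound and inbound profile listed above: it flags undocumented ports, SSH arriving from outside the expected VPN range, and documented services that still cross the wire unencrypted (the SMTP and syslog observations from the sniffer section).  The PCP service network, the SOC VPN range and every address are placeholder values, not Qualys or customer addresses.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Placeholder addressing (RFC 1918 / RFC 5737 ranges), not real Qualys or customer values.
PCP_NET = ipaddress.ip_network("10.0.0.0/24")        # assumed PCP service network
SOC_VPN_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed Qualys SOC VPN source range
# Outbound services the review lists for the PCP, on their standard ports.
ALLOWED_OUT = {("udp", 123): "NTP", ("udp", 53): "DNS", ("tcp", 25): "SMTP",
               ("tcp", 43): "WHOIS", ("tcp", 443): "daily signature updates"}
# Inbound: 443 from the physical scanners, SSH from the SOC over the VPN.
ALLOWED_IN = {("tcp", 443), ("tcp", 22)}
# Permitted services the review observed crossing the wire in cleartext.
CLEARTEXT = {("tcp", 25): "SMTP", ("udp", 514): "syslog"}

def classify(flow):
    """Return a finding for one flow, or None if it matches the documented profile."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    key = (flow.proto, flow.dport)
    if src in PCP_NET and dst not in PCP_NET:                 # outbound from the PCP
        if key not in ALLOWED_OUT:
            return f"undocumented outbound {flow.proto}/{flow.dport} to {dst}"
        if key in CLEARTEXT:
            return f"{CLEARTEXT[key]} leaves the PCP unencrypted to {dst}"
    elif dst in PCP_NET and src not in PCP_NET:               # inbound to the PCP
        if key not in ALLOWED_IN:
            return f"undocumented inbound {flow.proto}/{flow.dport} from {src}"
        if key == ("tcp", 22) and src not in SOC_VPN_NET:
            return f"SSH into the PCP from outside the VPN range: {src}"
    return None

def audit(flows):
    """Collect findings for every flow that deviates from the documented profile."""
    findings = []
    for flow in flows:
        reason = classify(flow)
        if reason:
            findings.append(reason)
    return findings

# Constructed sample flows modelled on the review's observations.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.10", "udp", 123),   # NTP: documented
    Flow("10.0.0.5", "198.51.100.20", "tcp", 443),   # signature updates: documented
    Flow("10.0.0.5", "198.51.100.30", "tcp", 25),    # mail relay: documented, but cleartext
    Flow("10.0.0.5", "198.51.100.40", "tcp", 80),    # Windows Update over HTTP: undocumented
    Flow("203.0.113.7", "10.0.0.5", "tcp", 22),      # SSH from an unexpected Internet source
    Flow("192.0.2.9", "10.0.0.5", "tcp", 22),        # SSH from the SOC VPN range: expected
]
```

Running `audit(SAMPLE_FLOWS)` yields three findings: the cleartext mail relay, the undocumented HTTP egress, and the SSH login from outside the VPN range.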



Virtual Scanners

A sniffer placed on a virtual scanner showed that, by default on some servers, it chose the deprecated SSLv3 to communicate with the Qualys PCP.  In particular, it negotiated SSLv3 with RC4-MD5; MD5 is obsolete.  Qualys documentation claims they use TLSv1 and the latest modern secure protocols.
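As an added example (not part of the original review), this Python parser pulls the negotiated protocol version and cipher suite out of a captured SSL/TLS ServerHello record, which is what a sniffer-based check of the virtual scanner's sessions comes down to, and flags SSLv3, RC4 and MD5.  It goes slightly beyond the post by also treating TLS 1.0 and 1.1 as deprecated, per RFC 8996.  The captures are constructed inside the block (fixed random, no session id or extensions), not real Qualys traffic.

```python
import struct

# Wire-format version numbers and a handful of cipher-suite ids (IANA TLS registry values).
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
          0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}

def parse_server_hello(record: bytes) -> dict:
    """Extract the negotiated version and cipher suite from one raw ServerHello record."""
    if len(record) < 9 or record[0] != 0x16:          # 0x16 = handshake content type
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:              # 0x02 = ServerHello message type
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]                               # 2 bytes version + 32 bytes random
    pos = 35 + sid_len
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    return {"version": VERSIONS.get(version, hex(version)), "suite": SUITES.get(suite, hex(suite))}

def assess(record: bytes) -> list:
    """List why a negotiated session is weak; an empty list means it passes."""
    info = parse_server_hello(record)
    findings = []
    if info["version"] in ("SSLv3", "TLSv1.0", "TLSv1.1"):
        findings.append(f"deprecated protocol {info['version']}")
    if "RC4" in info["suite"]:
        findings.append("RC4 stream cipher")
    if info["suite"].endswith("MD5"):
        findings.append("MD5 MAC")
    return findings

def build_server_hello(version: int, suite: int) -> bytes:
    """Constructed capture stand-in: a minimal ServerHello with no session id or extensions."""
    hello = struct.pack("!H", version) + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

WEAK_CAPTURE = build_server_hello(0x0300, 0x0004)   # SSLv3 + RC4-MD5, as observed in the review
GOOD_CAPTURE = build_server_hello(0x0303, 0xC02F)   # TLS 1.2 + ECDHE AES-GCM
```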

Application Analysis

Perl API

Application analysis was done by running Perl scripts against the qualysapi server and testing for vulnerabilities.  The server itself was found to be vulnerable because it accepts login credentials for API requests as a base64-encoded header passed over plaintext HTTP.  This could result in the loss and capture of Qualys admin credentials, which in turn would give access to vulnerability scan results.
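As an added example, not from the original assessment or from the Qualys API, here is a small Python detector that parses captured HTTP requests (constructed below, with a placeholder host, path and account) and reports any base64-encoded Basic credentials that travelled over a non-TLS port.  The account name is reported so the exposed credential can be rotated; the secret itself is never echoed.

```python
import base64
import binascii
from typing import Optional

# Constructed captures modelled on the finding above; host, path and account are placeholders.
# The first element is the TCP port the request was seen on: 80 = plaintext HTTP, 443 = TLS.
SAMPLE_CAPTURES = [
    (80, b"GET /api/placeholder HTTP/1.1\r\n"
         b"Host: qualysapi.example.invalid\r\n"
         b"Authorization: Basic YWRtaW46cGFzc3dvcmQxMjM=\r\n\r\n"),
    (443, b"GET /api/placeholder HTTP/1.1\r\n"
          b"Host: qualysapi.example.invalid\r\n"
          b"Authorization: Basic YWRtaW46cGFzc3dvcmQxMjM=\r\n\r\n"),
    (80, b"GET /api/about HTTP/1.1\r\nHost: qualysapi.example.invalid\r\n\r\n"),
    (80, b"GET /api/about HTTP/1.1\r\nAuthorization: Basic !!notbase64!!\r\n\r\n"),
]

def basic_auth_user(raw: bytes) -> Optional[str]:
    """Return the account name carried in an HTTP Basic Authorization header, if any."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":               # Bearer, Digest etc. are out of scope here
            return None
        try:
            creds = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            return "<undecodable>"                   # malformed, but still a credential header
        user, _, _ = creds.partition(b":")           # the secret after ':' is never reported
        return user.decode("utf-8", "replace")
    return None

def find_cleartext_logins(captures):
    """Flag every captured request that carries Basic credentials over a non-TLS port."""
    findings = []
    for port, raw in captures:
        user = basic_auth_user(raw)
        if user is not None and port != 443:
            findings.append(f"Basic credentials for '{user}' sent in cleartext on port {port}")
    return findings
```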

Web Application

The Qualys Web Application tests resulted in a number of vulnerabilities.

Qualys PCP Internal

Additional vulnerabilities were found inside the Qualys PCP infrastructure itself, which was found to be very insecure.


Friday, April 18, 2014

Yahoo's Downfall

I predicted Yahoo's downfall in 2008 and told my coworkers about it.  The prediction had nothing to do with looking at financials.  It came from being displeased with how crappy the Yahoo service was.  I had been using Yahoo for more than 4 years, got fed up with it and switched to Google.  A bad service isn't going to last.  Now the real question is whether Marissa Mayer can save them.

Yahoo in Turmoil

Monday, March 17, 2014

Having a Safe Online Shopping Experience

Online shopping can be quite fun, but it can also be quite dangerous, as the Internet is full of scam websites posing as legitimate ones.  Some of these fraudulent websites are so well done that they look legitimate.

Here are some pointers on having a safe online shopping experience:

1. Stick with well known and trustworthy companies when giving them your credit card and personal information.  Such companies are Google, Amazon, Microsoft, and a few others.

2. If a site is not on that trusted list, do a Google search for the name of the site plus the words scam fraud reviews.  For example, google this: badwebsite.com scam fraud reviews.  Look and see whether there are any (or many) bad reviews.  Some good reviews could be fraudulent as well, so use your best judgement and common sense.

3. Make sure you have anti-virus with Internet protection from malicious websites turned on, and that the firewall is turned on.  This does *not* guarantee 100% protection from malicious websites or from virus infection, but it certainly improves your chances.

4. Be careful of malicious and suspicious websites.  Don't think you are invulnerable and click on any site you want.  There is such a thing as drive-by downloads, which some anti-virus will not detect.  Yes, just by visiting a bad website you could be infected and compromised, even with all anti-virus and anti-malware turned up to the max.  Be careful about which websites you visit.  If you google illegal software and music downloads, most of the sites that turn up are bad websites.  If you google buying illegal drugs, there's a 99.9% chance you will run into a scam site.

5. Use McAfee Secure Search, which filters malicious sites, and sites that have been hacked, out of your search results.  It is a McAfee SiteAdvisor plugin for your browser.  Google Safe Browsing is a similar service.  Having used both McAfee Secure Search and Google Safe Browsing, they seem to block only a portion of malicious sites; many scam websites were still shown in the search results.  Since neither screens out all bad websites, you must still exercise caution.

6. Verify the reliability and trustworthiness of the website by entering the web site address into:
  1. McAfee SiteAdvisor: http://www.siteadvisor.com
  2. scamadvisor.com
  3. scamvoid.com
  4. scamanalyze.com
  5. ripoffreport.com
  6. complaintsboard.com
Verify that there are no bad ratings.

7. How long has the website been up?  If it has been up for less than 3 years and has no bad ratings, there could still be cause for concern, because bad ratings usually take a few years to show up.  Most bad websites change their domain names every 6 months to avoid being blacklisted and having bad reviews written about them.  It's like how companies involved in fraud constantly change their names to avoid detection. lol.

8. Look for a few good ratings of the website that sound legitimate.  This step requires some common sense. :)  Beware that there are a lot of fraudulent review sites set up by scam companies.  Make sure that the reviews you are reading are from well-known and respected community boards with a variety of opinions.  If a website's claims or reviews sound too good to be true, they probably are.  Be careful in those situations.

9. When in doubt, don't buy.

10. Assuming nothing bad has shown up so far, see if the site allows paying through a safe payment system such as Amazon Payments.  If it does not, it may not be worth doing business with.  This way you are not sending them your credit card information; you are still sending them PII (personally identifiable information), and that should be done with caution when dealing with an unknown website on the Internet.  By the way, you are not likely to get your money back if you pay with PayPal and get scammed.

Best of luck to you.  While this is no guarantee that you will have a safe and enjoyable online shopping experience, it certainly improves your chances by a dramatic factor.  If this sounds like too much work, just stick with point #1 and stay with well-known trusted sites.

Friday, March 14, 2014

Things to Consider Before Accepting a New Job

While the promise of significantly higher pay may be enticing, here are some things to consider before taking a job offer.  Most people just take a new job and hope for the best, without a clear strategy.

1. What are their expectations?  Are their expectations significantly greater than that of your current employer?  Are you willing to do that?

2. What is the corporate culture?  Is it a sweat shop culture or laid back culture?

3. Will you be able to balance life and work at this new job?  This matters for those who have a lifestyle outside of work.

4. What is the manager like, and what is his or her managerial style?  How does he/she treat people?  Some people grow up being treated with contempt and disrespect by their parents, have never learned to behave any other way, and now treat the people they manage the same way.  They have not grown up emotionally and are still operating like a poorly behaved child in a professional environment, managing others.  Does this person seem to have a temper problem and yell at people a lot?  Are they a slave driver with whip in hand?  Do you think you will be able to communicate issues to this manager?  Is this manager able to get things done?  Does the manager's personality mesh with yours?  It's good to talk to the boss face to face to get a gut feeling about whether this is a person you can trust, or whether he/she seems to lie a lot to promote themselves.  Does he/she seem sleazy and shifty-eyed?  Does this person seem ethical or underhanded?  Will they throw you under the bus when the going gets tough?

5. Do the coworkers look like people you would want to spend time working with?

6. Will you have to relocate?  Do you like the new city?  Does the new city have a lifestyle you could enjoy?  How will this affect your personal life?

7. Is it a company you can trust?  Does it have questionable HR practices that may affect you personally?
  
8. What is the turnover rate for the team?  Do they have a hair trigger for firing people?  How likely are you to keep this job and still be happy?

9. Outside of money, does this job meet your career aspirations?  Will this take you where you want to go?  Will it advance your career or is it a dead end job?

10. Will you enjoy the job?  Do you think you can be happy with this job?

11. Are you taking this job, which you may not like, only for more money?  Consider adjusting your lifestyle so that your expenses are lowered.

12. Is this company's future stable?  Is it a startup?  Are you able to handle the financial risk that the startup may go out of business, or lay you off if its profit expectations are not met?  Small companies sometimes go through a massive hiring frenzy followed shortly thereafter by a massive firing fiesta.  Long-term contracts at large companies (Fortune 20) are often more stable than full-time positions at small companies (not Fortune 1000).


Saturday, March 8, 2014

Problems with Google Voice

It's amazing to see people write great reviews of products they never use.  One such product/service is Google Voice.  The concept seems like a good idea: keep your personal number private and give out only your public number, the Google Voice number, which you can change as you see fit.


Unfortunately, there are some problems with their implementation.

1. Google Voice cannot send or receive picture or multimedia text messages, at least not on an iPhone.  This really sucks, and Google does not tell people this up front; you only find out after using it for a little while, when you see the message "did you get my picture?" and realize pictures cannot be sent or received through this service.  Digging through their support pages you will eventually find this.  Had I known this ahead of time, I may not have switched to Google Voice.  This takes out half the fun of sending SMS messages.

2. Text messages are often lost.  I never had a single lost SMS message until I switched to Google Voice.  A number of reliable people have told me they sent me text messages which I never received, and they never show up in the www.google.com/voice history either.  For those who send 1 text a week it may not be obvious, but I send/receive 400 texts a week easily.  Having heard complaints about missed texts on a consistent basis, I realized Google Voice is not a reliable service.  If you are looking for reliability, look elsewhere.

3. International text messaging does not work.  When I was using a regular cellphone, I was able to send International SMS text messages without problems.  Not with Google Voice.  The message you get when trying to send is "destination not supported".

4. Google Voice transcription is not exactly accurate, but it certainly saves you from having to listen to unnecessary voicemails.