
 

  A safeguarded web & email server, proof of concept


Background info:
Internet-connected e-mail and web servers are commonly inherently insecure and are targeted 24/7 by automated attack systems, while most organisations use them to get and stay in contact via the notorious Internet.
Many product vendors claim that their product or service 'is secure!', or add protection around services known to be insecure: add-on systems like proxies, filters, and detection and prevention systems for known attack types. Extra protection systems not only add complexity but can also become targets themselves.

Insecure: in·se·cure
adj.
1. Not sure or certain; doubtful: unemployed and facing an insecure future.
2. Inadequately guarded or protected; unsafe: A shortage of military police made the air base insecure.
3. Not firm or fixed; unsteady: an insecure foothold.
4.a. Lacking stability; troubled: an insecure relationship.
4.b. Lacking self-confidence; plagued by anxiety.



An elementary requirement for a service that is proven to be safe is to Keep It Simple S....
With the Spartan approach as the foundation, plus a few safeguard techniques to prevent footholds, and a simple-logic defensive structure to round it all off.

 

Project name: Citadel
Motto: K.I.S.S.

Server 1 [full safeguard setup]:   8 users
 Size: 15cm x 15cm x 2cm
 Power usage: avg. 3 Watt , max. 10W
 CPU: 1 core 32bit, 500 MHz.  |   avg. load 0,4%, uptime since last restart 1100+ days.
 Mem: 500 MB. |   avg. 13M Active, 27M Inact, 29M Wired, 24M Buf, 422M Free        
 Storage: 2 GB  allocated for OS + services software + system logs
                       50 GB for user data. 2 Websites and email storage
 Cooling: Passive
 Hardware Price: ± € 200
 Software price & Licence fees: 0,-
 Efficiency: very high, due to KISS configuration


 
 Last software functionality update: 2012
 Known vulnerabilities since initial build in 1998:  , only via physical access to hardware locations.
 Known vulnerabilities since structure rebuild in 2003: 0

 Targeted attacks:
  - 53 on request to ethical and grey-hat hackers/researchers, also 4 government security agencies.
  - 400+ unrequested, but noticed due to their excessive noise in logs.
  = total number of successful unauthorised system access attempts: 1x, physical access before the rebuild in 2003.
  = total number of successful unauthorised user account/data access attempts: 0, access is only possible with trusted devices.
 Total number of automated scanner attacks: unknown, they have no impact.

 

Server 2 [reduced protection, due to 'guests' users]  ~50 users
 Size:  15 cm x 15 cm x 2 cm
 Power usage:  avg. 5 Watt , max. 10W
 CPU:  4 core 64bit, 1 GHz.  | avg. load 2%, uptime since last restart: 1300+ days.
 Mem: 2 GB. |  avg. 255M Active, 1009M Inact, 449M Wired, 33M Cache, 199M Buf, 44M Free
 Last software functionality update: 2019
 Known vulnerabilities since system build in 2004:  0
 Cooling: Passive
 Hardware Price: ± € 250
 Software price & Licence fees: 0,-
 Efficiency: very high, due to KISS configuration

Storage
 OS + services software, + system logs: 2 GB
 Web and email storage: about 10 years of users' email + calendar + notes history
                                     12 websites
                                      using in total ~150 GByte storage space. 

Targeted attacks:
  - 53 on request
  - 1000+ noticed due to their excessive noise in logs.
  = total number of (ineffectual) attacks: unknown {who cares}
 
  = total number of successful system access attempts: 0 known.
  = total number of successful user email account attempts: 8, due to users sharing guest authentication details with public-cloud services :(

 

 

Industry standard setup
Motto: $$.$$$ !

Server
Size: 43 cm x 70 cm x 5 cm 
Power usage: avg. 250+ Watt,  max. 800W
CPU: 2..3 GHz, 4 or 8 Cores.  avg. load 5..20%, mainly due to the OS and services' own activities, without user requests.
Mem: 16..64 GB.    avg. used 6..30 GB
Cooling: 2..5 Fans
Price: ± € 2000   (800 .. 3500)
Storage
OS, services software, system logs: min. 40 GB
Web and email storage:  Depends on organisation choices.
Software price & user licence fees: > € 1000 +  each year.
Efficiency: Extremely wasteful , due to IT industry greed.
Professional targeted attack attempts:
  - Some commercial and limited scope security testing.
  - A large number of successful access attempts are not noticed until some audit happens to spot them, and many that were noticed are preferably not reported by system owners to the users/clients/customers.
 
= total number of successful unauthorised system access attempts: The news media and CVE reports tell a small portion of the whole story.

 


Attackers, be they hackers working for fun or profit or very well-equipped espionage organisations, all use the same basic technique: they try to get a foothold on a target infrastructure by any means possible.
Once they manage to get the foothold, they try to get access to the desired functionalities.
 Some options are: password guessing, social engineering, phishing, man in the middle, detecting vulnerable systems with known bugs and flaws, back-doors, trial & error testing for flaws, using fundamental design and logic flaws, etc.

What if the services simply don't provide any space for a foothold?
What if they don't provide access to other users' stored data, and don't allow credential guessing, and a valid user simply can't give away the info needed to gain access, and the systems don't reveal what's under the bonnet and how it functions, and the service can't be altered by anyone other than the owner, and ..
..the system simply has no means to do anything besides what it is intended to do...

For the attackers it's like talking to a concrete wall...
For the service owner it's simply under control.