With IT security threats ever more prevalent, and the constant stream of information from the media about “Heartbleed” and “GoZ”, how do you know if you, or your Company, are truly safe online?
VIEWING ATTACKERS UP CLOSE – By Mike Sheward
The Internet is the great equaliser. Today, it’s technically possible for a sixteen year old to declare war on a developed country. Using only a keyboard, mouse, the correct mixtures of skill, research and that little bit of luck, they could find themselves in a position to cause considerable damage.
One only has to think back to the revelations about SCADA industrial control security to remember just how fragile some seriously important kit is.
As you sit back in your chair, viewing your firewall and IDS logs. Seeing the lines upon lines of scans, probes and intrusion attempts. Do you ever think – who exactly is behind all of this? What do they want from my company?
The answer to that of course is that there are lots of people with a vested interest in breaking into your network. Motivations will differ. Some will want computing resources to add to their already vast botnets. Others will want to steal from you and your customers, money or data – it doesn’t really matter; it all has a certain value.
The thing is, if you are seeing those scans, probes and intrusion attempts in firewall logs, that usually means that the firewall has taken care of them. “Hey, I torn down this connection, you’re welcome, we’re done here”.
One thing is for sure, even if the scan, probe or intrusion attempt came from an automated source, at some point a real life human being directed that source to perform the scan. Who are they? Does it matter?
I think it matters.
Imagine being told you’re about to get into a physical fight with someone and you have no way to get out of it, yet you don’t know anything about them. How big they are, what weapons they’ll have. Surely, that’d be pertinent intelligence to help you prepare?
In the world of information security, one of the quickest ways to collect Intel about exactly who has got it in for you is to deploy a Honeypot.
The concept of a Honeypot is not a new one, however more and more organisations are now adopting them into an information security program.
The basic concept of a honeypot is that it is a decoy system, designed to be broken into so that you can discover; who exactly is doing the breaking in, how they did it, what they are looking for when they are in there.
Compared to firewalls and IDS systems, honeypots only record attacks. Not thousands of possible events every few minutes. Just the attacks that made it through. They capture everything that is thrown at them, including encrypted connections.
There are few ways to convey to an executive just how serious the threat is than showing an actual attacker compromising a honeypot, and how quickly it happens.
Of course there are risks to the honeypot approach. You have to know exactly what you are doing, to ensure that your honeypot does not actually just become a vulnerable system that can be used to perform further network compromise.
You also risk annoying the wrong person, if they discover your honeypot. A well-connected attacker might decide to take things personally and order up a DDoS attack.
Some may fear the legal repercussions’ of a honeypot deployment, but in many ways it is just the same as deploying any other security control.
The most common murmur on the legal front is that the honeypot is considered entrapment. ‘We are luring an attacker in’. Well, no one is really luring anyone anywhere. Attackers will locate and chose to break into your honeypot of there own free will. There actions will be captured, just as they could be by an IDS.
There are many different honeypot configurations out there, waiting to be customised and deployed. My advice is to take some that mimic what you do in your environment and go play – you will find out more about your adversaries, and how to protect yourself from them.
Two Powerful and Free Tools for Volatile Data Forensics
By Mike Sheward
When responding to a potential computer security incident, one of the most common tasks for the first responder is to determine if a host has been compromised. We always respond to incidents by assuming that the host has been compromised, and we’ll be taking the attacker to court. It doesn’t always happen of course, but if we take this approach we’ll be prepared for that scenario.
If the host is powered on, we are faced with something of a catch 22. Consider the first principle of the Association of Chief Police offices forensic guidelines:
No action taken by Police or their agents should change data held on a computer or other media, which may subsequently be relied upon in Court.
This principle is designed to protect the integrity of digital evidence, and enforces the need for a forensic first responder to collect an unaltered copy of data from a machine.
When a machine is powered on, things are constantly changing. The contents of RAM, temp files, network traffic, running processes and cache are all prime examples of things that are always changing – or to use the proper term, volatile data.
Often, the only evidence of compromise will be found in volatile data, which means we have to intervene before it is lost forever – either if a process is killed, or the machine is powered off. In doing so, we ourselves have to inject a process and make changes to the state of the machine in order the capture the volatile data. Herein lies the catch 22.
Thankfully the second principle of the ACPO guidelines has got us covered in this scenario.
In exceptional circumstances where a person finds it necessary to access original data held on a target computer that person must be competent to do so and to give evidence explaining the relevance and the implications of their actions.
So get your notebook out, and document everything you do when collecting volatile data. Get to know your tools ahead of time, so you know exactly the impact they will have on the live system, and how you should use them.
Here are a couple of free tools that can provide great insight into volatile data.
Process Explorer is a part of the SysInternals Suite for Microsoft Windows. No installation is required, and the tool allows you see all running processes, which DLL’s, handles and network connections are open.
Download Process Explorer here:
The main view is shown here, you can see an overview of all running processes in the top pane. The bottom pane will show you DLL’s or handles in use by that process depending on the view that is selected.
By right clicking on a process and selecting properties, then choosing the TCP/IP tab you can discover network connections the process has open.
Virtual Machines are an extremely useful and cost effective tool for a variety of security tasks.
One of my favourite uses for a virtual machine is performing analysis of malicious code, in the form of a classic executable or browser based threats. Not only is this an interesting use of your time, it can answer questions about who launched a particular attack, what they were trying to obtain and whether or not they were specifically targeting you or your organisation.
If you’ve never worked with a virtual machine before, I suggest you head over to virtualbox.org and download a copy of Oracle Virtualbox.
This open source tool is a feature rich platform for creating multiple virtual machines on your physical hardware. I just checked my Virtualbox installation and found that my list currently contains 14 virtual machines in various states of configuration and distress!
A virtual machine creates a sandbox for you to perform analysis work that would be too risky to perform on the same machine you use for day-to-day work. That said, it is important to ensure that your virtual machine software is at the latest version, to prevent any advanced malicious code from breaking out and affecting the host machine.
Snapshot functionality allows you to quickly restore a virtual machine to its pervious state.
It is also worth noting that sometimes malware will behave differently, if it detects that it is running in a virtual machine. Malware writers are not naïve; they know that people like us use virtual machines to find out what their products are up to.
The next safety tip is to be aware of your network configuration. If you have extremely sensitive systems, you should not connect an analysis virtual machine to the same network as them. You might even consider disabling networking and going for complete isolation. Things can spread quickly!
Once you have the base operating system installed in your virtual machine, it’s time to add some tools into the mix. These tools will vary depending on the platform you are working with, but one that’ll probably always be involved is Wireshark.
Wireshark (http://www.wireshark.org/) is the most popular packet capture tool around. It runs on all platforms and allows you to record raw data transmitted over a network, so you can see who a piece of malware is talking too and what they are saying.
If you are analyzing the impact of malware on a windows system, the Windows Registry is usually an interesting place to look. Regshot (http://sourceforge.net/projects/regshot/) allows you to snapshot the registry before and after the malware has executed so you can easily compare and view the changes.
Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) will allow you to view running processes, which DLL’s they’ve loaded and any open network sockets
OllyDbg (http://www.ollydbg.de/) is a disassembler that allows view the ‘under-the-hood’ activities of binary applications. Or to put it another way, reverse engineer the application.
The use of virtual machines for malware analysis is now so widely adopted that some inline IDS/IPS systems now come with their own on board virtual machine images, which they use to perform analysis of detected threats on the fly.
As with anything – take time to experiment with the available tools and resources for malware analysis. Be safe, and you’ll be rewarded with a new perspective on the variety of threats out there and the best way to tackle them head on.
Preaching After a Breach
By Mike Sheward
One recent incident that has become the most up to date case study of a serious breach; is the compromise of millions of user account records from software company Adobe.
Following the breach, the attackers posted the looted data online for all to see. Four fields were present in the data, email address, user name, the encrypted password, and then the clear text password hint.
In all, it appears 150 million records were taken in the breach. That’s about 10 gigabytes of data uncompressed.
One mistake that made this breach even more damning, was that the passwords were encrypted rather than hashed. A hash function will take a clear text password, perform some mathematical function on it and produce a fixed length string that cannot be reversed, hence why you’ll hear a hash referred to as a ‘one-way hash’. Because the same hash is produced every time the password is entered, the application storing the hashed password has no business knowing what the clear text password is, all that matters is the hashed version of the password matches when compared to the stored one.
On the other hand, encrypted passwords are stored with the use of some sort of key. This means the encryption can be reversed and the clear text password discovered should the encryption key be revealed. There is no good reason to store a password in this manner.
Remember how we mentioned the password hint earlier? That field makes password guessing a pretty reliable attack vector, or as online comic XKCD reported, the best crossword competition ever made – http://xkcd.com/1286/.
In the case of the Adobe breach, after guessing a couple of passwords using the hint, it became obvious that the same encryption key was used for every password.
That means, that there is a potential time bomb out there. If someone works out that key, and you can guarantee that someone is working on it right now, they’ll have access to all of those passwords. This will also ruin the crossword fun.
Oh, and in case you didn’t know, people like to reuse the same password on many accounts. I know, shocking, right?
With that inconvenient truth in mind, various other sites have started to use the data from the Adobe breach to better protect their own customers. Facebook, for example, have prompted users whose stolen Adobe passwords have already been worked out that they are at risk because they used the same password on their Facebook account. To make this connection, Facebook would have run the ‘worked-out’ Adobe password through their own password-hashing technique and would have then compared the hashes.
This is just one innovative way to protect people who may have had their encrypted account information stolen in a breach, and to reinforce that password reuse can lead to problems.
So were you caught up in the Adobe breach? You can find out by ‘grepping’ the data for your email address, or if that seems a bit long-winded, check out this free tool from LastPass. It’ll check the list for you and mail you your Adobe password hint.
Social media is a relatively new, extremely powerful and fairly cheap weapon in an organization’s marketing toolkit.
This combination is why, if used properly, social media is a great way to engage customers and promote your business. However, as you’ve probably seen in the press over the last few months, when it goes wrong, it can lead to an embarrassing episode. Or worse.
The restaurant chain Burger King became victims earlier this year when their twitter account was compromised. Their logo was changed to that of rivals McDonald’s, and a series of questionable tweets (with images) followed.
It didn’t take long for BK to recover the account and restore order to the kingdom, performing damage limitation, while at the same time enjoying 5,000 new followers!
In this case, aside from some embarrassing moments, the impact wasn’t too significant. However, that might not have been the case if the victim organisation was subjected to a more vicious attack, and were less able to recover. Reputations are hard to earn, easy to lose.
Look no further than US President Barack Obama for a victim of an indirect social media attack. A few weeks ago, the US media began to run reports that his campaign twitter account had been compromised. It hadn’t. Instead, one of the link shorting services used by the social media team were compromised, and links in tweets were redirected.
Your social media footprint is an incredibly valuable asset, so you should take steps to protect it.
Enable multifactor authentication on your social media accounts. All of the major players, Facebook, LinkedIn, Twitter all offer some kind of multifactor offering. This typically includes the device being used to access the account as a factor. Any attempt to login from an unrecognized device will result in an SMS message being sent to a mobile device.
Control how your accounts are accessed. Tell social media administrators to only login from approved devices, – this could include devices that are known to conform to your organisation’s technical security policy.
Know who has access to your social media accounts. Review access history to make sure that someone unknown isn’t secretly lurking in your accounts. Every time someone leaves your company that may have had access to such accounts, change the password. Even when no one leaves, change the passwords every month.
Don’t share passwords at all if you can help it. Social media management platforms enable you to have a single gateway for all social media management tasks. This means you can allow people to make posts on your social media pages, without having to provide passwords. They also allow workflow like configurations, to ensure that posts go through the proper approval process.
Regularly Review Cross App Permissions. Discover which third party applications have access to your social media profiles, and what they are permitted to do. Revoke permissions if they are not required by the business.
Make Social Media Users Aware of Incident Response Plans. Incidents involving social media systems should be subjected to the same response procedures as other enterprise systems.
A social media presence is a key element in an organisations ‘brand’. The idea of brand protection is not a new one. However, if your company is using social media to promote itself, then consider social media security an extension of your brand protection activities. Protect yourself and your customers, and keep your reputation intact.
The Harvest Festival
By Mike Sheward
In case you hadn’t noticed, we are now in the midst of autumn. So what better time to go out harvesting?
Wait a second, put down your scythe, and leave your boots off! The crop that we are interested in cannot be found in the muddy fields of England, instead we’ll be digging through search engines – or rather, we’ll be using a tool to do the digging for us.
Internet search engines are treasure troves of extremely valuable information, and a frequent starting point for a penetration tester seeking to find a way into an organisation.
We turn to search engines to find details such as employee email addresses, IP addresses and virtual hosts. Because this information is ‘out there’, on the public Internet, we tend to call it ‘open source’ enumeration.
My favourite search engine enumeration tool has been, for some time, a python script called the Harvester. Written by Christian Martorella, the purpose of the harvester, is to automate the harvesting of the information we discussed above.
So let’s take the John Deere of the open source enumeration world out for a test drive and take a look at what it can do.
Installing the Harvester
The harvester can be downloaded from its Google code project page – http://code.google.com/p/theharvester/downloads/list
The entire program is a collection of Python scripts. Download the archive and extract all the files. Keep the directory structure in place and should have no problems running the application by calling the main python script – theHarvester.py.
The harvester also comes bundled with popular penetration testing distributions such as Backtrack and Kali, you’ll find it under enumeration.
Let’s say for example, that you’ve been engaged as a penetration tester to take a look at Encription. You decide to start off by taking a look at the encription.co.uk domain for email addresses and virtual hosts.
A basic harvester session using Google would be run as:
./theHarvester.py –d encription.co.uk –l 500 –b google
Where ‘-d’ tells the script the domain to search, ‘-l’ provides a limit to the number of search engines results to look through, and ‘-b’ specifies which search engine to use.
We actually have a fairly small footprint, hence you’ll see only a couple of hosts and a handful of email addresses, most of which are generic, rather than associated with any specific employee.
Try this with your own domain name and see what the harvester comes back with. You might be surprised. This tool always provides a great illustration for those folks who receive spam emails and then ask ‘where on earth did they find my email address?’.
There are plenty of other options in the Harvester.
When used with the ‘-v’ switch, the Harvester will verify the hostname via DNS resolution and do a search for virtual hosts. With this option selected the harvester will run a DNS query against any discovered hostname, this is useful in confirming that the host is still live. The virtual host search is run using Bing’s virtual host search feature.
If it can, the harvester will highlight IP address ranges it discovers which may be associated with your target domain. If you set the ‘-n’ option, the Harvester will run a reverse DNS query against those discovered IP’s, in the hope of further enumerating hostnames.
Sticking with DNS, ‘-t’ performs a top level DNS expansion. So in our example, with this option set, the harvester also discovers our encription.ie domain.
The ‘-c’ switch will perform a good ol’ fashioned DNS brute force against the domain name, looking for commonly used host names (things like mail., vpn. Etc0.
The ‘-e’ switch allows you to specify a DNS server to be used with the above searches.
A couple of other useful features, ‘-f’ will allow you to save your results to an HTML and XML file for later perusal. You can also take advantage of the Shodan database by using the ‘-h’ switch, (a very cool and useful search engine for internet connected hosts – shodanhq.com).
Assuming your target host is in Shodan, this can be a great way to gather information about what the host may be running.
We’ve just discussed the Harvester, a simple yet powerful tool for enumerating hostnames, email addresses and IP ranges during the intelligence-gathering phase of a security assessment.
Use this tool to discover what a search engine reveals about your organisation.
Aviator: Will it Fly?
Even though you might not think it, given the never-ending press coverage of big security breaches, but the majority of organisations are starting to get better at improving perimeter security.
I’d liken it to locking the front door, and the ground floor windows. More and more network administrators; systems engineers and security teams are getting better at remembering to do this.
This doesn’t mean that it is suddenly impossible to get in. It’s just more difficult. Malicious actors have to think of new and creative ways to gain access to their targets. In other words, how can they trick someone into opening the front door?
The answer, have them open the front door without even realising they are doing it, using a client-side-attack.
This type of attack targets the client machines that are accessing resources stored on web servers and then exploiting the access and data afforded by that machine. Frequently this is an easier option than going directly after a target.
Everyone who uses the Internet does so using a browser, making the browser a highly attractive vector for a client side attack. Of the four major players in the browser space, every single one of them has had some sort of security scare in recent history. They are all written primarily for speed, and include features that put the business interests of the developers ahead of user online safety, so say the folks at Whitehat Security.
Whitehat are a security research firm, and have just launched their first foray into the world of consumer applications with Aviator. A browser built with security in mind, rather than supporting the advertising industry or collecting browsing data for analytics.
According to Whitehat, Aviator was an internal tool that their staff used to protect themselves when scouring the darkest murkiest corners of the Internet. It is built on the Chromium framework, so users of Google chrome will find the UI familiar (let’s be honest, most of the ‘big 4’ look the same these days) and will be able to run their favourite Chrome extensions in Aviator.
Other security features of Aviator include built in Ad blocking and tracking, often a vector for malicious redirection. The browser has no browser history, cookies that could be harvested by cross site scripting attacks are not saved longer than they are required. In a similar vein, each browser tab is sandboxed, isolating the contents of the tab.
Flash and Java, arguably the security professional’s biggest adversaries in the world of browser technologies, are blocked by default in Aviator, but not completely. A handy click to play feature allows the user to unlock the content they trust, while the nasty stuff remains blocked.
Finally, the browser prevents external sites from querying websites that live behind your firewall. Improving the security of intranet resources.
You can download Aviator from Whitehat Security here:
Currently, the browser runs only on the Mac OS X operating system, but depending on popularity, the company says they may offer the browser to Windows users.
So go and explore the first browser designed by security professionals, specifically with security in mind and help keep the doors to your organisation closed.
Security Begins at Home
By Mike Sheward
As I glance around my living room, I can’t help but notice the number of devices in my field of vision that have an IP address. I see a couple of laptops, a smart TV, my DVR, a games console, security camera system and a couple of smartphones. That’ll be 8 IP connected devices without turning my head a single degree.
I consider my set up to be fairly typical; I can guarantee that there are plenty of homes out there with so many more devices floating about the place.
The rapid growth of the number of IP connected devices has pushed technologies that only a few years ago resided exclusively in the realm of the office IT department.
Consumers can take home the power of packet filtering firewalls, access control lists, port forwarding, advanced routing and wireless encryption – all for about 70 quid.
However, as we can all attest, having all of these tools in the box and knowing exactly what they can do are two very different things. Anyone who has given a child a toy on Christmas day that requires some sort of construction, or installation of randomly shaped, impossible to find batteries, will know that the finer details are frequently glazed over in favour of getting the thing working as fast as possible.
The same is true of home IT and networking equipment. Get it operational, so that everyone at home can use it, and then go back to relaxing.
It used to be the case that what happens at home stays at home. However, in today’s world, the home is an extension of the workplace. The work computer goes from the home network, to the work network and back again. Often, the work computer will stay in the office, and only the ‘work’ will go backwards and forwards. Documents and spreadsheets sent out of the relative safety of the corporate email system, to personal email addresses where the contents can be harvested for sidebar advert material, and other much worse things.
The lines between home and work are blurred. If your company loses data as a result of a breach originating in an employees home network or equipment, it is still your organisations data. It is your organisation that will feel the pain.
Now, you can’t very well go around and knock on all your employees’ front doors and say ‘Hi, I need to sweep your network, it’s basically an extension of the office’. Some may not like this; it may be considered an invasion of privacy.
What you can do as a business, is offer basic security advice to employees that will reduce the risk a home breach becoming an office breach.
Provide Wireless Security Advice
The single biggest weakness in home networks is poorly configured wireless encryption. It takes about 10 minutes to remind employees of the need to ensure they are running WPA2 encryption with a complex password.
Provide Antivirus Software
An increasingly common strategy is to offer antivirus software for free or at a reduced cost to employees for home use. That way you can guarantee they aren’t going to fall for a fake AV scam, and they are running something half decent.
Host a Mobile Device Security Drop In
It takes about 5 minutes to look at someone’s mobile device and determine if it is appropriately protected with a passcode and automatic lockout. A drop in session once a month for employees will help build relationships between the IT/security team and the employee and is a non-intrusive way to help enforce mobile device policies are personal devices.
Encourage Secure Use of Social Networks
Content spread over social networks can either be mildly embarrassing or down right destructive. Provide advice to employees on how to restrict access to social networking profiles, and encourage them to pass on the lessons to their immediate families. Little Timmy’s relentless installation of apps on a machine Dad uses to manage payroll is a situation we’d all like to avoid.
Make Consumer Device Security News Accessible
Not everyone knows where to look for security news, and to be honest; most people outside of the ‘biz’ will never visit a security news site. The occasional cyber security story may go mainstream if the impact is big enough. As an organisation, you should do what you can to inform employees of security problems with consumer devices, which may impact them.
A good example of this is advising employees when a bug is discovered in a consumer grade router that requires a firmware upgrade to fix.
These ideas are designed to be powerful enough to have a positive impact on security at home, which will spill over into the work environment. While at the same time being lightweight enough to maintain with little overhead or intrusion into an employees private space.
And for those who say that they do not permit employees to work at home – if someone needs to work, they will work, and they will use the tools they have available to complete that work. If that means grabbing the nearest computer to send an email, or work on a document, chances are they’ll do it. It’s human nature to want to get the task done with the least resistance.
Talk to your employees; ask them how they use home technologies to do work, and build controls and programs that help them understand the responsibility of ensuring that information security begins at home.
Unless you’ve had your head planted firmly under a rock for the last couple of years, you are probably aware that more and more people are purchasing their own devices – tablets, smartphones, smart watches, hybrid tablet-small laptop things and using them not just at home, but in the workplace to.
It can be as simple as reading work email on a personal phone, or fully replacing a company issued 5-pound ‘regular’ laptop with a tablet for travelling.
It makes a lot of sense, why shouldn’t folks use the same devices they are comfortable with at home for work purposes? But then again, what are the security and compliance implications for such a move?
Herein lies the argument that has surrounded BYOD since someone first came up with that term put it to paper, only for it to be reprinted seventeen million times in various articles and publications.
This post will not serve as another yay or nay post for BYOD, because honestly, for most organizations the answer will lay somewhere in the middle – yes, you can use a personal device for certain things, but not for others. It also depends on the industry of course; confidential healthcare records probably don’t belong on Tina’s iPod.
Instead, we are about to discuss what should really drive a BYOD policy – the answer is data, and the requirements around the handling of that data.
Confidential healthcare records are of course an example of data, and they are subjected to various regulatory standards. Credit card information, trade secrets, source code, sales data and financials are also valid examples of data that are again subjected to external and internal standards and requirements.
Those examples are particularly sensitive it has to be said. If someone has to own, handle, update or manipulate this data as part of his or her day job – as a security person, you might start to shiver when folks start to use their own devices to touch any of it.
You might be thinking that the solution is simple – ban all personal devices. Sure enough, there are plenty of organisations that will do this, and those who do will usually have the resources in place to police this policy. Others, might not have such capabilities, so although the official line says one thing, the reality is quite another.
A solution that can meet the needs of both sides of the BYOD argument can be referred to as ‘ring fencing’. This is not a new idea by any means (think terminal server), but the technology that allows this solution to be delivered both reliably and securely has advanced significantly in recent times, this means it is rapidly gaining momentum.
Essentially the idea is that you keep all your data on your organistion’s servers, users access the data via a company owned and controlled virtual desktop infrastructure (VDI), which provides a layer of abstraction between the personal device and the data, finally security controls prevent the flow of data out of the ‘ring-fenced’ environment.
This allows the organisation to declare the inside of the ring-fence to be their compliance boundary, for standards like the PCI DSS, as strictly speaking this is the only place the data resides.
This approach has other advantages to – it is much easier to deploy today’s Java patch to a VDI farm than 500 globally disparate laptops.
As with all things though, there is a downside – the switch to VDI isn’t for everyone, it does require significant investment initially to get things running. Not everyone will use a personal device for business, because not everyone wants to mix business with pleasure. Everyone knows at least one person that carries two phones around (and will get teased about their secret identities as a result).
That said, VDI does seem to be proving itself as a way for organizations to maintain centralised controls in an increasingly decentralized IT world. This can have a significant positive impact on an organisation’s security and compliance posture.