Defending Against Social Engineering
Due to technical advances in today’s society, traditional boundaries, borders and personal privacy have been redefined. This has resulted in a new freedom of expression for many people throughout the globe, providing advances such as the availability of educational resources and the collaboration of great minds in every discipline regardless of their physical location or language. This worldwide connectivity has effectively collapsed a once-expansive world into a small, tightly-packaged virtual neighborhood.
Corporate Espionage – Cyberwarfare Is Here To Stay
Last week, Facebook was attacked. This week, it was Apple’s turn. Jeep‘s Twitter account also became a target, and on Monday, Feb 18th, it was Burger King’s Twitter account that got defaced with McDonald’s logo.
Something peculiar is going on here. Cyber-warfare is now absolutely here, and it is here to stay. 2012 was rough, but looking ahead makes for very scary reading, whether for the future that has yet to come or for the one that is already here. If huge corporations and government departments that invest heavily to protect themselves are getting caught out, then what hope is there for those that are not even concerned about their security posture and awareness?
Art of Lockpicking at Ruxcon 2012


Ruxcon 2012 is now over. In the next few weeks, I will be going over different topics and exercises from this great conference, which presented me with a unique opportunity to meet other security professionals from Australia and the Asia Pacific region as well as see first hand some of the coolest projects that are going on out there.
However, there was one exercise I had never tried my hands on – lockpicking! As physical security remains the fundamental of securing assets, I felt that it was important to take part in the exercise.
After several tries and learning to be patient, I eventually managed to unlock two padlocks during the lockpicking workshop. But to really learn the art, I would need to get the right tools and practice more with “practice locks”. When I have all the tools that I need, I will update this entry with adequate information on how to get involved.
Security Evolutionary Process

Two top news items today, May 3rd 2012:
- Over 1.5 million Visa, MasterCard credit card numbers stolen? - http://www.zdnet.com/blog/security/over-15-million-visa-mastercard-credit-card-numbers-stolen/11755?tag=nl.e036
- Attack takes Soca crime agency website down - http://www.bbc.com/news/technology-17936962
Evolutionary process
There are three significant areas in modern security: databases, file servers and web applications. These are the points where critical data resides or, in the case of the web server, which provide the portal to critical data. With the nature of the Internet, information sharing has become the driver for most businesses. This may be trade information that gives an organization a competitive advantage or, in many cases, private information of customers that the organization holds. It is therefore becoming ever more challenging to protect all key assets. In the case of the RSA breach last year, in which they lost key proprietary data, the cost is estimated at around $66.3m. Then you have the cases of Sony, Citigroup, Stratfor, Lockheed Martin Corp, Google Inc, and the list goes on. As we have seen, no single organization is fully exempt. A breach is no longer a simple passive event; it actively destroys the credibility of the company involved. The level of damage depends on what is compromised.
There used to be a time when security conversations ended at whether or not there was a perimeter firewall. That has now changed. In the case of the RSA attack, a social engineering method (a phishing attack) exploited an Adobe Flash vulnerability (CVE-2011-0609) to compromise a node and create a backdoor with a zero-day payload, giving the attacker access into the RSA network. A zero-day payload would have allowed the attacker to bypass most signature-based anti-virus solutions. It was only a matter of time before the attacker compromised critical systems and thereby gained access to critical data.
Over the course of the past 12 months, I engaged in research and analysis of various attack methods. I focused on simple propagation of attack methods – from ARP spoofing and DNS poisoning to phishing methods like the one I have described in the case of RSA. This type of research gives an insight into an attacker’s mind. By understanding the various methods used, one tends to gain a greater level of appreciation for what is required to protect organizations. The goal is to protect a corporation’s most valuable assets, which are essentially its critical data. In today’s hyper-connected world, the goal is always to try to keep out the bad guys by attempting to remain one step ahead.
Secure and Optimize Your Web Application

Given the rate at which we continue to see cyber attacks, it is obvious that there is still a wide gap in how security controls are implemented for web applications. I have been experimenting with a number of solutions to help me solve this problem, to not only secure but also optimize HTTP requests to a web server.
Here is a use case that describes a problem I faced with a fan forum website when I was consulted to help improve security and performance. The website is based on the vBulletin engine and runs on Linux, Apache, MySQL and PHP (LAMP).
Here goes…
Problem 1 – Security
There were documented issues of persistent Denial of Service (DoS) attacks, especially SYN floods. Given the nature of the attack, implementing iptables was simply not enough: every couple of months, the site would be down again. Due to limited resources, I had to implement a new set of controls that would go beyond the functions of a conventional firewall.
Problem 2 – Performance
The site had performance issues with a hook called Shoutbox, which allowed members to chat in real time using HTTP POST requests. This is usually fine until you have a high volume of users. At that point, Shoutbox can cripple the CPU as each request is passed to the database, written back to the hard drive and presented to the user.
Solution
Solution to Problem 1: Web Application Firewall – ModSecurity
A hybrid of firewall and protocol-aware application Intrusion Prevention System (IPS) is needed: a Web Application Firewall. The conventional firewall that sits at the perimeter with port 80 wide open to the world is no longer sufficient against attacks such as SQL Injection, Cross Site Scripting (XSS), Cross Site Request Forgery (XSRF) or HTTP DoS attacks.
What can I get that is cost effective without compromising on the objective of providing in-depth security controls that address all the forms of attack listed above? ModSecurity.
ModSecurity is a Web Application Firewall (WAF) from Trustwave SpiderLabs that filters both incoming and outgoing data and is able to stop malicious traffic using a set of predefined rules.
Conventional model: HTTP Request (port 80 passes through the firewall) –> Apache Server. This opens the flood gate to different forms of attack.
Secure model: HTTP Request –> ModSecurity –> Apache Server
ModSecurity is extremely versatile and effective at providing an exceptional added layer of security to web services. Not only does it provide application-level protection, it can help mitigate the effects of zero-day exploits that use unpatched modules or software as the attack vector. It is one of the recommended solutions for mitigating at least four of the OWASP Top 10 vulnerabilities.
ModSecurity rule to block Blind SQL Injection:
# Blind SQL injection
# Stage 1: cheap @pm keyword prefilter. On a hit, skip:1 jumps over the SecAction so the regex rule below runs;
# on a miss, the SecAction skips past the whole group (skipAfter:959007).
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@pm sys.user_triggers sys.user_objects @@spid msysaces instr sys.user_views sys.tab charindex sys.user_catalog constraint_type locate select msysobjects attnotnull sys.user_tables sys.user_tab_columns sys.user_constraints waitfor mysql.user sys.all_tables msysrelationships msyscolumns msysqueries" \
"phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,pass,nolog,skip:1"
SecAction phase:2,pass,nolog,skipAfter:959007
# Stage 2: the precise regex, run only when the prefilter matched. The matched text is logged as %{TX.0}.
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql.user)|c(?:onstraint_type|harindex)|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)" \
"phase:2,capture,t:none,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack',id:'950007',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtype\W+\bchar|rownum)\b|t(?:able_name\b|extpos\W+\())" \
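To see what the rule above actually does with a request, here is an added Python model of its two stages (the @pm keyword prefilter, then the regex from rule id 950007) applied after the same transformation chain. This is my example, not ModSecurity's code or the Core Rule Set; the transformation functions are standard-library approximations of ModSecurity's, and the sample Shoutbox POST arguments are constructed.

```python
import html
import re
from urllib.parse import unquote_plus

# Keyword list copied from the @pm prefilter rule above.
PM_KEYWORDS = (
    "sys.user_triggers", "sys.user_objects", "@@spid", "msysaces", "instr",
    "sys.user_views", "sys.tab", "charindex", "sys.user_catalog", "constraint_type",
    "locate", "select", "msysobjects", "attnotnull", "sys.user_tables",
    "sys.user_tab_columns", "sys.user_constraints", "waitfor", "mysql.user",
    "sys.all_tables", "msysrelationships", "msyscolumns", "msysqueries",
)

# Regular expression copied from rule id 950007 above (Python re accepts it unchanged).
BLIND_SQLI = re.compile(
    r"(?:\b(?:(?:s(?:ys\.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s"
    r"|c(?:onstraints|atalog))|all_tables|tab)|elect\b.{0,40}\b(?:substring|ascii|user))"
    r"|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql.user)"
    r"|c(?:onstraint_type|harindex)|attnotnull)\b|(?:locate|instr)\W+\()|\@\@spid\b)"
)

def normalize(value):
    """The rule's transformation chain, in order. urlDecodeUni and htmlEntityDecode
    are approximated with the standard library (assumption, not ModSecurity's code)."""
    value = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
    value = unquote_plus(value)                            # t:urlDecodeUni (%XX and '+')
    value = html.unescape(value)                           # t:htmlEntityDecode
    value = value.lower()                                  # t:lowercase
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)   # t:replaceComments
    return re.sub(r"\s+", " ", value)                      # t:compressWhiteSpace

def detect_blind_sqli(value):
    """Cheap @pm prefilter first; the regex runs only when a keyword is present
    (otherwise the SecAction skips it). Returns the %{TX.0} fragment or None."""
    norm = normalize(value)
    if not any(keyword in norm for keyword in PM_KEYWORDS):
        return None
    match = BLIND_SQLI.search(norm)
    return match.group(0) if match else None

def scan_args(args):
    """Return {argument name: matched fragment} for every argument the rule flags."""
    return {name: detect_blind_sqli(value) for name, value in args.items()
            if detect_blind_sqli(value)}

# Constructed sample POST arguments: two benign, two hostile (the last one mixes
# URL-encoding, mixed case and a /**/ comment, all undone by the transformations).
SAMPLE_ARGS = {
    "message": "hello everyone, see you at the game",
    "userid": "42",
    "sort": "1 AND CHARINDEX('a', user) > 0",
    "page": "1%27%3B+SeLeCt/**/ASCII(user)--",
}
FLAGGED = scan_args(SAMPLE_ARGS)   # {'sort': 'charindex', 'page': 'select ascii(user'}
```

Note that the engine already URL-decodes ARGS before phase 2, which is why the 950007 rule itself omits t:urlDecodeUni; the model decodes once up front for both stages.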
Solution to Problem 2: Web Application Accelerator – Varnish Cache
To resolve Problem 2, the performance issue, I deployed an HTTP optimization solution called Varnish Cache.
What is Varnish Cache? Varnish Cache is a web application accelerator that sits in front of an HTTP application server. It caches the content of the requests made by users in volatile memory and consequently speeds up each transaction. Varnish also integrates very well with ModSecurity to become a Web Application Firewall.
Conclusion
These two tools combined have greatly improved the security and performance of the web application server and consequently enhanced the availability of its services to users. While you need advanced knowledge of web attacks, understanding the syntax of both ModSecurity and Varnish Cache requires careful planning and some familiarity with programming, as you have to configure all the rules manually. It is, however, worth noting that both ModSecurity and Varnish Cache are free under open source licenses.
Impact of Security on Compliance.. Which First?

Over the past several years, the need to be compliant with a government or industry standard has been driving IT security spending. However, as I highlighted in my last post, in which I reviewed some of the major hack attacks of 2011, including Sony, RSA and DigiNotar, it is safe to predict that there is going to be a shift in corporate mentality when it comes to security spending. It is no longer going to be a case of “let’s do it to become compliant”, but more like “let us secure our business to protect our bottom line”.
A recent study by the Ponemon Institute estimated that the cost of a data breach is around $1.5 million to $36.5 million for organizations. That pales in comparison to the estimated $170m loss expected from the attacks against Sony last year. Therefore, it really depends on who you are and your type of business.
Another new reality is that no one is really immune to these attacks. On Christmas Eve, Stratfor (a global intelligence and corporate security firm) was attacked and the credit card data of subscribers was compromised. To that effect, Stratfor’s website is still down as of today. That tells you the magnitude of the attack, the fallout of which may get ugly. Visit www.stratfor.com and you will be greeted with the brief message below. It doesn’t get worse than that, folks!
In addition, it was revealed today that Symantec’s source code for Norton Antivirus has been compromised. Given that Symantec is synonymous with “security”, this tells you that no one is immune.
The following are examples of personally identifiable information that count toward critical data that must be protected:
- Full name (if not common)
- National identification number
- IP address (in some cases)
- Vehicle registration plate number
- Driver’s license number
- Face, fingerprints, or handwriting
- Credit card numbers
- Digital identity
- Date of birth
- Birthplace
- Genetic information
Source: http://en.wikipedia.org/wiki/Personally_identifiable_information#Examples
Penetration Testing path
I’m currently working on gaining a certification in penetration testing. I’m yet to decide whether to go for C|EH (Certified Ethical Hacker) or OSCP (Offensive Security Certified Professional). I have some materials that I’ve been using to gain further knowledge of ethical hacking and countermeasures. Along with that, I’m in the process of finishing my lab, which involves multiple virtual machines (VMs) with several operating systems such as Ubuntu, Windows XP and Fedora. These VMs are the cornerstone of my research and development into testing tools and exploiting vulnerabilities in software, operating systems and services in my lab. To support my virtual machines, I have a Juniper SSG firewall, a Cisco UC520 and a SIP trunk.
- Penetration Tester’s Open Source Toolkit
- Gray Hat Hacking
- NIST-SP800-42 – Guideline on Network Security Testing – http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf
- Open Source Security Testing Methodology Manual – http://www.isecom.org/osstmm/
- www.hakin9.com – Magazine detailing techniques and trends in security
- Last but not least, BackTrack 4, a tool for all ethical hackers
Privacy – Do you trust fax machines?
I’ve been watching the case of Caster Semenya, the South African athlete who had to take a gender test before the 800m women’s final at the World Championships in Berlin.
What is ‘Reasonable’ IT security?
Times are changing, and changing fast. The world we live in today is no longer one in which our choices are limited by technology or ignorance. Information security is now part of the regular news bulletin, and the technologies to secure assets are readily available. Ten years ago, security was not always on the agenda for most enterprises. However, since the turn of the century, which may be attributed to the attacks on the World Trade Centre, a sense of awareness and responsibility to protect data is now a top agenda item for most institutions.
While security solutions, in both physical and logical controls, are now very accessible, a new problem seems to be brewing. I have seen cases where controls are so tight that they become a nightmare for network and security administrators to manage. This can create a frustrating situation, but if an accurate risk analysis is factored in, one can challenge why such stringent security measures were ever implemented.
You would want to ask questions such as:
- What are we protecting and the value to our business?
- What is the cost of maintaining this safeguard, and does it match the value of the asset being protected?
Factors to consider when implementing security solutions:
Risk Analysis
Before undertaking any project to protect assets, risk analysis should always be the starting point. This analysis helps in valuing the asset that needs protecting, identifying potential threats to the asset, estimating the probability of occurrence and deciding how much should be spent on safeguards. Risk analysis can be either qualitative or quantitative depending on the risk and asset in question. An accurate risk analysis helps in presenting a clear case to upper management.
Cost
While many start with the cost of the safeguard in deciding how best to protect assets, this is not wise. Without an accurate risk analysis, too many assumptions are made based on wrong perceptions. The general consensus is that most attacks on assets are logical, in the form of Internet-based attacks, but other threats such as fire, system failure and human error (ignorance and negligence) are just as prevalent.
So remember to fully identify the threats and examine them against the value of the asset you wish to protect.
Manageability
Irrespective of the safeguard you decide to put in place to mitigate risk, it is imperative to ensure that managing it does not become a burden. You want to ensure that the people who are going to administer the controls are fully aware of their responsibilities by giving them adequate training and raising their awareness. To maintain Confidentiality, Integrity and Availability (CIA), there must be a good balance between creating complex controls and the manageability of those controls. If the controls implemented (physical or logical) turn out to be too complex to maintain, negligence creeps in and employees grow resentful and do everything they can to circumvent the controls. Likewise, if administrators find it hard to perform daily mundane tasks because they always need to fill in change control forms, the purpose of the implemented control is defeated.
Monitoring and Auditing controls
It is essential to have well-scoped monitoring and auditing controls in place. Monitoring deals with the day-to-day events that could compromise security, while auditing ensures that the right security controls are implemented properly with the right policies.
Monitoring is a daily, real-time following of events that may result in an outage or compromise assets, while auditing happens at intervals.
Summary
The key to implementing successful controls is balance. Care must be taken to ensure controls are not wound so tight that they cannot be managed and sustained. Always keep in mind that a complex network does not translate to a secure one.