TripleCheck Consulting Blog

Avoiding Ransomware Payments: 4 Backup Fundamentals

2020-10-06T12:57:00.006-06:00

Having access to backup copies of critical data is the only way to guarantee avoidance of costly ransomware payments, insurance claims, and extended downtime to business operations. All too often this advice is heard only after experiencing an attack, and in hindsight these simple steps seem obvious.

During ransomware incidents technology staff are commonly not aware of techniques used by these criminals to take advantage of ineffective backup routines. In our experience conducting incident response recent ransomware events involve the targeting of backup processes. Reconfiguration of backup technologies, deletion of cloud storage environments, and destruction of backup data discovered in their attack are all used to prevent you from a simple recovery.

When you wake up to discover encrypted systems, there are literally no copies of your critical data left to be restored, your business operations are crippled, and the only path forward is negotiations with criminals. This is, as terrifying as it sounds.

As dire as the situation appears, simple steps should be used to avoid it altogether.

Include critical data

It seems obvious, but many people don't realize that important data lies outside of core business systems. This can include file shares, mail box contents, and 3rd party services. Mapping out critical business processes and the data used to support them will help to create and maintain this list. For each set of data the next step is to determine how far back in time you need to maintain (recovery point) and how long it will take to restore the data (recovery time).

Apply the rule of 3

Three copies of any critical data, two different storage technologies, one copy off-site. Although not as relevant to ransomware attacks this rule reinforces the reliability of backup data by avoiding single points of failure related to physical losses like fires and floods and also failures in backup technologies. In most cases we recommend the off-site copy of the data be the immutable one.

Use immutable storage

The third best practice to leverage an immutable storage service for one of the copies of backup data. These write-once read-many (worm) backup solutions prevent existing backups from being deleted until a pre-determined recovery time is exceeded no matter what level of access is obtained. This option exists in almost every modern cloud-based storage provider including Amazon S3, Microsoft Azure Storage, Google Cloud Storage, and many others. Combining immutable storage with regular online/on-premise backups

Test recovery

Simulation of an attack will validate your procedures. Build and hold scenario-based exercises to simulate a ransomware attack, and test your ability to recover critical data within an acceptable period of time. These test scenarios should assume that the criminal has administrative access and the ability to access backup systems.

Through understanding data, implementing reliable backup techniques and testing them, impacts of crypto ransomware attacks can be mitigated, and provide executives piece of mind.

The PhishSeine Advantage

2015-11-05T17:01:00.001-07:00

Making improvements in our services is one of our top priorities. The feedback we get from clients is invaluable in connecting with the needs of others and making sure our solutions remain effective.

This is a great opportunity to share the feedback we've got on our PhishSeine service. The social-engineering platform provides our clients with the ability to test their users susceptibility to phishing attacks and provide on-the-spot training to those users that need it.

The first key difference in our service is the lack of a need for whitelisting. Other vendor's solutions require you to whitelist their servers so that the messages bypass traditional spam and email filtering. We feel that this is cheating, if our campaigns aren't good enough to bypass your spam filters, then either you have very effective filtering (whitelisting) or we're not good enough at our jobs.

The second key difference is our ability to custom tailor the experience to your users, each of our campaigns is built specifically for you as the client with tweaks made to reflect the really risky targeted attacks that are becoming very common.

The last important difference is our licensing model, instead of charging a higher rate per user included in the program we have a lowered fixed per-campaign fee and only charge for users that are successfully phished. So as your education gets better your costs go down, motivating you to build the most effective educational messages for your staff.

Give us a call or email for more information on how you can take advantage of this service.

ShellShock Basics - Updated Oct 1st

2014-09-25T17:59:00.002-06:00

Update 2 - October 1st: As expected still lots going on;

As the mainstream media attempts to make sense of all the hype surrounding the latest security vulnerability, IT support staff are left to try to make sense of it all and determine what if anything needs to be done.

Background: Bash (aka Bourne-again Shell) is used as an interactive shell on most Unix-like operating systems. It comes by default on many popular distributions such as Ubuntu, OSX, and other Linux platforms.

The bug: One feature of the shell is to allow a user to set environment variables, unfortunately the bash shell does a poor job of interpreting these values and if the right sequence of characters is used, extra commands can be executed.

Apparently introduced in the 1980's
Initial NVD CVE - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
Followup NVD CVE (incomplete patch) - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

Exploitation: By simply injecting extra code that will get passed to bash it will get executed in the context of the process reading it. This happens as soon as the environment variables are read by bash.

Mubix (Rob Fuller) has a repo of all the available PoC's - https://github.com/mubix/shellshocker-pocs
OpenVPN vulnerable in certain configurations
Metasploit modules available - https://github.com/rapid7/metasploit-framework/commit/38c8d9213162e95fdcdafd793514acd4010afa24
Generic Python Reverse Shell Tool - http://pastebin.com/166f8Rjx
Linux ELF malware exploits in the wild - http://blog.malwaremustdie.org/2014/09/linux-elf-bash-0day-fun-has-only-just.html
cPanel CGI Scripts - http://blog.sucuri.net/2014/09/bash-vulnerability-shell-shock-thousands-of-cpanel-sites-are-high-risk.html

Am I vulnerable: Any software that you use that reads environment variables from untrusted, unauthenticated inputs should be examined. Example if a CGI script parses HTTP headers. It is prudent to review all of your public interfaces for potential exposure. Use the Cert list to see if your vendors are listed and get a link to the specific advisory.

CERT List of Vendors Affected - http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=252743&SearchOrder=4
Nmap tests
Masscan tests

Is it patched yet: There are numerous vendors affected. Many of the major vendors were informed about the bug prior to release to prepare patches, some have patches that work, others do not. Basic patches have been released.

Apple released a patch for OSX - software update
The first patch was apparently incomplete (but did block remote code execution
Cisco confirming ASA and other products affected - http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
Word of Oracle Solaris affected - https://community.oracle.com/thread/3612825
Rumours of Apple's position - http://www.imore.com/apple-working-quickly-protect-os-x-against-shellshock-exploit

What else should I do: Monitor requests (in the past if you have the capability) this will tell you if people are attempting to exploit you. Look for signatures that have been released by Sourcefire, BroIDS and other IDS vendors. If you can look at past traffic captures then you might be able to determine if you had been a target prior to the bug's disclosure.

Updated Snort IDS rules - http://emergingthreats.net/products/etpro-ruleset/daily-ruleset-update-summary/
Bro IDS updates - https://github.com/broala/bro-shellshock

Monitor the situation closely, it is likely that there will be details of the specific applications and software affected as well as other mitigations that can be taken until robust patches are released.

Testing the CVE2014-0160 HeartBleed Attack - Part I

2014-05-01T08:33:00.000-06:00

This is part one of a multi-part series associated with the HeartBleed vulnerability. This part deals with getting your environment setup with a vulnerable SSL webserver (using Kali Linux), and the client software used to test for and exploit it.

Setup the vulnerable web server.

Kali Linux already has apache installed, so simply enable the SSL mod, create a directory to hold the key material, generate the private key and ssl cert, and restart the server to

sudo a2enmod ssl
sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
sudo openssl req -x509 -nodes - days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/webserver.key -out /etc/apache2/ssl/webserver.crt

Then you'll need to edit the ssl site configuration to enable it for your ip address (not the one below).

vi /etc/apache2/sites-available/default-ssl

Add the information for your server.

ServerName 192.168.4.134:443

and change the following lines to use the newly generated key material:

SSLCertificateFile /etc/apache2/ssl/webserver.crt
SSLCertificateKeyFile /etc/apache2/ssl/webserver.key

Then restart the apache server

sudo service apache2 restart

And test the server using a web browser:

Your browser should still complain about the self-signed cert.

Install the HeartBleed test software:

To test for / exploit the vulnerability I'm initially using the python test code here: https://gist.github.com/takeshixx/10107280

git clone https://gist.github.com/takeshixx/10107280
cd 10107280
python hb-test.py 192.168.4.134|more

Great I can confirm that I have been able to extract data from the vulnerable OpenSSL library. But the returned data doesn't make much sense.

Many people have been kind enough to release tools that take the exploitation a step further. Robert David Graham @erratarob released the heartleech tool as a response to the cloudflare challenge. This tool provides a bunch of extra features including;

Automated extraction of mass amounts of memory
Automated retrieval of private keys
Limited IDS evasion (most signature based IDS products)
STARTTLS (email server library)

Building the binary on OSX 10.9 is fairly easy but you need to download and compile the OpenSSL library as documented in Robert's instructions. Once built simply run it against the site in question;

Extract and Use the Private Key:

Good, it reports it as vulnerable. Now lets try to extract the private key.

Very quickly it came back with the key material, now I could create a new server certificate using this private key and impersonate the server. Which should match the one on the vulnerable web server.

Now with the private key extracted, I can create a message and encrypt it with the extracted private key, and verify the signature using the certificate that I got from the web server.

Very good work by @erratarob on the speed of getting a tool like this out publicly, I should have a new post soon with results of testing the IDS evasion functionality soon.

Edmonton HeartBleed Information Session - April 16th, Royal Glenora Club

2014-04-14T21:13:00.001-06:00

Since the latest major OpenSSL vulnerability was publicly disclosed, many people and organizations are scrambling to understand, respond and prepare themselves for the future.

Twitter, vendor support channels and media outlets have been quick to cover different angles of the issue but there has been overwhelming amount of information released.

With all this information, it can be difficult to understand what's relevant. To help clarify we holding a special ISACA sponsored 2-hour session on Wednesday, April 16th, starting at 12:00pm at the Royal Glenora Club.

Benoit and I will be attempting to explain as much of the issue as we can from a technical and non-technical perspective, discussing the vulnerability, its scope with relation to our personal and professional lives and other related concerns such as our trust in the public PKI system. The second hour we will be an interactive discussion about how others are dealing with problem, questions about related topics, and peer discussions.

We encourage you to attend and invite others that you think might benefit from this session. Space is limited to approximately 50 people on a first-come first-serve basis. Please have lunch before you arrive as no food will be served.

We'll make our presentation available after the session, and as always you are welcome to send questions to me directly.

See you there,

Mark

Touch ID - Distributed Fingerprint Lookup

2013-09-27T13:54:00.000-06:00

All the press regarding the new Touch ID fingerprint biometric on Apple's new iPhone has brought some insight into how to misuse this service. Most of the critics have focused on circumventing the device to gain access or Apple deciding to share the data with the Government.

One interesting perspective that I haven't seen covered yet is if the system could be used as a distributed matching system for existing fingerprint image systems. In an over simplified view of the process, a law enforcement agency can take an acquired fingerprint and search for patterns in the database of collected prints and spit out possible matches.

Although Apple states that an API won't be available for apps, it is conceivable that such an interface might exist, and provide the ability to take an acquired print (either from the iPhone hardware or from software) and check it for validity against the stored print.

There are some limits to this, as there is likely only going to be one print stored (Thumb in most cases) and the matching wouldn't be perfect (high false-accept and false-reject rates), and distributing a request for matching over public networks could potentially be discovered. But, the pros of attempting matches across the entire iPhone population might outweigh these cons.

If anyone has more detailed information about the potential for this type of use I would like to hear about it.

Local Classified Penny Auction Scam

2013-05-16T13:22:00.002-06:00

While there are a lot of new posts regarding the new ways to exploit people using novel techniques and 0day exploits, there continues to be a rash of tried and true methods of coercion. I want to just walk through a simple example and reflect on how effective these methods continue to be.

Many people turn toward online classified sites to buy and sell items online. This example starts with kijiji.ca which even I've used on occasion to find used electronics and other items. Doing a search on the site for a "Samsung Galaxy Note 2" returns a posting from today with someone selling one for an unreasonably priced unit.

$125 for a $500 phone?, but what if it's for real? No harm in just asking some simple questions. Email sent with some obvious questions regarding the condition and location.

About an hour passes before I get a response from what appears to be a legit seller.

Notice no answer to the questions I asked, but a friendly pointer at where the unit came from and how I could get one for the same price. What is biddycacts.com though? Well this online penny auction site claims to allow for purchases way below the value of the items being sold.

Including a not-so-obvious but intentionally generic newsreel video.

https://www.youtube.com/watch?feature=player_embedded&v=OK9mUVAPTMY

That's when I get the second email from another email account with the exact same content and a link to a different URL but same exact site. bidcactus.com.

Ok so even now I'm suspicious and I do a little digging into the DNS registration information, YouTube account posting the videos and the posts on Kijiji related to the items. All appear to be somewhat anonymous and scammy.

Switching mindsets to that of the people behind this scheme. What might be going on here? Here is one likely scenario:

The scammers setup the fake bidding site and youtube accounts and probably twitter and email accounts too. Including fake items and auctions.
They post a few ads on local advertising sites for desirable items for too-good-to-be-true prices.
Setup a script to auto-reply to inquiries about the items from legitimate buyers with links to the scam site.
Ask for registration from the user which includes an email address and password.
Use this email address and password to attempt to access the email provided. Any that work add them to the list of people that scam messages are sent from.
If the user is gullible enough to bid and pay for items using a credit card or paypal, this is free cash.
Wait a week or two then switch to another email address, URL, payment gateway etc
If the scammers were really nefarious they could also extract all of the email from the user and likely use it to conduct additional fraud or ID theft.

Simple scams like these are obvious to critically minded people, but with so many people online exposed to this how do we find out about them? Plus what's to stop more from springing up all the time.

Three lessons for people:
1. If something looks to good to be true, it almost always is.
2. Follow safe browsing practices. Be patient and don't rush into giving anyone your information or registering with unknown sites.
3. If you fall for a scam, tell people about it and register it with local law enforcement (http://www.rcmp-grc.gc.ca/scams-fraudes/index-eng.htm), Internet Crime Compliant Center (http://www.ic3.gov/default.aspx), and google's phishing report (http://www.google.com/safebrowsing/report_phish/).

Creating an Encrypted Bootable OSX Lion USB Recovery Disk

2011-12-05T17:15:00.001-07:00

With Apple's latest operating system release 10.7 - Lion they have included a number of new features which make it a bit more convenient to both backup and secure your data in case of a failure. In this short post I'll explain how to use a generic external drive to make a secure bootable disk for your mac.

First a disclaimer and some assumptions regarding your setup. I have used these instructions to get a working disk on my setup - but this does not mean that the same steps will work for you, so use caution - and if anything goes wrong please feel free to add to these steps.

I am also assuming that you are using the latest operating system patches for OSX and I'm at version 10.7.2.

Step 1 - Connect and prepare your external USB drive.

Connect your USB disk and open disk utility.

Change the formatting scheme of the disk to include two partitions, a 1GB partition, and a partition using the remaining disk space. I named one as RECOVERY and one as TIMEMACHINE. Ensure that under "Options" the format is GUID Partition

Select the format for both of the partitions as Mac OS Extended (HFS) and click apply. Note - this will erase all of the data from the selected drive so make sure you have the right drive selected.

Step 2 - Download and Install the OSX recovery disk assistant from Apple - http://support.apple.com/kb/dl1433

The wizard will ask you which disk you'd like to use to install onto. Select the RECOVERY Volume. Be aware that this will erase all data on the selected disk (well except for the TIMEMACHINE partition that we created earlier :)).

There is now a hidden recovery partition with a type of "Apple_Boot" on the USB drive that you used. To see it, in a terminal window type:

diskutil list

Step 3 - Open Time Machine preferences and click select disk. Select the TIMEMACHINE volume. Also check off the encryption checkbox to ensure that your files are protected. You will be prompted for a passphrase to use for this. Note - this is a different passphrase than is used for the user on the computer and for the wholedisk encryption you have on the hard drive.

Step 4 - Wait until the first backup is complete. Once the files are transfered for the first time the backups will be encrypted as well. This also will take some time. During these operations you can eject the disk and have it resume once the disk is reconnected. When you reconnect the encrypted disk, you will be prompted for you password.

Step 5 - Once the backup and encryption operations are complete, you should test your backup solution by rebooting the computer and holding down the Option key, then select the USB disk. The recovery wizard will walk you through the processes of restoring your computer from the recovery Volume on the USB drive.

I will update this post, when I get a chance to test out the recovery process.

Step 6 - Always remember the rule of 3 when making copies of your important data. 1 live copy, 1 backup copy, and 1 copy stored somewhere other than your other two. In this case you could get by with just periodically (weekly / monthly) backing up to the USB drive and then storing this drive in a different location.

Announcing new team member - Benoit Desforges

2011-11-21T09:20:00.001-07:00

I'm very pleased to announce that we've added another significant resource to our team. Our new advisor Benoît Desforges brings international experience and a fresh perspective on information risk management.

Prior to joining, Benoît worked for KPMG's advisory group, he holds several professional designations including CISSP, CISA, GCIH, and GAWN. When he's not teaching advanced networking courses for a local university, Benoît enjoys travel and time with his family.

Benoît will be providing our clients with security advice and building out a number of new and improved professional service offerings. He'll also be regular contributor to our blog. Congratulations Benoît!

New Trust Solutions

2011-09-01T13:11:00.000-06:00

With the all of the activity circling around SSL certs and CA trust, there is an inherent trust problem. Internet users have been taught to trust the PKI scheme that we use for all secure browsing activity. There are two very valid cases for the destruction of this trust:

1. Law-enforcement / Government interception. There are product vendors whose business model is to supply equipment to law enforcement and government clients which can "law-fully" intercept communications without the knowledge of the end-user. Example is www.packetforensics.com. Although I do not have a link (can anyone supply a corroborating link?), there are several product pages that are not publicly accessible which would likely confirm this fact. In order for these products to work, the SSL certs that are used would have to be trusted by the browser software to avoid being detected as un-trusted. I am theorizing that these certs would be generated by one of the trusted roots within the existing trust-model.

2. Compromised CAs. Both Comodo and Diginotar both purport to have been compromised resulting in the generation of certificates that can be used to emulate the trust with popular web properties. To the end user there is no easy way to differentiate between valid and invalid certs.

The impact here is that a user may think that all information is secured between them and the server, but in reality this traffic may be routed through a very-untrusted 3rd party and intercepted. We currently have no effective tool to provide information to users that any activity like this has occurred. So for the mean time we should be very vigilant about who we are communicating with, and the certificates that are used to trust their identities.

I also encourage and hope that we see some innovative solutions created that will allow users to be aware of changes to traffic patterns - indicating potential MITM, and new methods of generating trust in web-services like convergence http://convergence.io/.

Blindly Trusted Roots

2011-08-30T09:38:00.000-06:00

With both Comodo and Diginotar both having their security breached, it highlights some of the important trust issues we have on the Internet. The process of trusting these root CA's is extremely important as they serve as the foundation of protecting our information as it is transmitted across public and untrusted networks.

Both of the breaches resulted in fraudulent certifications being issued and used to impersonate high-traffic sites such as google, yahoo, skype and live dot com properties. These certificates were used to trick browsers (and users) into thinking that they were connected to a valid site, when they were not.

More importantly though is the realization that the trust in the root CA system on the Internet has been eroded. With two publicly disclosed breaches, how many undisclosed breaches have their been, and how many breaches of these CA's have not even been discovered?

While the use of fraudulent certificates on high-volume consumer sites is a big issue, the bigger issue here is the use of low-volume high-value certs to intercept financial transactions, email message systems, and other highly critical services.

My position is that we need to come up with a new paradigm for establishing trust in public/private services, and eliminate the use of old broken systems like the root CA pki's. The only issue I see is the speed with which this can happen.

Application Security - Don't Wait for the Breach

2011-06-10T09:50:00.000-06:00

The ongoing Sony saga, the Conservative Party, and now CodeMasters. High-profile breaches of data are becoming everyday occurrences. Reports like Verizon's DBIR indicate that more than 90% of these incidents would have been avoidable using basic security controls. TripleCheck offers straight-forward assessment services to ensure that you're organization is prepared to meet these challenges. Call or email us today to gain assurance over the security of your environment.

May Security Catch-up

2011-05-19T17:55:00.000-06:00

Its been much too long since my last post - Sony's PSN network has been breached a few times, a record number of vulnerabilities have been published, and the US government has released a new set of cyber space strategies.

On the cool tools and technologies there have been lots of notable releases:

Some research from Albert Cotesi New Zealand on the traffic flowing from IOS to 3rd parties, now sniffable thanks to MITMProxy, and instructions on getting it working with IOS
As always SQLmap is making life easier for the vulnerability assessor and pen-tester.
Microsoft has released an updated to the Enhanced Mitigation Experience Toolkit - I'll be looking into this over the next few weeks, and how it can be applied practically.
New major version of Backtrack also released, for those of you that are still relying upon live-cd's as a source for tools.

RSA SecurID Information Breached

2011-03-17T17:19:00.000-06:00

In a disclosure made by RSA today, they indicated that they have been breached by an "extremely sophisticated cyber attack" which has partially compromised the SecurID information which millions of clients use to provide strong authentication to services.

It is not yet clear what information was breached or what the impact will be to RSA customers, but for now I would suggest that people stay tuned to ensure that they take appropriate action based on what RSA and others release.

Update 1 - Found the recommendations made by RSA to customers regarding how to better protect their environments. I have added my comments on what these recommendations could mean to RSA.

• We recommend customers increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.

This could mean that part of the RSA breach was associated with a social media application attack vector - maybe employees reusing passwords across internal and cloud-based sites?

• We recommend customers enforce strong password and pin policies.

Could mean that the data that was compromised is related to the seed and token records kept by RSA, and with less reliance on this part of the SecurID solution, that customers must make the corresponding passwords and pins used in combination with the token more robust.

• We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.

Could mean that the attack vector was related to additional privileges assigned to RSA security administration staff.

• We recommend customers re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority. Employees should not comply with email or phone-based requests for credentials and should report any such attempts.

Could mean that social engineering was part of the attack vector, sounds very similar to the HBGary breach here.

• We recommend customers pay special attention to security around their active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.

• We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.

Could mean that users privileges were escalated as part of the attack, and that regular users were given privileges without any alerting of this fact.

• We recommend customers harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.

Critical security software could mean the RSA intellectual information or customer information. Could also refer to the infrastructure.

• We recommend customers examine their help desk practices for information leakage that could help an attacker perform a social engineering attack.

Could mean that RSA staff were pre-texted, difficult to train out-sourced helpdesks.

• We recommend customers update their security products and the operating systems hosting them with the latest patches.

Could mean that the attack vector took advantage of previously known vulnerabilities with patches available but just not applied.

Hopefully we continue to hear more about the attack.

Canada's Federal Government Targeted in "Cyberattack"

2011-02-17T08:45:00.000-07:00

A couple of news outlets are reporting that a new attack which has resulted in unauthorized access to "highly classified federal information in two key departments".

There isn't much to the story at this point, other than it appears that some lock-down of Internet services has taken place at the affected agencies, and some analyst's reports seem to point the finger at China.

The real story here is that the storyline starts "An unprecedented cyberattack..." where it would appear by the details released so far, that this is simply another routine spear-fishing attack targeting a valued target.

Some of the scarce technical details regarding the attack include:

"The hackers apparently managed to take control of computers in the offices of senior government executives as part of a scheme to steal the key passwords.."

"Canadian government cybersecurity officials immediately shut down all internet access at the Finance Department and the Treasury Board, in an attempt to stop stolen information from being sent back to the hackers over the net."

"The hackers, then posing as the federal executives, sent emails to departmental technical staffers, conning them into providing key passwords unlocking access to government networks."

"The program hunts for specific kinds of classified government information, and sends it back to the hackers over the internet"

I'll be interested and will post on the technical details of the attack when we know more, and also comment on how these types of attacks can be prevented in the first place.

The other interesting part of this, is that the federal government is not forth-coming regarding the details of the attack, the impact, or what controls are going to prevent and detect these things from happening again.

Microsoft Attack Surface Analyzer - Review

2011-01-27T12:17:00.000-07:00

As part of their involvement at the Black Hat security conference in virginia the microsoft security team has released a new beta of a tool to assist security analysts in understanding the security impacts and effects that result from installation of software that performs unknown installation features.

The Attack Surface Analyzer or ASA for short is based on a slightly dated, but still very relevant Carnegie Mellon paper on measuring attack surfaces - link. The beta product implements a few of the methodologies discussed by creating baselines of system information before and after the installation of the target software, then analyzing the differences noted and providing an analysis based on a predefined set of security properties (set by Microsoft).

This approach is not new, however Microsoft's product makes the work of baselining, analyzing and reporting extremely easy, with a easy to read browser readable report generated for the analyst.

I decided to test this tool out with software that I had not previously installed to see what kind of value this could bring to the average security analyst. The Google Cloud Connect for Microsoft Office is a new product that allows Google Apps collaboration within the Microsoft Office product suite. Shouldn't be any security impacts from this combination right?

After installing the ASA tool itself and running it from the icon installed in the Windows 7 start menu. The interface prompts the analyst to run the initial baseline scan and save the results to a .cab file.

The tool provides a progress report as it collects the information about your system. This includes all of the expected types of data that this type of comparison would use. It does take a few minutes as it includes scans of both the filesystem and registry.

With both baselines recorded now we generate a report by comparing the baseline scan with the post installation scan. This is useful as you can create multiple scans with different installation options and compare them to each other and to the original baseline to determine what changes are made.

The resulting HTML (and javascript) report provides three tabs, the first summarizing the conditions of the analysis and tombstone information regarding the versions of tools, OS, etc.

There is a tab that summarizes the details of the security issues, and includes helpful explanations of each of the issues if you aren't already familiar with them. In Google Cloud Connect's case, there were three security issues reported:

Directories With Weak ACLs - related to the use of NT SERVICE\TrustedInstaller (needs more investigation to see why this was reported)
Processes With NX Disabled - GoogleCrashHandler.exe included in the software does not use DEP security options (why not?)
Services Vulnerable To Tampering - The Google Update service that was installed is also susceptible to tampering by the NT SERVICE\TrustedInstaller account.

The Attack Surface tab describes each of the areas assessed in which changes were introduced and details regarding what changed in each area. This is the most valuable component to me as it describes the specific changes to the operating environment that resulted from the installation of the software.

In our case here is what the Google Cloud Connect software changed:

New Service - Google Update Service
New Running Processes - google crash handler and a .NET framework utility
113 New Registered COM Controls - IE mostly but controls used within the software.
3 New Internet Explorer Silent Elevation Entries / Preapproved controls - Google Update plugin - This is interesting as it looks like this gets added to the list of approved protected mode controls - more investigation needed here.
1 New TCP Port - Established outbound TCP port on 49336. This is likely the port used by the google update service and checks for updates during the install. Not sure more investigation likely here as well.
6 New Named Pipes

Overall this tool is extremely helpful in understanding the changes made to the Windows OS environment from the installation of software. It will detect things like new services being installed, such as the google update service that you might not have realized was being installed. I recommend using ASA to analyze software that you intend to install and make sure you know what you're installing and what effect different installation options have.

Business Browsing Insecurity

2011-01-20T14:43:00.000-07:00

Just finished my talk on browser insecurity for the Calgary ISACA chapter. Thank you to those who attended. The intention of the topic isn't to scare people, but to help inform those that only hear from vendor's regularly regarding the state of their controls.

Here is a link to the presentation in both pdf (with speaking notes) and the ppt formats.

PDF Presentation
PPT Presentation

If anyone wants to continue any of the discussions we had afterward please feel free to email or call me.

PCI-DSS Version 2.0 - Standard Effective

2011-01-05T13:08:00.000-07:00

If you've stayed connected to the PCI-DSS world, you'll know that version 2.0 of the standard was released late last year. As of January 1st, 2011 stage 2 has begun, which means the standard becomes effective. Which unfortunately only means that stakeholders (merchants, processors, etc) should start using the new standard and not the old, not that the standard provides effective security (that would be nice if you could just announce that kind of thing). Here is a link to the standard's lifecycle to make this more clear.

Keep in mind that you can still use the old standard for compliance reporting for 14 months, but if the new standard is available, its likely a good idea to get a handle on the changes and how they'll affect your compliance program.

Encryption Fails - Embedded SSL Keys - PS3 root keys

2011-01-03T10:50:00.000-07:00

A couple of noteworthy failures in the implementations of encryption.

The littleblackbox project over at google code aims to provide a list of all of the private keys embedded into device firmware by vendors that are too lazy to create unique private keys for devices. This includes consumer devices, some commercial devices, basically anything that has a private key embedded in common firmware shipped with the device. Once you have the private keys you can then decrypt future communications from the devices (read: admin interface traffic, SSL vpn session negotiation, etc).

This affects lots of products and software including many of the popular dd-wrt devices.

Want to add to the list of recognized private keys, simply download the binwalk tool and feed it a firmware file from your device.

It also appears that the root encryption key from Sony's PS3 game console has been discovered and posted by Geohot on his site. Here is a video from fail0verflow's explanation of the weaknesses in the PS3 security model.

Google's Michael Z Releases a Contentious New Tool - cross_fuzz

2011-01-03T09:42:00.000-07:00

Lcamtuf or Michael Zalewski has released a tool to test browsers for security issues by parsing the DOM object model, injecting values into a large number of objects, and triggering garbage collection by destroying the created objects. A more detailed explanation of the tool and how it works can be found here:

http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html

The interesting part is that Microsoft had previously asked to have the tool's release delayed due to an un-patched vulnerability discovered in the IE browser, exploitable on XP. Michael declined to delay the release stating that he had reason to believe that possibly nefarious individuals were aware of the bug, and may be exploiting it in the wild.

Some commentary over at Slashdot here

Interesting start to 2011!

Protection and Response to User Account Leaks

2010-12-13T10:33:00.000-07:00

Today it is being widely published that Gawker media has had their entire databased of user accounts and passwords (DES encrypted) leaked to the public. Although this event may have been limited to those with user accounts on Gawker properties, imagine this happening on a major service like google, hotmail, or your bank.

The two most significant impacts to most people are:

1) Gaining access to the Gawker services exposed. Once the encryption is brute forced on the password data it is possible for someone to directly login to the service as you.

2) Reuse of passwords on other services. Because humans are creatures of habit, we tend to reuse usernames and passwords across services, so if someone can find your email address and password, they can attempt to login to other services as you as well.

This provides an opportunity to reflect on methods of preventing and responding to these types of events.

Response - Although it appears to be a good idea to change the password on the affect service account immediately, one of the serious issues with this is that the systems on which you are changing the password may be compromised which would lead to the attacker knowing the new password.

Also, if you are the security manager for an organization, get a copy of the dumped account information and find out if you have any affected users. Do a search for your company name / domain name, and/or search for hashes of email addresses.

Prevention - IMPORTANT - stop using the same passwords across systems. Although this is an inconvenience, using different passwords across services will prevent someone from using a compromised password on other services. Come up with a scheme that works for you to create unique passwords for different services that you can remember.

Use strong passwords. There are great strong password generators that you can use to come up with good passwords.

Change your passwords occasionally. Once a year will prevent really stale passwords from being compromised and used, plus it will keep you exercising your brain to remember new passwords.

Use multifactor authentication where possible. Google and others have made it easy to implement two factor authentication using things like smart phones, SMS, public phones, etc. These are easy to implement and makes a password compromise a non-event.

Google Application Security Info

2010-11-23T16:25:00.000-07:00

I've covered this before, but google's team has done a fantastic job of promoting improved application security practices. The gruyere (http://google-gruyere.appspot.com/) is a set of application security training activities focused on educating developers on how to identify and respond to application security issues using a real application. For those with no budget for security training, this is perfect!

Security Updates - Monday October 18th

2010-10-18T10:16:00.000-06:00

Its been close to a month since my last post. Here is a quick list of a few things that are worth mentioning in the security business today;

Advanced Evasion Techniques - StoneSoft and ICSA labs identifying and testing some new network security evasion techniques. Looks like there is some substance here, as tweets are starting from a few credible sources. Link - beware this looks like it might just be vendor FUD!

HDMoore and metasploit release a new version of the wiki, and metasploit unleashed. This is a great resource for anyone needing an intro to pentesting using the framework. Link

Social Engineering Toolkit or SET has been updated with a few notables including new functionality for the teensy - the hardware based HID attack vector. Link

The 2010 Verizon PCI-DSS report has been released. Link

.NET Security Issues - Crypto Attack PoC

2010-09-19T15:57:00.000-06:00

There has been some news regarding the latest .NET attack, which exposes some of the oracle padding issues related to some of the tokens used by .NET applications. Some people have been downplaying the issues saying that these are only theoretical attacks, now researchers have posted a very practical demonstration of the attack on dotnetnuke. Enjoy!

Adobe 0-day Weaponization

2010-09-09T10:42:00.000-06:00

So, it used to take at least some time before published 0-day vulnerabilities were weaponized into malicious trojans and other exploit code. Now it appears that they time to develop exploit modules is extremely limited, and possibly in some cases prepared before public release.

As referenced in the slashdot story an Adobe spokesman described that the situation could change with the availability of the public samples and exploit code. I think these types of advisories should be changed to "..the situation has changed, exploit code certainly already exists and has been used privately for some time.."