Category Archives: Opinion

Do as I say, not as I do. RSA, Bit9, Adobe, and others…

Posted on by
Reply

So you thought you had everything nailed down. You might have even gone past the “best practice” (which would have driven you to compliance, and your security to the gutter), and focused on protecting your assets by applying the right controls in a risk-focused way.

You had your processes, technologies, and logs all figured out.

But you still got owned. Want to know why? Because you are still a little naïve.

You put your trust in big name vendors that preached for you to get your stuff together. You listened to them, were convinced by their pitch, and you might have even put their products through rigorous testing to make sure they deliver. But you forgot one thing. Big ticket vendors are no much different from a zealot church.

They will preach, and guide you through to the righteous passage. But when you look behind the curtain, well, you know what I mean…

The latest Bit9 compromise isn’t that surprising. Bit9′s customers are obviously very security aware as they opted to use a whitelisting product to protect their computing assets. As such, these customers are most probably high value targets to adversaries. It also means that with such an awareness to security, these customers probably have more measures and practices to mitigate and protect themselves from attackers. That means, that if I were to scope such a target for an attack, I would have focused on supply chain elements that were weaker than the target itself (much like the way we teach at out Red-Team Testing classes…).

RSA was such a target. Adobe is a similar one. Bit9 just was for some of its customers.

Color me surprised.

And yes – if you are a vendor that gloats over the latest compromise – please don’t. If you haven’t gone through a similar threat model your products are either not good enough (hence your customers aren’t high value targets. How does that make you feel now?), or your own security isn’t up to speed and you haven’t realized you have been breached yet. Now go clean your own mess.

If you are a security consumer (hence – care a bit more for your information than just getting compliant and tabling it), make sure not to make any assumptions about your providers. Especially about your providers. They aren’t the target. You are. As such, they are the vehicle, and they have a more generalized security practice than yours. Account for it in your security strategy, and never fully trust anything outside of your control span. It is your responsibility to hold them to at least their own standard, and demand oversight and proof that they do so.

Phishing/Threatening done wrong

Posted on by
Reply

It’s been a long time since I posted here since life and work really got in the way (in a very good way!) to publishing here. But I just had to share this as it has some relevance to security…

So, woke up this morning to an email claiming to be from FARC (yes – the Colombian militant underground rebel thingy).
In preparation to our visit to Colombia next week, they welcome us “experts” and expect us to cooperate with them and help them. Something about being passed a note with a phone number when going through immigration, and calling them to coordinate a meeting. Sprinkled with a little threat that if we choose to ignore it, we are considered cooperating and supporting of the government and as such we are a target.

Now, I won’t go through all the mistakes, but seriously?

First – using a stupid “fake mailer” domain to send it (emkei.cz), is just very low.

Second – the attached PDF has no exploits, no trojans, nothing. At least TRY to humor me.

Last – come on, all of the speakers are “foreign”. None of us really speaks/reads spanish that well. Putting a note “Whether you need translation go google” at the top isn’t really showing a lot of investment from your end. The least you could do is get someone who speaks English to help you a bit.

I mean – this is what I do for a living. Next time – ping me before so we can at least get a decent domain, set up a nice mail service on it, get some content on it, generate some plausible background data, something…
Although we won’t have the red-team class next week, I highly suggest whoever tried this to spring up the money and fly to The Hague for the NCSC  Conference in January for our red-team class.
I personally promise free drinks from Chris Nickerson and myself if you can prove that you sent the email. And you know what – the class is on me. Just show up! :-)
Here’s the PDF if you are so inclined to have a laugh: Invitacion_FARC-EP
Update – December 1st, 2012: The Colombia National Police and Ministry of Defense have issued a letter stating that after investigating the issue, and working with the intelligence group, they have reached the same conclusion – this is NOT a letter that FARC has produced (duh – FARC would have done a much better job!), and is a fake. There is obviously no risk to the recipients of the letter. See you all in Colombia in a couple of days!
Update – December 10th, 2012: Well, we obviously made it back. No one handing any of us a piece of paper at the airport (and I’ve been through two, and trust me I tried ;-) ). No one threatening, or suggesting we should work for them (other than a great business dinner we had). Overall, this is the stuff that hoaxes and prejudice are made of. I guess that for laypersons this would be a big deterrent to showing up in a country that had its name smeared as much over a long time. For someone who has already experienced Colombia and knows something about security – not so much.
Just as an anecdote – attaching the letter that the national police has sent the organizers following the threat.
Oh, by the way – no one owned up to sending the letter so far, our invitation is still open for the Red-Team Training in January. You guys really need it, so here’s our community outreach to help out :-)

Ambulance chasing or DNA research?

Posted on by
Reply

I am fortunate enough that some of the new topics that I have discusd lately have generated interest in the community and the industry. As such, there are obviously  voices that do not agree with the approach (I still like to call is SexyDefense, although the more adult part of me agreed to SDES – Strategic Defense Execution Standard).

More pointedly – there is the argument of “what would an offensive player know about defense”, and “defense is hard, we’ve done it [for our customers] forever, and people are fairly happy”. I’d like to tackle these two head on:
Yes, I’m mostly an offensive security person. I cannot deny my passion for Red-Teaming (heck – I’m good at it, and I enjoy it. Deal with it), nor my past research on finding issues with systems and organizations. Nevertheless, as we all know – practicing offensive security is done in order to boost defenses. Its main role is to find flaws in the defensive mechanisms and then amend them. Here comes the tricky part – amending them is also something that I do. I know, a shocker! But fortunately I’ve had a chance to work not only with small businesses, enterprises, and F-100 companies, but also with nation states and multi-national organizations… So yes – I know how hard defense is, and I have also practiced it and can say that I actually enjoyed it – especially since I was able to “sign off” of some great improvements in the defensive posture of such organizations. Last but not least – guess what happens after a Red-Team engagement is over? Right – a long, hard look at the systematic failures and vulnerabilities of the organization. And how to fix them, and how to prepare for another attack such as the one that the res-team simulated. (reality reminder – red-team is essentially adversarial modeling – probably the only true test of how an ACTUAL attack is going to look like on your organization. And guess what? It doesn’t look like a Nessus scan or a Metasploit autopwn…).

Second – yes, defense is hard. And this “newfangled” approach is something that has not only been tested in the real world, but it also makes sense <gasp>. Our old approaches of detection and “prevention”, using the same old tools (spell Anti-Virus, Firewall, Intrusion Detection/Prevention, DLP, and what-not) are not working. Let me say that again:

It’s not working!

Why? Simply – we keep chasing our tails with the same old issues. We are really good at Incident Response (some of us are making a nice chunk of money off it), but we really suck at actually improving the security posture over time. Hence my reference to ambulance chasing (i.e. incident response), vs. DNA research (actually changing the defensive strategy and posture to cut the number of incidents).

Personally – I have enjoyed some really tricky incident response engagements that challenged me and my customers (and sometimes led to the satisfying “gotcha” moment when coordinated with LE). Nevertheless, organizations do not really learn from such incidents. They have a short memory span, and get back to their old “look at the blinky lights on the firewall appliance” approach. However, changing the DNA is something waaay more interesting and rewarding. And that’s what we are trying to do here folks…

So – are you going to stay an ambulance chaser and keep rejecting the idea that your revenue stream may be affected if organizations take defensive security more seriously, or are you going to help the change and actually make an impact?

Apple, meet GPG, GPG, meet Apple.

Posted on by
4

Why is it so f&^#ing difficult to get this right? I’m looking at you “recently identified as the most valuable public company” – Apple!

The guys at GPGTools are doing some fantastic work in bringing a comprehensive GPG implementation into Mac OS X, and Apple seem to not only ignore the need for such an important tool, but consistently screw things up with Mail such that every new OS X update the  GPGMail plugin is rendered useless.

As a longtime supporter for gpgtools, and a longtime user of Apple products (sans the funky iPhone of course), I urge you – get this thing fixed.

And now – as I usually tell people who just rant and not offer any advice – how to somehow get things working:

The current solution for having a decent PGP experience on Mac OS X (and please – correct me if you have anything better/easier than this) is to do he following:

  1. Install Thunderbird. This is required as Apple’s Mail won’t work with any encryption plugins (that I know of) to handle PGP/GPG encrypted/signed emails.
  2. Install Enigmail. This is a “just works” plugin for Thunderbird to handle GPG. It simply just works. No hassle, great default config, recipient rules, the works…
  3. Install DavMail. This is a tricky one – it basically provides a local proxy for Microsoft’s OWA and “translates” it into IMAP/POP3/SMTP. The tricky part is that the application is not yet “signed” by the developer, and on Mac OS X 10.8.1 it simply won’t run in the default configuration (you’ll get a prompt to literally throw the application to the trash because it failed to start). Initially I just though botched download, but then realized that it’s got to do with Apple’s new gatekeeper… You’ll have to change the security settings to allow applications that were downloaded from _ANYWHERE_ to run (as opposed to application from the AppStore and “identified developers”): System Preferences -> Security and Privacy -> General.

It sounds like a kludge, and it is. But for now it works. At least until gpgtools manage to get enough support to have a version that works on Mountain Lion, or until Apple wakes up and start working with these guys and finally integrate it natively into the OS X Mail client.

Vegas 2012 by the Numbers

Posted on by
1

So, I’m finally back from a very long week in Vegas. How long you ask? well, here are some numbers that start to reflect how it felt:

  • Number of days in Vegas: 6+1 (un-planned extra day due to a missed flight)
  • Number of conferences attended: 3.5 (BlackHat, BSidesLV, Defcon, and IOAsis counts as a 1/2 con…)
  • Number of talks given: 2 (in the same day… BlackHat + BSidesLV)
  • Number of shipments to my room at Caesars: 3 (shirts, phone, and locks which ended up unused due to my failure to run the lockpick sessions at IOAsis :-( )
  • Volunteer gigs: 2 (BSidesLV and Skytalks)
  • Average hours of sleep per night: 3 (and that’s really stretching it)
  • Number of nights I went to sleep after sunrise: 2
  • Average number of parties visited per night: 3 (Freakshow skewed the numbers as there was NO reason to leave that place…)
  • No. of phones I came in with: 1
  • No. of phones I left with: 3 (Thank you NinjaTel!)
  • Average no. of meals per day: 1 (I know… but Alcohol does not count as food unfortunately)
  • Gallons of booze consumed: probably illegal in some states.
  • No of friends I caught up with: not enough. And the ones I did manage to catch up with needed much more time :-(
  • Hangovers: 0 (keep drinking -> no hangover to deal with…)
  • Workouts: 2
  • Miles walked: waaaaay too many
  • Weight lost/gain: 3.5lbs lost. Guess that’s the result of adrenaline rushes, parties, Infected Mushroom, long walks in the hallways, not much food, and lots of alcohol.

Overall this was personally the best Vegas trip I’ve had. I did take up a little too much on myself that I should have (as a couple fo friends duly noted, and excused me for some fuckups due to that), and I wanted to meet so many more people that I managed to somehow miss this year.

Nevertheless, some of the experiences were priceless – like having a chat with Infected Mushroom and finding out that Erez used to run a BBS back in the days, and that (although I don’t like to mention my darker days of hacking) we “knew” the same scenes. Having the opportunity to help out with BSidesLV and being amazed again by our community and what it can achieve. Being inspired by so many people, and learning constantly. These are the things that really make up the week of BlackHat/BSides/Defcon for me. It’s not necessarily the talks, but the socializing and the opportunity to pick people’s brains on a personal basis which makes it worthwhile to get to the levels of exhaustion that this week takes you to.

Guess it’s time to wrap up and figure out what timezone my body is on…

Security Awareness and Security Context – Aitel and Krypt3ia are both wrong?

Posted on by
6

It was pretty obvious that after an Information Security persona such as Dave Aitel has posted his “Why you shouldn’t train employees for security awareness” article, there would be a lot of flak from the industry. A lot has been said about training employees to be somewhat more savvy users when dealing with corporate equipment and data (i.e. “stop clicking shit”). And even one of my favorite and outspoken Information Security personal had a great rebuttal on the matter – Krypt3ia’s “Throwing out the baby with the bathwater: Dave Aitel’s approach to INFOSEC“.

While I really appreciate both opinions, and while Dave’s might have been a little self-serving (aren’t all of our statements online?), I find myself in a very “Zen” place – saying, yes – you are both right, and wrong at the same time.

Krypt3ia points out that dismissing the human factor is going to lead to failures beyond what we can imagine as an industry. The reason here lies back in the fact that when we approach “Information Security” we focus too much on the “Information” part, and less on the more holistic meaning of the “Security” part. Trying to solve infosec issues through technological means is a guaranteed recipe for failure. No one, no technology, or software can account for every threat scenario possible, and this is exactly why we layer our defenses. And layering shouldn’t just be done from a network or software perspective – security layers also include access control, monitoring, tracking, analysis, and yes – human awareness. Without the human factor you are doomed. And that’s a personal promise from someone who’s been abusing the lack of layering and dismissal of such human factor for quite some time now running red-team engagements with high-profile, high-security clients (see – I can be self-serving too!).

On the other hand, Dave is also right – you can’t just throw everything on the employee and expect them to magically turn into “APT detectors” just because they clicked through some CBT program for a few minutes (or hours for that matter). You have to get the basics first, and Dave’s list is just as good as anyone else’s:

  • Audit periphery
  • Perimeter defense and monitoring
  • Isolate & protect critical data
  • Network segmentation
  • Access creep
  • Incident response
  • Strong security leadership

In no particular order, one should establish a consistent and solid implementation of all of these aspects for their organization.

Having said that, saying that employee awareness should be out of this list is where Dave went a little too far. Strong security leadership, access creep, and data protection are not technical feats by themselves. These are exactly the areas where employee awareness turns what could be useless (but very expensive) pieces of software or appliances to something that would actually work under an attack on your information assets. The point is not to _divert_ the spending on awareness, but to _combine_ them into your security strategy.

Which brings me back to my first (and only) point – stop thinking of information security as an industry of blinkenlights and snazzy software solutions. It’s about hacking, and hacking as we all know never stops at gadgets and code. Think of information security like an ATTACKER. Think about _their_ scope, and realize how your organization looks from that perspective. Now, take your budget and spend it on the areas where attackers could have compromised your informational integrity (HEY! Don’t touch that Nessus scan result! I told you to THINK goddamnit!).

And with that, I’ll leave you to your wonderful weekend before Vegas (one last self-serving statement – go check out “Sexy Defense” if you are really interested in an effective defensive strategy that goes beyond blogging and writing articles :-) ).

Happy hacking!

 

So you thought you were protected: How hackers can break into your business

Posted on by
Reply

This is a translation of the original article published in Calcalist on May 20th 2012.

 

A group of professional hackers, employed by the most sensitive organizations to detect security breaches, are showing how to gain access to critical information, or take down the power for a whole city – and what is needed in order to protect from such attacks.

If you believe hollywood, breaking into computers or networks is the easiest thing in the world. The hacker just sits in front of the keyboard, types in a few commands, and immediately finds itself in a top-secret database. In reality, it is naturally a more complicated affair: the hacker can’t break into a secure network in a couple of minutes, and not always without leaving the keyboard. He needs to gather intelligence, plan, go out and talk to people. A real hacker is essentiality a detective, a spy, and a bit of an actor.

In this article, in cooperation with experts from Security Art, among which Yoram Golandsky the CEO, and Iftach Ian Amit the Vice President of Consulting, we present the true work of hackers, and detail how a real breach into a secure computer network is performed. Security Art’s employees are hackers for hire – computer security professionals, who get hired by companies in order to break into their own networks and expose their security flaws.

The scenarios that we built here are based on actual attacks performed by Security Art (all client names have been dropped for confidentiality reasons). Others are probability scenarios – such that are based on the knowledge of Security Art’s experts about computer networks, the protections used in them, and their proven ability to manipulate and circumvent them.

The information brought here is not considered secret or as a mean to provide hackers with tools. It has already been published publicly in conferences, and is considered domain knowledge among security experts and hackers, and in any case is not detailed enough to be used maliciously. One thing this guide does show: with enough knowledge, determination and sophistication, there is no computer network or database that is fully protected from computer attackers. Not even a biometric database in which millions of shekels have been invested.

The Phish

The target: infiltrating into an internal communication network of a company.

  1. Intelligence gathering: For weeks, the attacker gathers relevant information on the company and its employees. Identifying employees through social networks such as LinkedIn and Facebook, building detailed profiles on them (from email addresses to hobbies). From such information the attacker identifies that in the near future a trade conference will be attended by some of the company’s employees.
  2. The bait: The attacker builds a site similar to the one used by the conference. The domain used for the fake site is very similar to the real one (for example – aclc.com instead of adc.com). An email from the fake domain is sent to the employees that have been identified as relevant to the conference, inviting them to visit the conference website for updates (while using the phishing domain).
  3. The catch: A few minutes after the email is sent, one of the employees clicks on the link provided in it, and browses to the phishing site. In the fake site, embedded attack code runs, and scans the employees computer for vulnerabilities.
  4. The infiltration: The attack code identified a vulnerability in the employee’s browser, exploits it, and run a trojan application on it. This provides the attacker full control over the PC, without the employee ever taking note.
  5. Data exfiltration: The attacker can track every activity performed on the PC – from keystrokes, through full access to any resource the user has privilege to on the network. The information includes contracts, development plans, strategic documents, confidential business communications with customers, and even encryption keys that provide access to encrypted data.
  6. Expanding the breach: The attacker enjoys the same privileges of the employee’s compromised PC – financial systems, internal operational systems, file servers. Even when the employee has limited access, the attacker can leverage the initial privileges in order to get to restricted resources – by compromising the company’s main server.

How to prevent the breach: The company must equip itself with more advanced (adequate) technical means to filter content and separate the internal resources; educating and training the employees about safe browsing and use of the Internet; self tracking of the organization’s intelligence profile on the Internet.

 

Smartphone spying

The target: Abusing the capabilities of smartphones, or when the company’s network is well protected.

  1. Intelligence gathering: First, the brand and model of the smartphones used by the company is identified, as well as which employees use them with their business email. Then, a traveling employee is located and targeted using his business email – which will be opened on the smartphone.
  2. The trap: A malicious email containing an infected PDF file is sent to the employee. The PDF will install a trojan on the smartphone once opened. The trojan runs persistently on the phone, while mapping all the networks the phone is connected to (WiFi, 3/4G, etc). Additionally, it provides full access to all the information stored on the smartphone, as well as to the interesting features of it such as location services, opening up the microphone and camera in order to stream audio and video back to the attacker.
  3. The spying: The location services feature enables the attacker to pinpoint the user to a specific location, and turn on the microphone and camera when inside the company offices. The calendar is used to identify important meetings, in which the microphone and camera will be turned on again. The result: access to classified information, which includes personal and professional conversations, which may not even exist on the company network.
  4. Everybody’s network: If the employee connects the smartphone to the company’s WiFi, such a connection can enable the attacker to infiltrate it, while easily bypassing most protections that exist towards the official Internet perimeter. Even if the internal network is separate from the WiFi network, such access is still valuable, as other company PCs are connected to it, and can be targeted and breached (for example – during meetings in which employees bring their laptops to and connect to the WiFi in the meeting room). Even more dangerous: when an employee visits other companies (clients) and connects to their wireless networks, while exposing them to further attacks.

How to prevent the breach: Employees can be supplied with company issues phones, which have been hardened and secured. Alternatively, advanced security modules can be installed on employee owned phones. Furthermore, a proactive approach is required in monitoring and mapping the internal network for anomalies.

 

Installing spy software using a flash drive

The target: A defense contractor’s internal network, which is physically separate from the external networks.

  1. Intelligence gathering: Much like the first phase of the first scenario. In this case the target is to understand in which internal network the interesting information resides.
    For establishing a baseline of how the organization works, full mapping of both personnel as well as physical locations of the organization is performed. Based on the professional background of specific employees published in sites such as LinkedIn, employees can be mapped to which products they work on, and in which divisions. Location services such as FourSquare enable associating physical locations to the employee’s profile – thus revealing the actual office in which the secure network operates in.
    In a specific attack which Security Art’s employees performed, a call was made to the office that was targeted. In order to verify the targeted employee’s details, the attacker impersonated another company employee (“it’s easiest to claim you are from marketing, then you have a good enough excuse for your ignorance…”), talked to the development team lead, and corroborated the information gathered so far. Additionally, the attacker managed to identify that there was an internal voice over IP network in use – which could be leveraged later to exfiltrate the sensitive data.
  2. The con: The attacker arrives at the targeted office, bearing a branded USB thumb drive. He hands it over to the receptionist, claiming: “I just found this outside, I think someone from this office dropped it, let’s plug it in and see who’s is it!”. The unsuspecting receptionist plugs the thumb drive into the PC and opens up the files on it. Another alternative for the drop is to leave the thumb drive at the cafeteria, or to hand it over to an employee that’s about to enter the building.
  3. The infection: Once the drive is plugged in, a malicious code runs and installs a trojan. The trojan maps the internal network, locates the relevant data, and encodes it into audio signals.
  4. The call: The trojan maps the voice over IP network and impersonates a handset to initiate a call to the attacker’s voicemail outside the organization. It then “plays” the encoded audio signals from the previous phase. Now the attacker can download the voicemail, decode the audio signals back into binary data, and access the sensitive information.
  5. Command and control: The attacker can further furnish the trojan to call into a conference call number and stay connected to it. In such a scenario, the attacker can join into the conference call anytime, and send simple instructions to the trojans connected to it using the DTMF tones generated by the phone handset.

Hot to prevent the breach: The company should block the option to connect external devices to the organization PCs. Additionally, monitoring of the VoIP network is critical in order to find suspicious activities.

 

Powering off a city

The target: attacking the power supply infrastructure of vast regions by taking over smart meters that use cellular communications.

  1. Intelligence gathering: Smart meters are in a pilot phase in Israel. Several suppliers participate in this pilot. The attacker gathers intelligence on the suppliers, and tries to identify vulnerabilities in the produce that are being tested.
  2. Stealing the data: The attacker uses specialized equipment to set up a cell tower, which impersonates a legitimate cell provider’s tower. It then causes the smart meter to “trust” it, and communicate through it. Now the attacker has full access to the data gathered from the smart meters, and change it before passing it along to the electric company monitoring and operations center.
  3. The hit: Using the information gathered, the attacker can damage the production systems: by falsely reporting a higher or lower utilization than the actual one, the production rate will be modified, causing rolling blackouts through extensive regions.

How to prevent the breach: monitoring critical points in the smart meter system, and having dual checks and controls over any information that is related to production and usage.