Memories of an Incident Handler: “email Man in the Middle”

Some time ago I had the chance to handle a fraud incident that used a technique based on the classic Man in the Middle, with the unusual twist that the attack was not carried out at the network or transport layer but at the application layer, more specifically over email. The case was as follows …

The company “A” used to make major purchases of raw materials from suppliers established in other countries. To begin the transaction, company “A” was asked for an initial payment, and when the order was entirely at their facilities, before delivery, company “A” paid the remaining amount.

All these transactions and arrangements were made by email, in which both parties discussed the quantities requested, shipping status, prices and the bank accounts for the transfers. Notably, the staff of company “A” were used to working this way and managed dozens of orders with suppliers from various countries around the world.

In one of the email exchanges with an Asian supplier, right in the middle of a thread of replies (the typical n+1 “Re:” subject), the employee of company “A” received an email from an address with the same user name as the one he usually wrote to, but with a Yahoo! domain. This address was huyin@yahoo.com. That is:

The body of the mail addressed to the employee of “A” from huyin@yahoo.com contained the whole content of the previous email conversation, and urged him (the company “A” employee) to change the contact email from huyin@companyA.com to huyin@yahoo.com. The attacker claimed to have problems with the corporate email and to be forced to use a personal account.

This request did not raise any alarm, as the employee could see the whole previous conversation in the email, and the sender knew details of the activities and dealings carried out. The attacker then requested a change of the bank account to which company “A” had to make the transfer. The employee initially had doubts, but finally accepted and transferred the remaining amount of the operation. This transfer was needed in order to collect the remaining material. When the company “A” employee asked the attacker for the paperwork required to collect the material, the attacker not only agreed, but also asked for the advance payment of another order.

Shocked, the company “A” employee phoned the supplier, who knew nothing about the email from Yahoo!, nor about any payment having been received. Moreover, the supplier showed him several emails sent from an address “employeeA@yahoo.es”, which of course the employee of “A” had never written. These emails showed that the supplier had been misled with the same trick: he had been asked to use a new contact address, thus completing a perfect man in the middle via email.

The attacker, who had access to the outsourced email server of company “A”, went through mailboxes until finding one with some responsibility in purchasing matters. From that point on the attacker just had to get in the way of the communication by telling the employee of “A” to use a new email address under the attacker's control, and the same to the supplier. In this way, all emails that were not important to the attacker were simply forwarded, while waiting for the billing and transfer phase, when the attacker stepped in and introduced his/her own bank account.

During the investigation it was found that the scammers used a TOR-like network located in Nigeria to consult the Yahoo! webmail accounts they had created. We identified over 100 different IPs, all geolocated in Lagos (Nigeria). Here is a small sample in case you find them in your logs. I hope you don’t …

  • 41.138.180.104: Nigeria (Lagos)
  • 41.138.191.3: Nigeria (Lagos)
  • 41.71.172.3: Nigeria (Lagos)
  • 41.71.176.164: Nigeria (Lagos)
  • 41.138.181.105: Nigeria (Lagos)
  • 41.71.150.227: Nigeria (Lagos)
  • 41.138.172.30: Nigeria (Lagos)
  • 41.71.178.215: Nigeria (Lagos)
  • 41.71.171.78: Nigeria (Lagos)

We are aware that these scams are being carried out against other companies, so watch your mail server closely, especially if it is outsourced to large service providers that offer incredibly cheap prices but do not take the security of customer data seriously.
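The pattern in this case, a known correspondent reappearing mid-thread under the same user name at a public webmail domain, is simple to flag in a mail pipeline. The script below is an added example, not code from the original post: the thread is constructed, only huyin@companyA.com and huyin@yahoo.com come from the story, and the buyer address employeeA@example.com and the webmail domain list are assumptions.

```python
"""Flag a mid-thread sender-address switch like the one in the story above.

Added example, not code from the original post. The thread below is constructed;
only huyin@companyA.com and huyin@yahoo.com come from the story, the buyer's
address employeeA@example.com is an assumption.
"""
from email import message_from_string
from email.utils import parseaddr

# Public webmail domains where anyone can register a look-alike mailbox
# (assumption: extend with the providers seen in your own mail flow).
FREEMAIL_DOMAINS = {"yahoo.com", "yahoo.es", "gmail.com", "hotmail.com", "outlook.com"}

THREAD = [  # constructed sample, oldest message first
    "From: Hu Yin <huyin@companyA.com>\nTo: employeeA@example.com\n"
    "Subject: Order 4711\n\nPrices and quantities attached.\n",
    "From: employeeA@example.com\nTo: huyin@companyA.com\n"
    "Subject: Re: Order 4711\n\nFirst payment sent.\n",
    "From: Hu Yin <huyin@companyA.com>\nTo: employeeA@example.com\n"
    "Subject: Re: Re: Order 4711\n\nGoods are at our facilities.\n",
    "From: Hu Yin <huyin@yahoo.com>\nReply-To: huyin@yahoo.com\n"
    "To: employeeA@example.com\nSubject: Re: Re: Re: Order 4711\n\n"
    "Problems with the corporate mail, please use this address and the new bank account.\n",
]


def split_address(header_value):
    """Return (local_part, domain), lower-cased, from a From:/Reply-To: value."""
    _, addr = parseaddr(header_value or "")
    local, _, domain = addr.lower().partition("@")
    return local, domain


def audit_thread(raw_messages):
    """Walk a thread oldest-first and return a list of alert strings.

    Each correspondent is identified by the local part of the address; the domain
    seen first for that local part is taken as the legitimate one for the thread.
    """
    known = {}   # local part -> domain first seen
    alerts = []
    for index, raw in enumerate(raw_messages, start=1):
        msg = message_from_string(raw)
        local, domain = split_address(msg.get("From"))
        if not local:
            continue
        first_domain = known.setdefault(local, domain)
        if domain != first_domain:
            alerts.append(f"msg {index}: '{local}' switched from {first_domain} to {domain}")
            if domain in FREEMAIL_DOMAINS:
                alerts.append(f"msg {index}: {domain} is a public webmail provider")
        # A Reply-To pointing elsewhere is the other way to steer the thread
        # into a mailbox the apparent sender does not own.
        _, reply_domain = split_address(msg.get("Reply-To"))
        if reply_domain and reply_domain != domain:
            alerts.append(f"msg {index}: Reply-To domain {reply_domain} differs from From domain {domain}")
    return alerts


if __name__ == "__main__":
    for line in audit_thread(THREAD):
        print(line)
```

The same check belongs in the human process too: a change of contact address or bank account announced by email is confirmed over a channel the email thread did not establish, such as the phone number already on file.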

Industrial Control Technologies Cybersecurity. Time to wake up.

Sometimes one has to make an effort to balance opposing feelings. This has been the case since I started working on cybersecurity issues. I have devoted much of my career to the design and construction of public infrastructures, mainly water treatment plants. As an engineer I was in charge of designing industrial processes and their associated control systems: physical processes, electrical wiring diagrams (power and control), network architectures and control components, etc. In short, the process and its associated SCADA systems. I‘d like to think I did a good job.

I have witnessed the evolution these systems have undergone in recent years, which could be exemplified by something iconic: the end of traditional control panels with their red and green lights and analog gauges. I remember when I saw, for the first time, one of those old fashioned panels replaced by a 42” screen, nearly as big as they came in those days: an amazing thing to see, for sure. Now, surrounded by computer engineers, it feels like swallowing the celebrated ‘The Matrix’ red pill. From my new assignment, I can see in a new light those times in which we engineers adopted all that computer technology with a kind of ‘Victorian era’ faith in progress. It’s hard to explain how it feels to realize that, in most cases, we’ve been building castles on sand foundations. I’m becoming aware of the situation as we find more and more equipment and control systems exposed to the Internet without minimal security measures. I’m not kidding you. I’ve seen them. It is a terrifying moment when you fully understand that you have in your hands the power to completely stop a factory’s manufacturing process from your very desk (real case). But who can be blamed for not stopping at a red light when one has never seen a traffic light?

Now it is time to wake up. The threat looming over thousands of systems is just too real and no excuses are allowed. Nevertheless, in most cases, the first reaction is denial or disbelief. It is easy to understand, since attack mechanisms are, in most cases, almost unthinkable for those in charge of these facilities. So, where to start? Here are some tips for my fellow engineers working in the field. They may be repeated like a mantra every morning:

1. The risk is real. Yes, also to me.
2. Maybe I can’t think of any reason for an attacker to aim at us. Never mind. It’s not my reasons that matter, but his.
3. The size of my organization or system won’t help me, even less so compared to others. If my system is attacked I will sustain 100% damage, irrespective of my size.
4. In these cases it is worth remembering the joke about the two guys running away from an angry bear. One of them puts on his footwear in order to run faster. The other guy regards it as useless, deeming it impossible to outrun the animal. Then the first guy states: “I do not want to outrun the bear, but to outrun you.” Our first goal is not to be the easiest target on the shooting range.
5. Asking questions is a good first step. Start with this: What is the current status of my system?
6. Finally, remember: we are all responsible, in varying degrees, for the cybersecurity of the systems we work on. Think of what you do, but also of what you don’t.

Don’t keep waiting for the first blow to come. In the words of Bob Marley: ‘Wake up, stand up …

Cybersecurity policy for digital homes

It sounds like something belonging to companies and executives, but no, not this time. This time we talk about the computer systems and technology that are growing in many of our homes. We are making some progress. Spain and European countries in general have a very high level of ICT penetration, whilst many Latin American countries, such as Colombia, Mexico, Chile or Perú among others, are advancing a lot.

Increasingly we have more sophisticated equipment at home, with dozens of IP devices (TVs, game consoles, computers, routers, tablets, smartphones, etc.) that take a lot of time to maintain, and protecting the assets of our homes means protecting our information, our life. I have to take into account: my daughters’ Tuenti (note: the most used social network among Spanish youngsters), my wife’s Facebook, my bank accounts, the digital photos taken with my great reflex camera that, no longer having to be taken to a photo shop to be developed, can have any kind of content, my daughter’s list of friends even with geotagged photos, the access to that little IP camera I installed to keep watch when I’m not at home, and a long list of additional systems that for us and our families are confidential personal information and even family critical infrastructure…

If we go further, in a few years we will see video entry systems with advanced functions that integrate home automation and can, for example, turn off the lights remotely and even open the door without us physically at home.

Given this, the truth is that we parents have little help when protecting our homes against voyeurs, evildoers or evil people in general.

We find some partial recommendations: get an antivirus and keep it updated, do not use cracked programs, be careful with P2P, and set WPA encryption on your WiFi. WPwhat? All of this can become a hell for ordinary mortals. It is for me, and I have worked in ICT for many years…

In short, a clearly worrying situation that not only affects home systems but also, directly or indirectly, jeopardizes corporate networks, because nowadays it is very difficult, if not impossible, to separate professional and personal technological environments. Thus, technological threats at home can become security threats to the corporate environment, so we must be ready to build a really safe digital society; otherwise I fear that, even with all the technology in the world protecting our corporate networks, it will be very complicated.

We return to the same problem over and over again. One of the most effective investments in the field of cybersecurity is training and awareness, but the kind that works: practice. It is not the only thing we have to do, but at this point I think it should be the first thing we must do, because people don’t have a clear perception of risk. Yes, they do with physical risk, and they hire the services of security companies with monthly payments, but they do not have the same perception of risk in the virtual world.

I have no idea if someday those of us who work in security will be able to educate our fellows about digital risks, or even if we will be able to make a sufficiently attractive offer for people to contract digital security services as they do with physical guards.

Certainly, I don’t know. However, we feel obliged to propose a basic cybersecurity policy for digital homes, which we will try to develop in the following Decalogue, progressively over time, and keep as simple as possible. Bear in mind that applying these rules does not guarantee anything absolutely; it simply partially mitigates the risk, directly reducing the likelihood of a digital incident.

If you need professional help, contact private centers specialized in digital security or public centers devoted to security incident response such as CERTs.

And now, let’s see some of these basic rules of the cybersecurity policy for digital homes:

  • Always change the router password. Never leave the default user or password. The “evil ones” know them.
  • Passwords should not be shared. Each member of the family must have their own user and password, with the privileges appropriate to each person by age and knowledge.
  • A password must be a real password. Potato is a tuber. JM are the initials of my name. “S2” is the company where I work. None of them are passwords.
  • The administrator password of the shared computers on the family network should be known by the mother, the father or the head of the family and no one else.
  • All computers must have an updated antivirus. Some, such as AVG, are free for personal use and are great.
  • All computers must be updated. Updates are not an annoying task that takes a long time; they are activities of software manufacturers that are absolutely necessary for our security.
  • Access to the home WiFi network must be protected with the MAC filter if possible. This is not a hard thing to do. It is part of the minimum knowledge we must have to manage the security of our home.
  • The WiFi key should not be related in any way to our usual passwords, especially if I am going to let friends connect to it (and thus give them the WiFi key).
  • I don’t give my friends my computer’s password. If they need to access it I type the password without them looking. And the same goes for email, social networks, etc.
  • When a file is deleted with the Delete key it is not really erased. It can be recovered. If you need a file to really disappear from a storage device you must use a secure erase tool (Eraser, for example).
  • If I have to access the corporate computer from home I always have to ask the IT department in order to do it safely.
  • The installation at home of P2P programs such as eMule, Ares, torrent clients or similar involves many risks. Be very careful with this type of programs.
  • Hacking devices that connect to the network to play online or to download programs of any type introduces a very high risk. Do not break the protections of these systems and, above all, do not let our children surf with hacked devices.
  • We do not turn off the Windows firewall just because it is annoying. Try to find out what prevents a program from operating. There are always ways to keep the firewall working with the programs working correctly.
  • And above all, use common sense. Most network risks can be controlled with a good dose of common sense and a bit of distrust.

Surely many of you have recommendations of this type that we could use to extend the list above. Help us make this list more useful through your comments. We commit ourselves to analyze them and to incorporate them into a set of universal security measures for our homes and our families, and to publish it on HD (hijosdigitales.es, only in Spanish) and SAW (SecurityArtWork.es) so everybody can use it. They must be simple recommendations that can be applied by non-technical people who need to implement certain standards at home. They can be simply resources on the network or small useful applications.

Please note that this is a post we publish on both HD (hijosdigitales.es) and SAW (SecurityArtWork.es). In the first case, we have included it because we have many readers, parents, who are concerned about the safety of their children and their homes in general. In the latter, because I firmly believe that to improve the security of our corporations and businesses of all types and colors we have no choice but to promote the training and security awareness of the people who are part of them and of their common technological environments, including of course their homes. Let’s therefore get to work. Let’s work for a safer Digital Society for our businesses, our homes and our families.

Rcapd start meterpreter module

During the post-exploitation phase of an intrusion, after getting a shell on a computer, one of the steps to gain access to other computers or network devices is traffic sniffing. Just listening to the traffic passing through the machine, even in a switched environment, can provide us with very useful information about the network topology or the potential vulnerabilities that we can exploit later: NetBIOS names, users/passwords in clear text, ARP, CDP, DHCP, HSRP, VRRP, etc.

To listen to the traffic from a shell, however, we must make use of external tools that we need to download and run on the compromised computer. A good choice is rawcap, which allows packet capturing without relying on packet capture drivers such as WinPcap (the libpcap library for Windows used by many traffic analysis tools).

Another option is to use Meterpreter, where we can rely on capture modules without touching the compromised machine's hard disk. For that, Meterpreter has the sniffer extension or the packetrecorder module by @Carlos_Perez aka Darkoperator. Both can be used to generate and save locally a pcap file with the captured traffic.

As an alternative to these two options, I have created a small module (rpcapd_start) that activates the rpcapd service in order to capture traffic remotely. It is not uncommon to find user computers, and even Windows servers, with WinPcap installed. So, what better way to get traffic than using this service remotely? As an additional benefit we won’t depend on the Meterpreter session, because once activated we can capture traffic with any software that supports rpcap.

The WinPcap installation creates a new service called rpcapd, disabled by default.

The module just activates rpcapd, specifying the port and the operating mode (active or passive). We may also choose whether or not we want authentication.

Since the computer will most likely be NATed behind a router or firewall, in practice the most useful mode will be the active one, where the compromised machine is the one connecting to us.

After starting the service, and in the case of using a passive connection (as in the example), a new rule named “Windows Service” is added to the Windows Firewall to allow incoming traffic.

Then we can connect to the machine from any tool that supports rpcap and start capturing traffic.

The module is already included in Metasploit, so you just need to update it to get the module.
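From the defender's side, the footprint the module leaves is concrete: an rpcapd service that is no longer disabled, a firewall rule called “Windows Service”, and a socket owned by rpcapd.exe (listening in passive mode, connecting out in active mode). The following PowerShell script is an added example, not code from the module or the original post; it assumes rpcapd's default port of TCP 2002 and that the host runs a Windows version with the NetSecurity and NetTCPIP cmdlets (Windows 8 / Server 2012 or later).

```powershell
# Added example (not part of the module or the original post): look for the
# footprint described above on a Windows host. Assumption: rpcapd listens on
# TCP 2002 unless the module was run with another port.
function Invoke-RpcapdCheck {
    param([int]$Port = 2002)
    $findings = @()

    # 1. Service: WinPcap installs rpcapd with StartMode=Disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='rpcapd'" -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "rpcapd service found: State=$($svc.State) StartMode=$($svc.StartMode)"
        if ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled') {
            $findings += "  -> rpcapd is enabled; it is disabled by default after a WinPcap install"
        }
        # rpcapd switches of interest: -a host,port (active mode), -n (no authentication), -p port
        if ($svc.PathName -match '\s-a\s|\s-n(\s|$)|\s-p\s') {
            $findings += "  -> service command line carries rpcapd options: $($svc.PathName)"
        }
    }

    # 2. Firewall rule named "Windows Service" (added in passive mode).
    $rules = Get-NetFirewallRule -DisplayName 'Windows Service' -ErrorAction SilentlyContinue
    foreach ($r in @($rules)) {
        $portFilter = $r | Get-NetFirewallPortFilter
        $appFilter  = $r | Get-NetFirewallApplicationFilter
        $findings += ("firewall rule 'Windows Service': Direction={0} Action={1} Enabled={2} Port={3} Program={4}" -f `
            $r.Direction, $r.Action, $r.Enabled, $portFilter.LocalPort, $appFilter.Program)
    }

    # 3. Sockets owned by rpcapd.exe: LISTEN means passive mode, an ESTABLISHED
    #    connection to a remote peer means active mode (the host calling home).
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.State -in 'Listen', 'Established' }
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        if ($proc -and $proc.Name -eq 'rpcapd') {
            $findings += "rpcapd.exe (PID $($proc.Id)) socket: $($c.State) $($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort)"
        } elseif ($c.State -eq 'Listen' -and $c.LocalPort -eq $Port) {
            $findings += "TCP $Port is listening, owned by PID $($c.OwningProcess) ($($proc.Name))"
        }
    }

    if ($findings.Count -eq 0) { $findings += "no rpcapd footprint found" }
    return $findings
}

Invoke-RpcapdCheck | ForEach-Object { Write-Output $_ }
```

Run it from an elevated prompt so that the service, firewall and socket owner queries return complete results.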

Introduction to Mallory Proxy

Although I have tried most of the proxies that allow modifying web traffic “on the fly”, such as Burp or WebScarab, I recently discovered a pretty interesting one, not only because of its developers and the context in which it was presented, but also because of its features and architecture. Mallory Proxy is a proxy developed by the computer security experts at Intrepidus and was presented at Black Hat 2010.

Mallory is developed in Python and consists of a server side and a client interface for configuration and user interaction.

For those who want to try Mallory, there are basically two options. The first is to follow the installation instructions and download and install both the proxy sources and its dependencies. The second is to download a VMware image running Ubuntu that comes with both the software and the dependencies.

[Read more…]

SSD drive forensics

(Please note this post was originally published in the Spanish version of Security Art Work last 5th Nov 2012)

Some weeks ago I was playing with Django when I accidentally deleted an application I had already finished. It was not complex; it had few lines of code and I think I would have been able to rewrite it in less than a day, but I saw in this mistake a chance to learn how to recover data from an SSD drive.

The configuration of this computer’s drive is as follows: GPT partitioning with multiple partitions formatted with ext4 (without LVM). My previous experience in this type of situation has always been to use the best known tools in GNU/Linux environments: sleuthkit, autopsy, testdisk and photorec (these last two usually come in the same package), dd, grep

[Read more…]

Locating our smartphone

Since smartphones became part of our lives, either for personal or professional use, one of the greatest fears is losing one. We store a great amount of sensitive information in these devices that could potentially be accessed by a malicious person. The problem is even bigger with professional smartphones, which hold not only personal information but also access to the corporate environment and its information.

So what happens when you lose your mobile phone? If we have hardened it correctly, that will not be a major problem. The person who finds the device must know the code or the unlock pattern. In the best case, after N repeated attempts the device will wipe itself and no information will be compromised (full erase of user data). (Paranoid note: do not leave fingerprints on the screen if we use a pattern to unlock the device.)

And if we want to find it? Who knows, maybe no one found it and it still lies beneath the park bench. In this case we need third-party applications that allow us to locate the device. There are many of them, free and commercial, but we will briefly describe the most popular, although of course any reader contribution is welcome.

Commercial applications

On one side we have the commercial applications, and each person must decide whether the app is worth the price or not.

StealthGenie

This product comes from an American company and performs a full trace of a mobile device, with an application available for Android, iOS or BlackBerry. However, you need to pay $99.99 per year. The basic version includes the following features:

  • Call Log.
  • SMS received / sent.
  • Access the phonebook.
  • Tasks and Calendar.
  • History and Web bookmarks.
  • GPS tracking.
  • SIM change notification.

The ‘Platinum’ version offers the possibility of listening to telephone calls, among other options. This ‘fully equipped’ version costs $199.99/yr. You can access a demo of the dashboard (or control panel) at the following link: http://demo.stealthgenie.com/dashboard

Cerberus

In the past we have already talked about Cerberus, as in the post regarding a case of a malicious user who loses a mobile device on purpose (Spanish).

This application is available from €2.99, with a lifetime license that allows you to control up to five different devices.

From the Cerberus dashboard we have the following list of possible actions to control the device, among which is GPS tracking.

This product is only available for Android smartphones.

Free applications

On the other hand, there are free applications that allow you to track your mobile device. Their features are more limited than those offered by commercial solutions, but for some users they may be enough.

InstaMapper

This application only allows tracking the device via GPS. Although free, it will cease to provide this service next December 13th, something that may be of interest to users currently relying on it.

Screenshot of the main dashboard
This product is only available for Android smartphones.

Prey

This is one of the solutions that most caught my attention, since from the beginning it was a product to keep track of a computer (Windows or Mac OS X). Prey gradually expanded its range and now can be installed on Android, iOS and even Linux.

One advantage of this product is that there is a paid version ranging from $5 to $399 per month depending on the number of devices and the functionality required. On the product page you can find more information on the plans.

Below there is a screenshot of the dashboard on an Android device that has this product installed.

As you can see in the picture above, the geolocation feature is not enabled unless the device has been marked as lost, which is one of the main differences from Cerberus.

Another option worth highlighting is locking the mobile device with a password. The moment this feature is enabled (whether the phone is marked as lost or not), the device is blocked until the owner enters the password specified in the control panel, as shown in the image:

Plan B

What would happen if you lose your device without any of the above applications installed? As its name suggests, there is a plan B.

This application is available for download from Google Play and can be installed remotely on the device. We conducted a test setup and within minutes the application appeared correctly installed on the device.

Once installed, when the device gets GPS coverage it sends its coordinates to the Gmail account associated with it.

This product is only available for Android smartphones.

Personal opinion

Taking a more paranoid view, the application that offers the best security and privacy (call it confidence if you want) is Prey, not only because it has a free version but because of its tracking options. Maybe it is not as complete as its competitors, but being an open source product has the advantage that the code is auditable and it can be verified that no unknown actions are performed without the user’s consent.

Of course, with this I want to re-emphasize the danger we saw in the previous post about finding a mobile device on the street and using it for our daily tasks (or business, which is even more dangerous) without taking proper precautions.

Online reputation, a rising value

How much is our reputation worth? To answer this question we have to consider the relationship between reputation and success. And when I say “success” I mean achieving our objectives, both personal and professional. For certain groups, reputation is an essential element in their success or decline. We could include in that group people holding public office, such as mayors, councilors, ministers, etc., but it also directly affects professionals from the private sector such as actors, singers, designers and a long etcetera.

In this entry we’ll talk about the particularities of online reputation and see some examples that show its importance. Let’s start by defining what online reputation is. Although the concept has many corners worth exploring, the simplest definition comes courtesy of Wikipedia: online reputation is a reflection of the prestige or esteem of a person or brand on the Internet.

It is well known that achieving and maintaining a good reputation requires much effort, perseverance, dedication and time. On the other hand, a “bad reputation” can be acquired at the most unexpected moment, at the hands of a scandal, a simple misunderstanding or an error. The same happens with “online reputation”, with the particularity that information technologies magnify the impact of our actions. If you are good, there are ways to publicize, disseminate and make the most of our effort. However, our failures will also spread more widely, deeper and faster. Therefore, we could say that online reputation is more “fragile” than the traditional concept of reputation. Needless to say, both concepts (reputation and online reputation) are closely linked.

To illustrate what we said about the “fragility” of online reputation, we will look at some examples in which a single unfortunate comment and/or misunderstanding tarnished the reputation of some famous people.

[Read more…]

Real Cloud Security

(Please note this post was originally published in the Spanish version of Security Art Work last 2nd Oct 2012)

Act I: The cloud

(In a small room we find the Chief Executive Officer (CEO), the Chief Security Officer (CSO) and the Chief Marketing Officer (CMO). The latter comes with a PC World magazine under his arm)

CMO: Blablablabla Cloud blablabla costs blablabla availability blablablabla Google.
CSO: Blablabla SLA blablabla, blablabla privacy, blablabla blablabla outsourcing, blablabla.
CEO: Blablablabla dollars, blablabla staff, IT blablabla servers. Security? Blablablabla.
CSO: Blablabla, blablabla SOX, penalties, blablabla data theft blablabla, blablabla press. Blablabla impact and risk.
CMO: Insecure? Hahahaha, blablabla, blablabla and blablabla. CSO blablabla, distrust. Blabla, blabla, Gartner, blablabla?? Blablablabla. That does not happen.
CEO: blablablabla CIO, blablabla blablabla IT budget.
CSO: Alea jacta est.

Act II: Hunky-dory

(While the Chief Executive Officer looks at the Chief Marketing Officer’s tablet, they see the Chief Security Officer, who quickens his pace but is intercepted in the aisle)

CMO: Blablabla access, blablabla iPad, iPhone. Blablabla? CSO? Blablabla, these security guys blablabla. Access, blablabla, password blablabla, blablabla SSL.
CEO: Blablabla friendly, blabla, blablabla success. Blablablabla reason blabla costs, blablabla enterprise 2.0.
CSO: Pater Noster qui es in caelis, sanctificétur nomen Tuum

Act III: A small problem

(There is a problem in the Marshall Islands that has disabled the connection to the cloud provider and, although it is not yet known, may have caused data loss)

CEO: Blablabla connection, blabla deletion, blablabla access. Blablablabla data, blablabla cloud!!
CMO: Blablablabla probability blabla blablablabla Gartner CIO, blabla CSO .
CSO: Blablabla risk, blablabla impact, blabla quality of service, blablabla Google.
CEO: Blablabla reputation, blablabla business, blablabla Google!
CMO: …
CSO: …

Act IV: Choose Your Own Adventure

(Do you remember these books? ;)

Option #1

CSO: Blablabla backup, blabla fireproof, blablablabla recovery blablabla system.
CEO: Muacs.

Option #2

10 CEO: …
20 CMO: …
30 CSO: …
goto 10

Option #3

CSO: Blablablabla CIO?
CIO: Blablabla, Terms of Service, blablablabla complaint, blablabla compensation, blablablabla.
CEO: Blablabla data, blablabla available blablabla #@!*& blablabla ten dollars.

Well, how did the adventure in the cloud end?

If you’ve been able to continue this conversation, you might like this video that our colleague Adrian has found:

Covert channels

(Please note this post was originally published in the Spanish version of Security Art Work last 26th Oct 2010)

Covert channels are an evasion technique that allows an attacker to send information using the headers of communication protocols. In this post we will cover covert channels in the TCP/IP protocols and provide a tool, CovertShell, designed as a proof of concept. The sources are at the end of this post.

The TCP/IP protocols have header fields that are usually initialized by the client to maintain or number a communication. The covert channel technique uses these fields by assigning them values so that the target machine does not interpret them as part of the communication, but extracts data from them.

An interesting example was developed by Craig H. Rowland in his 1996 paper Covert Channels in the TCP/IP Protocol Suite, where he created a small client/server, “CovertTCP”, of no more than 500 lines that allowed file transfer between client and server using only the SEQ and ACK fields (TCP protocol) and the ID field (IP protocol). The information travelled in the protocol overhead and not in the payload.
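The same property that makes the channel work, a header field carrying chosen bytes instead of the values a normal stack would put there, is what a detector can score. The script below is an added example, not code from the original post or from CovertTCP; the two packet streams are constructed, and the encoding assumed for the suspicious stream (one printable byte in the high-order byte of the field, the rest zero) is a simplified form of the field usage the post describes. The width argument generalizes the check from the 16-bit IP ID to the 32-bit TCP SEQ field.

```python
"""Score a stream of IP ID (or TCP SEQ) values for a one-byte-per-packet covert
channel of the kind the post describes.

Added example, not from the original post or from CovertTCP. Both streams are
constructed: NORMAL_IDS mimics a stack that increments the ID per datagram,
SUSPICIOUS_IDS carries one ASCII byte per packet in the high-order byte of the
16-bit ID with the rest zero (assumption: a simplified form of the encoding).
"""
import string

PRINTABLE = {ord(c) for c in string.printable if c not in "\x0b\x0c"}

NORMAL_IDS = [0x1A2B + i for i in range(12)]            # constructed, incrementing
SUSPICIOUS_IDS = [ord(c) << 8 for c in "transfer.txt"]  # constructed, data in high byte


def high_byte(value, width):
    """Return the most significant byte of a width-bit field value."""
    return (value >> (width - 8)) & 0xFF


def analyze_field(values, width=16, min_packets=8, threshold=0.9):
    """Score a sequence of header field values and return a verdict dict.

    A packet 'hits' when the field holds a printable byte in its top byte and
    zeros elsewhere. A normal stack meets that pattern by chance in roughly
    1 of 256 packets at most, so a stream where nearly every packet matches is
    not ordinary numbering. When flagged, the hits are decoded for the analyst.
    """
    low_mask = (1 << (width - 8)) - 1
    if len(values) < min_packets:
        return {"flagged": False, "score": 0.0, "recovered": "", "reason": "too few packets"}
    hits = [v for v in values if (v & low_mask) == 0 and high_byte(v, width) in PRINTABLE]
    score = len(hits) / len(values)
    flagged = score >= threshold
    recovered = "".join(chr(high_byte(v, width)) for v in hits) if flagged else ""
    return {
        "flagged": flagged,
        "score": round(score, 3),
        "recovered": recovered,
        "reason": "header field carries printable bytes" if flagged else "pattern absent",
    }


if __name__ == "__main__":
    for name, stream in (("normal", NORMAL_IDS), ("suspicious", SUSPICIOUS_IDS)):
        print(name, analyze_field(stream))
    # Same bytes placed in the top byte of a 32-bit SEQ field.
    print("seq", analyze_field([ord(c) << 24 for c in "transfer.txt"], width=32))
```

In practice the values would be pulled from a capture per source host and per flow, since the check only makes sense against a stream the same sender numbered.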

[Read more…]