Tuesday, December 22, 2015

Cybercrime Motivation (week 3)

Source: Cybercrime, 2013
According to cve.mitre.org, “Juniper devices running ScreenOS 6.3.0r17 through 6.3.0r20 are affected by the fixed backdoor password (CVE-2015-7755)”. Juniper issued an advisory on December 18th, 2015 about this CVE (Common Vulnerabilities and Exposures) entry, stating that unauthorized remote administrative access to the device can be obtained. It appears that these Juniper devices have a hard-coded backdoor password (<<< %s(un='%s') = %u) that can be supplied with any user name, allowing an attacker to bypass authentication over SSH and Telnet.

Barely four days later, these exploits are already being observed and reported in the wild; at my job I am seeing attacks against clients with Juniper devices from all across the globe. This looks like an Internet-wide scan rather than a targeted attack against specific organizations. Using sites like Shodan, one can easily map out Internet-connected devices, so discovering Juniper devices on the net is not hard for an attacker who knows their recon 101. The pattern is the same across the board: a CVE is published and, soon after, before end users can deploy patches and security updates, the attacks start flowing.
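The first thing a defender needs when a bulletin like this lands is a quick answer to "which of my boxes fall in the affected range?". The Python below is an added example, not code from the original post: it parses ScreenOS version strings numerically and triages a device inventory against the 6.3.0r17 through 6.3.0r20 range quoted above. The inventory rows are constructed, and the optional trailing ".N" build suffix in the version pattern is an assumption about how ScreenOS reports builds, not something the advisory states.

```python
import re

# Affected range quoted from the CVE entry above: 6.3.0r17 through 6.3.0r20.
AFFECTED_MIN = (6, 3, 0, 17)
AFFECTED_MAX = (6, 3, 0, 20)

# major.minor.patch r<release>, with an optional trailing ".N" build suffix.
# Accepting that suffix is an assumption, not something the advisory states.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?$")


def parse_screenos_version(text: str) -> tuple:
    """Turn '6.3.0r17' into (6, 3, 0, 17) so releases compare numerically.

    Comparing the raw strings would be wrong: '6.3.0r9' sorts after '6.3.0r17'
    lexically, which is exactly the kind of slip that hides an exposed device.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised ScreenOS version: %r" % text)
    return tuple(int(part) for part in match.groups())


def is_affected(version: str) -> bool:
    """True when the version falls inside the range named in CVE-2015-7755."""
    return AFFECTED_MIN <= parse_screenos_version(version) <= AFFECTED_MAX


# Constructed inventory (hostname,version); these are not real devices.
INVENTORY_CSV = """\
fw-edge-01,6.3.0r17
fw-edge-02,6.3.0r20.0
fw-lab-01,6.3.0r16
fw-dc-01,6.3.0r21
fw-old-01,6.2.0r19
"""


def triage(inventory_csv: str) -> dict:
    """Split an inventory into affected / clear / unknown hostnames."""
    result = {"affected": [], "clear": [], "unknown": []}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        parts = [field.strip() for field in line.split(",", 1)]
        if len(parts) != 2:
            result["unknown"].append(line.strip())  # malformed row, never "safe"
            continue
        host, version = parts
        try:
            bucket = "affected" if is_affected(version) else "clear"
        except ValueError:
            bucket = "unknown"  # unparsable version must be checked by hand
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY_CSV).items():
        print("%-8s %s" % (bucket, ", ".join(hosts) or "-"))
```

Anything landing in the "unknown" bucket should be treated as exposed until someone confirms the version by hand, since an unparsable record is the easiest way to lose a device from the patch list.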

The question therefore is: what really drives attackers to engage in cybercrime?

Before looking at the motivators, it might be prudent to evaluate some of the skill sets that attackers possess.

None
These are your day-to-day end users, pawns, or patient zero, whose intention is not to attack. Most of the time they are not even aware that they may be propagating attacks. A good example is Denial of Service attacks, where compromised devices are used to attack an organization and, most of the time, the owners of those devices are not even aware until they get that phone call from an ISP or law enforcement.
The insider threat can also be classified under this skill set: by being complacent, for example admins not changing default passwords, they may inadvertently enable an attack.

Novice
The script kiddies fall under this category. These attackers usually use well-known methods of exploitation and are loud, predictable and a nuisance; they can be easily caught or stopped. They basically come across tools on the net and might perform scans and low-level reconnaissance to find ‘soft targets’.

Intermediate
A step above your average Joe. They possess some knowledge of different programming languages and can even reverse engineer some aspects of code to fit their needs. Their attacks may be somewhat targeted, and they may have links to the dark web to shop around for malware and exploit kits.

Expert
These are the top guns of cybercrime. They do this for a living, typically employed or funded by a State, intelligence service, defense organization, organized crime syndicate or terrorist group. When you think about Advanced Persistent Threats (APTs), these groups come to mind. They have the ability to develop exploit code targeted at specific hardware and software for specific goals. They are covert and very hard to detect based on their modus operandi. They use covert channels like Torrent and I2P (The Invisible Internet Project) to hide their activity.

So what motivates them?

Money
Money has always been a driving force for most crimes. Before technology, you had to physically accost the victim, be it an individual, bank, or retail store, in order to steal from them. Now all you need is a computer and an Internet connection. The Nigerian 419 scam was (or is) successful because it preyed on people’s trust and hope of making a fortune. Just recently, the CryptoLocker malware has been used to extort money from affected users, who have to pay up or lose their encrypted data. FYI ...don't forget to back up your data.

Money as a motivator is applicable to all skill levels.  

Notoriety (bragging rights)
As the admin of your website, you get a call from your boss in the middle of the night asking what happened to your company’s website. You browse to it and see that it’s been defaced. Apparently someone thought it would be funny to break into your web server and deface your site. Most of these attacks are just attackers trying to prove they can do it, for bragging rights and notoriety.

By being security conscious, some of these attacks can be prevented. This type of motivator applies mostly to the novice and the lower-level intermediate attackers.

Moral Agenda (hacktivism)
Everybody remembers Occupy Wall Street. Anonymous came to the limelight for its support of this movement. November 5th has been earmarked by Anonymous and its followers as a day of global civil disobedience. Attackers motivated by a moral agenda usually target specific organizations that they feel go against their beliefs and thoughts.

The skill level may vary from intermediate to expert. Given that these groups are usually open to the public, you may even have people with novice skill sets affiliating themselves with the hacktivists.

Competitive Advantage
This motivating element calls for more focused and sophisticated attacks. Here intellectual property is the prize: the attackers may be State sponsored, trying to find out how a successful Fortune 500 company conducts its business, or a foreign government trying to steal the blueprints for a secret military project.
This is mostly the domain of expert attackers. Their attacks have to be sophisticated, as the targets are more security conscious and have multi-layered security checks.

Destruction/Sabotage
The sole purpose here is to cause havoc, anarchy and destruction. These attackers may target infrastructure to bring it down, or nuclear reactors to cause harm. They are mostly terrorists with the money or influence to buy hackers with the right skill set to fit their agenda.

In conclusion, Kim Zetter, in her Wired.com article “10k reasons to worry about critical infrastructure”, quotes Eireann Leverett, who stated during the S4 SCADA Security Scientific Symposium, “If a student can put this together, surely a nation state can do it” (2012). This was in regard to research he had conducted using Shodan and vulnerability databases to map out Supervisory Control and Data Acquisition (SCADA) systems connected to the Internet.
That statement speaks volumes: it shows that no matter what skill level an attacker has, with enough time, the right tools and the right mindset they can succeed. Everyone from the novice attacker to the skilled state-sponsored attacker should be accounted for when planning an information security program.


References:
2015-12 Out of Cycle Security Bulletin: ScreenOS: Multiple Security issues with ScreenOS (CVE-2015-7755, CVE-2015-7756). (n.d.). Retrieved December 22, 2015, from Juniper Networks website: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST
CVE-2015-7755 [Press release]. (2015, December 10). Retrieved from Common Vulnerabilities and Exposures database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7755
Zetter, K. (2012, January). 10k reasons to worry about critical infrastructure. Retrieved December 22, 2015, from Wired website: http://www.wired.com/2012/01/10000-control-systems-online/
Cybercrime [Image]. (2013, July). Retrieved from http://www.abc.net.au/btn/image/story/2013/07-cybercrime.jpg


Wednesday, December 9, 2015

Ho! Ho! Ho!…Hold on (Week 2)

Social Media Awareness

‘Tis the season to be merry, enjoy family, stuff our faces with food and, for those legally able to, drink some eggnog or whatever concoction we cherish. It’s certainly the age of ‘selfies’, hashtags (#), tweeting and checking in. The movie Home Alone was one of my favorite movies: the burglars waited till the homeowners left for vacation and then tried to break in. Of course the movie has them fail miserably at this, but the point is that before technology, cat burglars had to physically scope out a target. We now do this job for them by publicly sharing this information without hesitation.

Social media is a great tool to have personally, and even as a business it can be used as a ‘free’ marketing tool. I stay in touch with my family and friends who are thousands of miles away via Facebook. They post photos and I post photos and we like each other’s photos; the cycle goes on and on. The downside of social media sites is that they make money by having as many users as possible share information; privacy and security are an afterthought. The more connected they can get their users, the better for them. How does someone have over 1,000 friends? How do you keep up with all these relationships? If you post a picture, not only do your 1,000 friends have access to it, but so do each of their 1,000 friends (if you haven’t locked down your account). That means about a million ‘strangers’ could potentially view that picture you just posted. In terms of marketing this is great, because if you like a product and share it, potentially a million people will view it and there’s a chance that a sale may come out of it. As an individual, though, would you like to have a million eyes staring at your body because you decided to flaunt your new body ink?

“Data shows 93% of hiring managers will review a candidate’s social profile before making a hiring decision. And that review matters: 55% have reconsidered a candidate based on what they find, with most (61%) of those double-takes being negative.” (Davidson, 2014)
So not only should we worry about sharing personal pictures and information with strangers, it can also hurt our careers.

How can social media be used to propagate an attack?
Let’s walk through some basic information gathering (recon) and a possible spear phishing attack based on a ‘fictional’ post by the HR manager at company ABC. On her social media page she posted a picture of a soccer game with the caption #GoBruins #MyDaughterRocks. Typical stuff that any proud parent would post on social media; no harm there. As the Human Resources manager, Jane Doe has her title at company ABC on her social media ‘about’ page, and her privacy settings are not that strict: friends of friends can view her profile page. Her LinkedIn page is also tied back to her other social media accounts like Facebook and Twitter.

While doing recon on company ABC, bad-guy Joe used Metagoofil, an information gathering tool designed for extracting metadata from public documents (pdf, doc, xls, ppt, docx, pptx, xlsx) belonging to a target company. Metagoofil performs a Google search to identify and download the documents to local disk, then extracts the metadata with libraries like Hachoir and PdfMiner. From the results it generates a report with usernames, software versions and server or machine names that help penetration testers in the information gathering phase.

The HR manager stood out to him because of the access she would have to employees’ personally identifiable information (PII) within the targeted company. Through online stalking, bad-guy Joe comes across the post mentioned earlier. By copying the image and using metapicz, some information is gathered, like the date the picture was taken. Images usually contain metadata such as the camera used, the application used, and even the location where the picture was taken.

Bad-guy Joe also used Google’s reverse image search to get more information about this picture. Using this, he can see that the soccer match was played at Tranquility Park (see figure 1.1).

Note that there are other powerful metadata extraction tools, like ExifTool, that can pull even more information.

Figure 1.1

Figure 1.2
Now that bad-guy Joe has this information, it’s time to craft a targeted (spear phishing) email that delivers a malicious payload. Before the email is crafted, to give the exploit a higher chance of success, bad-guy Joe scans through Jane Doe’s social media page again and runs into a post mentioning the Internet browser and computer she uses (IE 11 on Windows 10, see figure 1.2).

Now the email can be sent with a ‘legitimate’ message, and the embedded exploit is specific to the operating system Jane Doe uses.

Figure 1.3

How to stay safe on social media

Is it time to pull out the Kodak and order some film?
Not necessarily. Social media is here to stay, and as much as staying away from it entirely would be the best way to avoid its pitfalls, there are basic steps we can take to avoid sharing too much.

  1. Configure your privacy and security settings. Lock down your social media accounts as much as possible. You really don’t have all those friends; it’s probably time to cut back on the attention.
  2. Question before you post. Ask yourself what you would lose if you posted that picture or tweeted that post. Think about it before sharing. Yes, you can now edit posts and even delete pictures, but are you 100% positive someone did not already take a screenshot?
  3. Less is more. The whole world does not need to know about your day-to-day life; we have TMZ and the gossip magazines to keep us busy. The less information you share, the less likely someone can map out your life.
  4. Mirages are real. Approach everything with caution and doubt; yes, that single lady on christianmingle.com may not be so Christian after all. Online profiles can be set up to be whatever you fancy. Be careful what you trust on the net. Pictures of friends and family can be used to create fake profiles to dupe you.
  5. Security through obscurity. There is no rule that says you have to use your real name out there. Sometimes using an alias may help keep that CEO out of the social media limelight.


As we enjoy family and friends, we need to be vigilant and aware of what we are posting online.

I will borrow a leaf from National Cyber Security Awareness Month (NCSAM), celebrated every October. Its campaign theme is STOP. THINK. CONNECT., and the capstone concepts of the campaign are:
  • Keep a Clean Machine
  • Protect Your Personal Information
  • Connect With Care
  • Be Web Wise
  • Be a Good Online Citizen


References
Tutorial: Metadata Analysis. (n.d.). Retrieved December 9, 2015, from http://fotoforensics.com/tutorial-meta.php

Davidson, J. (2014, October 16). The 7 Social Media Mistakes Most Likely to Cost You a Job. Retrieved December 9, 2015, from http://time.com/money/3510967/jobvite-social-media-profiles-job-applicants/


Sunday, December 6, 2015

Back to Basics

You really don’t need to be a sports ‘junkie’ to be aware of the saying “defense wins championships”. Being a Philadelphia Eagles fan, I’m still waiting on that ever elusive Super Bowl championship …fingers crossed. On the IT security side, CISOs and all high-level IT management personnel are faced with the million dollar question …how much money can I throw at IT security to ensure I’m safe?

In this day and age, we have smartphones with more computing power than all of NASA had back in 1969 when it landed astronauts on the moon. Thanks to competition, technology has advanced at a rapid pace, and just as we, the good guys, have access to these massive processing capabilities, the bad guys are in the same canoe as us, if not in a speedboat. Most problems can be easily resolved by throwing money at them. We have bandwidth and storage issues? Well, let’s buy bigger servers, faster routers, and build a secondary data center. When it comes to IT security, however, does having the meanest and ‘bad-est’ firewall or IPS equal guaranteed security?
Like my dreams of the Eagles winning a championship this coming season, one can only hope.
Just recently, news of a breach at the Office of Personnel Management (OPM) was revealed to the public. While Target was still trying to pick itself up from the huge ‘blow’ it got from hackers, JPMorgan Chase was also hit. 2015 rolled in and then Anthem announced they too were hit. JPMorgan Chase spent over $250 million on cyber security last year but still suffered a significant data breach. According to Darkreading.com’s survey results on security spending in organizations, most respondents agreed that they had adequate tools and personnel to minimize (72%), quickly detect (69%), prevent (65%), and determine the root cause of (55%) data breaches. Being attacked in the cyber age is not a matter of if but when.

Attacks are going to happen regardless, so the question becomes: are we prepared enough to at the very least find out that we were breached? How many breaches have fallen through the cracks without organizations ever finding out?

Why are we not keeping up?
It is human nature to try to make life easy; that’s why we created fire and tools. As technology evolves, there is more and more automation and less and less human interaction. This is a double-edged sword, however. Yes, we eliminate the weakest link, humans, but then the computer is only as smart as the program it runs. If unwanted lines of code are added to this program, will we notice? Unless safeguards were built into the program during the coding phase, probably not, and the computer will simply follow its master’s instructions. It’s like installing cameras and then leaving the door unlocked; in IT terms, adding a firewall or IDS but leaving all unnecessary ports open to the outside world.
There’s a joke about a guy who named his WiFi SSID (network name) ‘Hack_Me’. The next day the WiFi name was ‘Challenge_Accepted’.
Threats are always lurking, and we need to be vigilant of our surroundings and not leave everything to technology. Good ol’ human instinct still has a place in this technology-savvy world.

Why are we always a step or two behind the attackers?
For one, the bad guys have the time and patience, and are sometimes even State sponsored. Malware is always being released. You can purchase an exploit kit from the dark web. There are too many open source tools and instructions on the Internet for script kiddies and hacktivists to use. Not to sound like a prophet of doom, but if we don’t adapt we will surely die!
A typical Advanced Persistent Threat (APT) involves roughly seven stages:
  • Recon
  • Lure
  • Redirect
  • Exploit
  • Drop Payload
  • Call Home
  • Data Exfiltration

Our focus will be on the reconnaissance stage, as it is usually overlooked although it’s a crucial stage for the attacker.

Reconnaissance is sometimes one of the easiest elements in this process because the victim provides all of the information you need without even knowing it. Imagine a scenario where you are watching your child at baseball practice. You take out your Android cell phone to snap a quick picture and upload it to Facebook. Unless you’ve locked down your privacy settings, this simple post provides a wealth of information about you, your technology and your location.
While it may seem harmless, this provides more than enough information to an attacker to craft a spear phishing email directed at you. The photo metadata discloses information about the make and model of your phone, enough information to craft an exploit against your specific platform. The geographic coordinates of the picture or the location tag on your post indicate where the practice takes place, allowing someone to identify what league or tournament your child participates in and on what day. This covers the approach: a change to the baseball practice schedule with a malicious calendar attachment, spoofed from the official email address of the practice facility.
Scary stuff …right!?
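Both this paragraph and the HR-manager walkthrough in the Week 2 post above turn on the metadata a phone embeds in a photo (camera make and model, and a GPS sub-directory with the location). The Python below is an added example, not code from the original posts: a dependency-free check that lists the Exif tags in a JPEG's main directory (IFD0), flags the presence of a GPS sub-directory, and strips the whole Exif segment before the photo is shared. The JPEG bytes are constructed inline (a bare container with Make, Model and GPSInfo entries and a placeholder scan segment, not a real photograph).

```python
import struct

# Exif IFD0 tag ids worth reporting (subset of the TIFF/Exif tag table).
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x8825: "GPSInfo"}
EXIF_HEADER = b"Exif\x00\x00"

def _segments(jpeg: bytes):
    """Yield (marker, start, end) for each header segment that precedes the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start-of-scan: no more header segments
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def exif_tags(jpeg: bytes) -> dict:
    """Return {tag_id: name} for the IFD0 entries of the first Exif APP1 segment."""
    for marker, start, end in _segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # little- or big-endian TIFF
        if order is None or len(tiff) < 8:
            raise ValueError("malformed TIFF header in Exif segment")
        ifd = struct.unpack(order + "I", tiff[4:8])[0]
        count = struct.unpack(order + "H", tiff[ifd:ifd + 2])[0]
        tags = {}
        for i in range(count):  # 12-byte directory entries; the tag id is the first field
            entry = ifd + 2 + 12 * i
            tag = struct.unpack(order + "H", tiff[entry:entry + 2])[0]
            tags[tag] = TAG_NAMES.get(tag, "0x%04X" % tag)
        return tags
    return {}

def has_location(jpeg: bytes) -> bool:
    """A GPSInfo pointer means a GPS sub-directory (coordinates) is embedded."""
    return 0x8825 in exif_tags(jpeg)

def strip_exif(jpeg: bytes) -> bytes:
    """Drop Exif APP1 segments; the scan data and everything after it are kept verbatim."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER):
            out += jpeg[start:end]
        last = end
    return bytes(out + jpeg[last:])

def build_sample_jpeg() -> bytes:
    """Constructed input (not a real photo): SOI, one Exif APP1, a stub scan segment, EOI."""
    make, model = b"Acme\x00\x00", b"Cam9\x00\x00"
    data_off = 8 + 2 + 12 * 3 + 4  # TIFF header + IFD0 with 3 entries + next-IFD link
    entries = [(0x010F, 2, 6, data_off),        # Make: ASCII, 6 bytes, at data_off
               (0x0110, 2, 6, data_off + 6),    # Model: ASCII, right after Make
               (0x8825, 4, 1, data_off + 12)]   # GPSInfo: LONG pointer to the GPS sub-IFD
    ifd0 = struct.pack("<H", 3) + b"".join(struct.pack("<HHII", *e) for e in entries) + struct.pack("<I", 0)
    gps_ifd = struct.pack("<HHHI", 1, 0x0000, 1, 4) + b"\x02\x03\x00\x00" + struct.pack("<I", 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + make + model + gps_ifd
    app1 = b"\xff\xe1" + struct.pack(">H", len(EXIF_HEADER + tiff) + 2) + EXIF_HEADER + tiff
    scan = b"\xff\xda" + struct.pack(">H", 3) + b"\x00\x12\x34"  # placeholder, not image data
    return b"\xff\xd8" + app1 + scan + b"\xff\xd9"
```

Running `has_location(build_sample_jpeg())` reports the GPS pointer, and `strip_exif` on the same bytes yields a file with no Exif directory at all; on a real photo the same functions work unchanged, since only the header segments are inspected.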

So how do I prevent this?

Change is the only constant
Implement information security user education programs to ensure employees are aware of targeted threat methods such as social engineering through spear phishing and watering hole attacks. As users and endpoints become the biggest vulnerability in large organizations, this is one of the most critical steps in preventing attacks.
In addition, expand security defenses to include technologies that can expedite the detection of attacks and thereby shrink the attack surface.
Leverage an MSSP or an in-house SIEM to monitor the network 24x7x365. These solutions allow for granular customization and correlation across each deployed technology, enabling accurate and rapid response to threats.
While each of these is a step in the right direction, none is as effective without ample testing. It is recommended to conduct security reviews and tests at least once per quarter. This ensures not only the effectiveness of the defenses but also incident response preparedness.

Conclusion
While defense is always a good thing, offense comes into play at the recon stage. By offense I don’t mean attacking the bad guy, but knowing what Tactics, Techniques, and Procedures (TTPs) might affect us, and the only way of knowing this is by actually ‘attacking’ ourselves. Using an Approved Scanning Vendor (ASV) or leveraging consulting services will help you learn what the outside world can gather from probing your network and simulating attacks.


References:
http://www.solutionary.com/resource-center/white-papers/the-advanced-persistent-threat/

http://www.darkreading.com/attacks-breaches/security-budgets-going-up-thanks-to-mega-breaches/d/d-id/1318714?