blog.andytang.com: September 2014

Friday, 26 September 2014

Shellshocked!

What is Shellshock?

It has been widely reported in mainstream news that vulnerability dubbed Shellshock could affect 500 million devices, which over shadows the 500,000 devices that were affected by the Heartbleed vulnerability.

Shellshock exploits a vulnerability in a command line shell used by many UNIX computers, called the Bourne Again Shell, more commonly known by its acronym Bash. This affects computers and devices using the Linux and Mac OS, including some appliance based devices such as firewalls, which are commonly built on Linux.

Bash is a common component in webservers, but even if Linux is not being used, Apache also uses Bash. It could also be used as a background component for web browsers, email clients and file transfer applications.

Whereas Heartbleed was a vulnerability that allowed the traffic to be sniffed, the Shellshock vulnerability allows direct access on to the vulnerable machine and with potentially three lines of code.

More technical details around the vulnerability CVE-2014-6271 aka Shellshock is linked.

What can be done?

Patch the Linux and Mac OS machines to the latest version. There are rumours that due to the speed of patch dispatch, they may not have been QA’d as thoroughly, but it is still better than being vulnerable.

Remember that devices other than computers and servers running Linux or Mac OS can be affected. Ensure your client software is up to date, regardless of the operating system. With devices such as firewalls, check regularly on the vendor websites for their advice.

Here is the latest government advice on the Bash vulnerability

I’m checking the vendor sites that MTI Technology partners with and slowly creating a list of useful links here:

Aerohive:
http://www.aerohive.com/support-security-bulletins/psa-20140926-001.html

Cisco

http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_Bash_09252014.html
Cryptzone
https://support.cryptzone.com/hc/en-us/articles/201543171-Statement-regarding-Shell-Shock-Vulnerability
EMC
http://support.emc.com/kb/192608
ExtraHop
http://www.extrahop.com/post/blog/monitor-shellshock-attempts-with-extrahop/
F5
https://devcentral.f5.com/articles/cve-2014-6271-shellshocked
GTA (Global Technology Associates)
http://forum.gta.com/forum/user-community-support/firewall-general/1533-bash-shellshock-vulnerability-cve-2014-6271
Imperva
http://blog.imperva.com/2014/09/shellshock-vulnerability-cve-2014-6271.html
Juniper
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10648
Lumension
https://www.lumension.com/kb/Home/General-Information/1666-(1).aspx
McAfee
https://kc.mcafee.com/corporate/index?page=content&id=SB10085
MobileIron
http://www.mobileiron.com/en/smartwork-blog/mobileiron-not-vulnerable-bash-exploit

Palo Alto

http://researchcenter.paloaltonetworks.com/2014/09/addressing-bash-vulnerability-shellshock-palo-alto-networks-mitigation-cve-2014-6271/

Radware
https://drive.google.com/file/d/0B0zPUWiKiUjRUmJlSnFmaEsyeW8/edit?usp=sharing
RSA
https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a67980
Sophos
http://www.sophos.com/en-us/support/knowledgebase/121444.aspx
Trend Micro

http://esupport.trendmicro.com/solution/en-US/1105233.aspx
VMware
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2090740

WatchGuard

http://watchguardsecuritycenter.com/2014/09/25/bash-or-shellshock-vulnerability/

Websense

http://www.websense.com/support/article/kbarticle/BASH-Shellshock-CVE-2014-6271
Westpoint
https://drive.google.com/file/d/0B0zPUWiKiUjRaC1zS3U4cWZrUGM/edit?usp=sharing
Xirrus
http://www.xirrus.com/blog/September-2014/Does-ShellShock-Vulnerability%E2%80%9D-impact-Xirrus-Custo

Here is the advice from some of the operating systems affected:

Apple
http://support.apple.com/kb/HT6495
CentOS
http://lists.centos.org/pipermail/centos/2014-September/146099.html
Debian
https://packages.debian.org/sid/bash
RedHat
https://access.redhat.com/solutions/1207723
Ubuntu
http://www.ubuntu.com/usn/usn-2362-1/

Last updated: 11:45 01/10/2014

Thursday, 25 September 2014

Securing the virtual you

I blogged recently about the Cyber Kill Chain where I look at each of the steps. Many of the steps can be dealt with using technology, except one stage, the reconnaissance stage.

Who's the target?

As the bad guys need to be more specific in targeting individuals, research is the key. Knowing who someone works for, who their friends are, their hobbies and pastimes, they all help construction a picture of the target. If you know your target, you can try to exploit it by sending emails with specific topics and links to lure your target to click on a link which can compromise their machine.

Spear-Phishing

People who are normally target to a "spear-phishing" (if phishing is a wide indiscriminate attack to get users details, spear phishing is targeting a very group or an individual person) are people who will have more rights than a typical user. Why? Well I mentioned in previous posts that a compromise will involve administrative credentials 100% of the time. So the target will often be members of the executive team (who often have more rights than a user) or members of the IT team.

Research/Googling?

How would I find out more about someone? Use Google (other internet search engines are available) and search for them. As an example, I'll use me and see what's available out there...

The second hit is for LinkedIn and most of the posts that follow are for a Singaporean racing driver (I'll give you a hint, I'm not a racing driver!). For those who are unfamiliar with LinkedIn, it's a social networking site for "professionals" effectively giving a CV online.

So following the link, it takes me to a number of people called Andrew or Andy Tang internationally, but LinkedIn handily gives a link at the top to refine this list to Andrew or Andy Tangs based in the United Kingdom.

So if you knew who I worked for (MTI by the way), then you'd know to click on the top link. If you didn't, then you probably won't target me! So now I can see a public profile of Andrew Tang, and even without a LinkedIn account I can gather a lot of information.

Now you know who I work for and have worked for, along with people who I must be linked with in some fashion, as people looking for my profile have also looked at these profiles. That already creates links with people or organisations I would potentially trust, or would not find odd if I received a communication from them. Additional information such as company websites and blogs may also be there and give more clues.

Google+/Blogger

Following out to the blog, it can be seen that the URL to my blog (that you're reading by the way, thank you) is http://blog.andytang.com which gives us similar information to the LinkedIn profile, as well as a link to my public LinkedIn profile. There is also a link to my Google+ profile as the blog use Blogger which is a Google company.

Twitter

Information we already have like company and LinkedIn details. There is a link to Twitter, along with some people who have put me in their circles. Again, more people that I would not find odd if I received communications from them. Let's follow the link to Twitter...

No real insights here, except that I say I live in Surrey. That may have been assumed as current and previous employers are in Surrey as well.

WhoIs?

Maybe time to get a little cleverer! We know the domain I own andytang.com, so there must be some information around that domain. A WhoIs will find out who has registered this domain:

No real information here either!

Facebook

I've tried looking for a Facebook page, but struggle to find myself, even if I spread the net wider with more information than can be found above. None of the profiles below are me, but then I have locked down my privacy settings.

I thought I'd try a different way to get to the profile. I know who Andrew Tang works for and I know they have a Facebook page. Having a quick look through would show up any posts Andrew Tang may have liked, and from there I can access the profile and gather more information:

This shows my Facebook privacy settings work!

Corporate Website

Most corporate websites have a who's who on it, but I'm not currently on it. Although if I were, it would probably show a photograph and a brief about me, which could uncover hobbies or pastimes.

So what?

A lot of information can be uncovered very quickly about people. If I were a target to an attack, I would hope that my privacy settings and IT awareness would help. If the communication was more targeted from people I know or around a hobby or pastime, I may well click on them.

Our virtual presence keeps growing, but do we keep tabs on what's out there. I did the above with no special access or logins. The only site that needed an account was Facebook, but the rest is there to be discovered.

Take the time to secure and protect your information, and make sure there's not too much out there.

Googling yourself is no longer about vanity, it's about security!

Tuesday, 16 September 2014

IoT putting security in the balance

My wife and I have recently taken to Fitbit, where we monitor our steps, calories burnt and now our weight.

If I were playing "buzzword bingo", I'd say we have taken the "quantified self" analysis seriously, as it brings "gamification" to the monitoring. Some would say that "gamification" would mean you'd take it less seriously, not more... and I'd say those people are not or have never been gamers!

We purchased the Fitbit Aria bathroom scales to measure weight and body fat, with ability to give an accurate BMW reading, if your height is stored correctly.

I realised that the IoT (Internet of Things) had entered our home, as I was connecting the scales to the home wireless network, and telling my wife to expect an email from the bathroom scales! The scales work by taking your weight, then connecting to the wireless network you configured it for, then it will upload that information to a website hosting your Fitbit portal, allowing that information to be displayed by a dashboard.

Although I'm pretty aware of security, it made me realise that I need to firewall the scales to only be able to communicate with the Fitbit website. It also made me realise how unprepared we are, whether domestically or commercially, for the Internet of Things. As the devices are more autonomous, where it decides when and what it will do, you realise traditional solutions don't work. I'd want the firewall solution to be aware of the device and restrict what it can do. So the scales will only take weight, and only sent weight information to my Fitbit profile, and if it were to do anything else, the firewall would stop it.

I have a more detailed IoT blog post planned, but in the mean time consider what your new toy can do on its own!

Monday, 15 September 2014

Lockheed Martin Cyber Kill Chain

When I first saw the the Cyber Kill Chain, it wasn't actually the Cyber Kill Chain. What I saw was the Websense 7 Stages of Advanced Threats.

The Lockheed Martin Cyber Kill Chain states there are seven stages of a cyber attack, and your organisation can be protected, if the chain is stopped at any of the stages. The higher up the chain it can be stopped, the better the protection to your network.

The stages are as follows:

Reconnaissance
Weaponise
Deliver
Exploit
Install
Command & Control
Act on Objectives

Websense 7 Stages of Advanced Threats

Websense have taken the phases above, and mapped them to the Websense 7 Stages of Advanced Threats.

Recon

Prior to a breach, some research (or recon) will need to be done. This research will include the company and its people. By way of checking yourself, a quick internet search of your organisation or you will bring up a lot of information. The use of LinkedIn helps pinpoint people to organisations, as well as organisations that work together. While Facebook and Twitter will help with hobbies and out of work activities.

Lure

If hobbies or working relationships are known, the lure containing information regarding hobbies or an organisation you work with will be of interest. The lures can use email and social media from seemingly trusted sources.

Redirect

Emails and social media can contain links, which then redirect the target, scan a system or prompt for software to be installed.

Exploit Kit

The links can be for compromised websites, where an exploit kit located there can scan the users computer for vulnerabilities. The exploit kit is effectively looking for a path into the computer.

Dropper File

The dropper file is the malware that is used to infect the users computer. The software when executed can immediate start gathering data, it can sit dormant for a period of time to mask it's true intentions, or may be used to deliver malware in the future.

Call Home

The malware can then call home, contacting a Command & Control server to receive instructions, or additional software and tools.

Data Theft

What as the point of all of this effort? To steal data!

Stopping the Attack

Not all attacks will contain will seven stages. Some attacks will only involve three of these stages, but it highlights the sooner in the chain the attack is prevented, the less damage that will be done to the network.

Working in a technical environment, I see a number of solutions that only focus on some of these stages, which is no good if the attack skips those steps. I have worked with the Websense solutions for over seven years, and see that their solutions can prevent attack at all levels (expect the "Recon", but no technical solution can prevent an attacker from carrying out an internet search on people or organisations!)

MTI is a Websense Platinum Partner in the UK, and can help secure your network against cyber attacks.

Compromise the security (looking back at the RSA breach)

I had an interesting conversation with family this weekend, where I was talking about securing iCloud using two-step verification. Someone mentioned that with personal data it's not really important, but from a work perspective (they use to work for a large US company based globally) that RSA tokens protected them.

Back in 2011, RSA was compromised and is pretty much well documented. As a summary, here's happened:

Targeted emails were sent to the HR team at RSA
Prior to the compromise only 11 emails were sent, but all of them were caught by the SPAM filtering solution
One of these emails were released to the HR team as it looked important
When the attachment was opened, it installed malware onto the computer exploiting a vulnerability in an Adobe product
With this access, the hackers were able to pivot onto other servers, eventually getting to the token database, allowing them to generate the "secret" code of a token with a specific serial number

This breach is said to have cost RSA $66 million, but beyond the actual costs, there reputation of RSA as a security vendor was brought into question. It seems that this wasn't the end goal of the hackers, but rather the start to something much more spectacular!

Lockheed Martin is supplies military and aerospace technology to a number of organisations, including the Pentagon. This in itself would make Lockheed Martin an obvious target for attackers, but as an organisation concerned about security, they used RSA tokens to protect their network.

It would seem that Lockheed Martin were potentially victim to a state-sponsored attack from the Chinese government. Knowing that the target organisation were protected with RSA tokens, make it difficult to compromise them. Much easier would be have access to the RSA tokens, or at least the codes it would generate.

I appreciate that it is speculation that the Chinese nation state were behind the attack, but I would suggest that you do an internet search for two images and play "spot the difference":

Lockheed Martin F-22
Chengdu J-20

After the breach, Lockheed Martin created the Cyber Kill Chain, which shows the various steps of a compromise to your network. Many security vendors have taken this methodology on board, and their solutions can be seen to help during certain stages of an attack. I'll blog about this in more detail soon.

Thursday, 4 September 2014

iCloud Compromise...

The mainstream news has covered the compromise of iCloud, which led to a number of private photographs being exposed to the public. The first assumption was that iCloud was hacked or compromised, but Apple denies this.

Accounts Compromised...

Rather than iCloud in its entirety being compromised, the compromise was to individual accounts. It is assumed that the celebrity accounts were compromised with a brute force attack, allowing multiple tries of various passwords to each account. This meant with the right software toolset which could be acquired cheaply, numerous passwords could be tried against each account.

Simple Passwords...

It would seem that celebrities are very much like the general public when it comes to passwords. There are commonly used passwords, the top 25 of 2013 can be found here. From that article you see the commonly used passwords are "123456" and "password"! With relatively simple passwords or common words, they can easily be compromised using a dictionary attack.

Security (?) Questions...

There are many ways to recover a password. It may be requested a new password which the site or application will ask you to subsequently change. There may be a need to telephone a call centre and provide details over the telephone to reset your password. The least secure in my opinion, is the ability to answer security questions that the user has the answer.

This would seem like a secure way of resetting a password, as how many people would know your mother's maiden name, where you were born, what your favourite football team is, etc? The internet and social media has been great in many respects, but it exposes a lot of information about an individual out into the wild. Once it's out there, there is no way to control, edit or delete it. Bear this in mind if you have to use to methodology for any website or application.

It would seem that this current compromise a is new thing, but something very similar happened over nine years ago when Paris Hilton's mobile phone was hacked in 2005. How was this done? The T-Mobile Sidekick device had an internet facing dashboard. If you forgot your password, you could answer some security questions including date of birth and your pet's name. All the security questions could be answered with an internet search engine.

Complex Passwords, hard to remember?

As the levels of security have to rise, so this can only make it more difficult to use the services or applications. There is always a balance between usability and complexity. We can encourage people to use a mixture of upper and lower case, special characters and numbers, but will only mean more password resets these complex passwords will be forgotten more easily.

Also common advice is not to use the same password over multiple applications and services. This only increases the users capacity to forget a password!

Phishing...

News has come to light this morning that rather than a brute force attack, it may have been a phishing attack. We are reminded to check the legitimacy of an email before acting on it, and if it seems fishy (excuse the pun) to ignore it or delete it. Some celebrities may have fallen for one of the simplest tricks.

The bad guy sends out emails that looks like an email from Apple. It tells the user that there is some sort of issue with the account that requires a password reset/change/confirmation. The user will enter their password which is stored by the bad guy. The user will be presented with either a failed message screen, a confirmation all is OK and if they were clever, even synchronise the password with Apple, so all seems right for the user.

Two Factor Authentication...

I have written a few blog posts in the past regarding passwords and multi-factor authentication, but it's relevant to re-cap it. It we look at the different types of information that can be used to log a user in, we can take different types of information in order to increase security. So one form this can take is information the user knows, such as username, password, PINs and patterns. Another form this information can take is information a piece of technology gives the user, such as a passcode from a token, a passcode from a device such as a smartphone or computer, or a passcode set via SMS to a known mobile telephone number. If the known information and the provided information are different types of information, or factors, it becomes clear where the term two factor authentication comes from.

Free protection...

I've mentioned it before, but service providers such as Apple's iCloud, GMail, eBay and Facebook give the option to switch on two-step verification, where if you try to login from a new device, a new browser or a different country, the user will be prompted to enter a code that is sent to the registered mobile phone number. The security is there and it's free!

Increase your security posture

Be aware of the security questions you choose to to use. Are the answers to your security questions available from the likes of Facebook and Twitter?

Be aware of emails asking for password changes. Double check with the service provider.

If you want to use more complex passwords, but are worried about remembering them all, use a password vault to store these passwords securely.

Although two factor authentication may add a slight delay to using the service, it gives a level of protection that will make it a lot more difficult to compromise your personal information, your data and in this case, your personal photos.

Monday, 1 September 2014

Are you wearing a security risk?

Quantified Self

The "quantified self" is incorporating technology to capture data on various aspects of a person's life. This could be food and water intake, blood pressure, glucose levels, steps, movement, sleep patterns and such like. As these wearable monitoring solutions become increasing popular, there needs to be an understanding as to how some of the more mainstream technology works.

Data Connectivity

Many of these wearable devices will collect data, and then synchronise to a computer or smart device using Bluetooth LE (low energy), sometimes known as Bluetooth 4.0. Data can be manually entered onto the computer or smart device. This data will then transferred to a cloud location giving a dashboard with history, via an internet connection whether that be cellular, wireless or cabled.

FitBit & Security?

I recently purchased a FitBit Flex, which is a wearable band which monitors my steps, movement and sleep patterns. So I wanted to look at this example and if there were any security risks I should be aware of.

Personal Information

First of all I needed to create an account on a web portal, which required either a login using Google or Facebook credentials or create a login with an email address. The portal uses SSL certificate, although there is no stipulation for a strong password.

Personal information can be stored, but it's not mandatory. There is the ability to store your name, postal address, gender, date of birth, country, height and weight. The dashboard can create API links to Facebook, Twitter and WordPress.

The dashboard shows the number of steps taken, distance covered, and then give a calculation of calories burnt.

Bluetooth Wearable

The wearable is charged up and ready to go what next? It will start to collect data and that data will need to be transferred to a smart device or computer. The wearable will use Bluetooth LE, as this will have a minimal battery drain on the smart device. The wearable synchronises with the computer or smart device using the software or app installed. Although the wearable device is visible as a Bluetooth device, I was unable to connect to it.

I'm not suggesting that it's not possible, as Bluetooth hacking tools are quite inexpensive, but it certainly wasn't possible with a simple connection.

Dashboard Access

As mentioned before, the dashboard runs as a secure website using an SSL certificate to protect it. The credentials to log into that dashboard are either social media or an email address with password. No complexity was required on the password, despite the personal information that could be stored.

If someone had access to my email or my social media accounts, then access to the dashboard would be relatively straightforward. On my laptop with my profile, when I access the main website, it takes me straight into the dashboard.

Data Synchronisation

The data sent to the portal seems to be protected and not being transferred in clear text. There may be some concerns with the connection method used to transfer this data, so the normal rules would apply. If there is an open wireless connection, or a connection using WEP to protect it, the data can be gathered during the transfer. Whether the data would be of any use is a different matter.

If web proxy solution is being used, which is able to decrypt the traffic to websites, then some information could be gathered by these systems, where the systems administrator will have access.

I'm not too familiar with cellular data transfer, so I am unable to comment on how secure this data transfer method would be.

Data Privacy?

Another concern is whether my data privacy is being respected. Will FitBit sell my data to highest bidder? Who will have access to my data? How is it stored? How is it protected?

Here is the privacy policy for UK users: https://www.fitbit.com/uk/privacy

Should I use my wearable?

As we have learnt from some very high profile breaches, no organisation or website is 100% secure. Be aware of what data you are putting on internet, but I will carry on using my FitBit Flex in the mean time.