Monday, 31 August 2015

Cloud services, Multi-factor authentication and the death of the security question

Mainstream news has covered many compromises of internet-facing services over the last five years.  These have included compromises of email systems, retailers, internet auction sites and, last year, Apple's iCloud service, which led to a number of private photographs being exposed to the public.  The first assumption was that iCloud itself had been hacked or compromised, which Apple denied.

Accounts Compromised

Rather than iCloud in its entirety being compromised, individual accounts were.  It is assumed that the celebrity accounts were compromised by a brute force attack, in which many candidate passwords are tried against each account.  With the right software toolset, which can be acquired cheaply, numerous passwords can be tried against each account in a short time, unless the service limits failed attempts.

Simple Passwords

Despite education from service providers and IT departments, the most commonly used passwords in a 2014 survey were "123456" and "password"!  Relatively simple passwords or common words can be recovered in a matter of seconds with a dictionary attack, which simply tries every entry in a list of likely passwords.

Security (?) Questions

There are many ways to recover a password.  The service may issue a new password, or ask for confirmation through an out-of-band channel such as the registered email address or an SMS to the registered mobile number.  It may require a call to a call centre, where details are given over the telephone before the password is reset.  The least secure is a set of security questions to which the user knows the answers.

It may seem like a secure way of resetting a password: how many people would know your mother's maiden name, where you were born or your favourite football team?  The internet and social media have been great in many respects, but they expose a lot of information about an individual.  Once it is out there, there is no way to control, edit or delete it.  Bear this in mind if you have to use this method for any website or application: treat the answers as secondary passwords, and where the service accepts free text, use an answer that cannot be looked up.

It may seem that this compromise is something new, but something very similar happened over ten years ago, when Paris Hilton's mobile phone account was hacked in 2005.  How was this done?  The T-Mobile Sidekick device had an internet-facing dashboard.  If you forgot your password, you could answer some security questions, including date of birth and pet's name.  All of the security questions could be answered with an internet search engine.

Even before then, hackers knew how to gather this sort of personal information.  Around 15 years ago there were chain emails on how to generate your "porn star name": you took your first pet's name and combined it with your mother's maiden name.  Information such as "Fido Jones" would have been very useful to an attacker!

Complex Passwords, hard to remember?

As the level of security rises, the services and applications become harder to use.  There is always a balance between usability and complexity.  We can encourage people to use a mixture of upper and lower case, special characters and numbers, but complex passwords are forgotten more easily, which only means more password resets.

Another common piece of advice is not to use the same password across multiple applications and services.  This only increases the number of passwords the user has to remember, and so the chance of forgetting one!

Phishing

Even with strong and complex passwords in place, the user can still be the victim of a phishing attack.  We are reminded to check the legitimacy of an email before acting on it, and if it seems fishy (excuse the pun) to ignore or delete it.  Many people have fallen for one of the simplest tricks because the email looks so legitimate.

The bad guy sends out emails that look like they come from the service provider.  The email tells the user that there is some sort of issue with the account that requires a password reset, change or confirmation, and links to a page that mimics the provider's login page.  The user enters their password, which is stored by the bad guy.  The user is then shown either a failure message or a confirmation that all is OK; a clever attacker will even relay the password to the real service provider, so that everything seems right to the user.

Multi Factor Authentication

There are various ways, or factors, of authenticating users.  One form is "something you know", where the user holds the information: a username, password, PIN or pattern.

Another form is "something you're given" (more commonly called "something you have"), where the information is provided to the user by a device they possess, such as a passcode from a hardware token, a passcode generated by an app on a smartphone or computer, or a passcode sent via SMS to a known mobile telephone number.  When the two pieces of evidence come from different factors, it becomes clear where the term two factor authentication comes from; two passwords, for example, are still only one factor.

Other factors include "something you are", through biometrics such as iris scans, fingerprint readers, voice recognition and other characteristics tied to the user's body.  There are also ways of analysing "somewhere you are" through geolocation, allowing or denying access based on the user's location.

A combination of two or more of these factors is Multi Factor Authentication (MFA).

Proof and compliance

With the factors of authentication described above, it is harder for a hacker to access the service or website, and also harder for a legitimate user to deny an action.  Many online banking systems use a combination of passwords, PINs, tokens, SMS and one-time codes to ensure transactions are genuine.  With multi factor authentication, steps within a compliance process can be tied to specific users, and those users cannot deny the actions.

Free protection

Service providers such as Apple's iCloud, Gmail, eBay and Facebook give the option to switch on two-step verification, where a login from a new device, a new browser or a different country prompts the user to enter a code sent to the registered mobile phone number.  The security is there and it's free.

The use of multi factor authentication is now commonplace and widely used by individuals for personal services such as email and banking.

Consumerisation

Recent technology adoption within corporate environments has been driven by domestic technology.  The rise of wireless, tablet and mobile computing in the workplace followed their use at home.

There is often a concern that the user community within an organisation struggles with new technology, but it is usually the enforcement of unfamiliar technology that causes users to disengage.

Multi factor authentication can only strengthen a network or website, and because the technology is already used at home, corporate use will meet less resistance from the user community.

Cloud Support

As more corporate applications move to the Internet, cloud security becomes the concern of every IT Manager, IT Director, CSO, CISO and, in fact, every member of an executive team.

As cloud-based applications such as Salesforce and Microsoft Office 365 become popular, it is essential to remember that these applications are the lifeblood of an organisation.  The need for security and multi factor authentication becomes more apparent when looking to protect these web-based applications.  Federation protocols such as SAML were designed with cloud applications in mind: the application trusts an assertion from the organisation's identity provider, which is where multi factor authentication is enforced, so a single MFA login can cover many cloud applications.

Impact to the business

A poorly designed or poorly implemented solution will hurt user adoption of any technology, but a familiar system will win acceptance and executive sponsors.  Security is high on the executive board's agenda, so the impact of a compromise or a disgruntled employee outweighs financial considerations such as return on investment.

Multi factor authentication is not new, but it is an obvious solution to many of the security challenges organisations face, whether the data and applications are on premise, in data centres, in public cloud, in private cloud or in a hybrid of these.  Security is no longer the concern only of technical sponsors, but of the Executive Board.

Familiar security solutions such as multi factor authentication can only improve the security posture of an organisation, protecting its data and its reputation.

Wednesday, 22 July 2015

Morality vs Criminality: Ashley Madison Hack

As you may have read in the press, the Ashley Madison website was hacked.   What's the big deal, you may think, it's another compromised website.  Ashley Madison, as it says on its website, "is the online personals & dating destination for casual encounters, married dating, discreet encounters and extramarital affairs", with the tagline "Life is short, have an affair".  It has 37 million users across over 50 countries, around 1.2 million of whom live in the UK.


What was lost?

The personal data lost includes names, postal addresses, credit card numbers and sexual fantasies.  Making it worse, the organisation charged a $19 fee to carry out a "full delete" of a user's account, which appears not to have removed the data.


Who did it?

The hackers claiming responsibility are the Impact Team, who state that the database was stolen in its entirety.  A recent article in The Guardian suggests that it was an insider threat: the compromise was carried out by someone who had access to the systems but was not an employee, highlighting the need for control over third party access.


Morality?

I've read a few comments saying that people should not be using these sorts of sites.  A crime has been committed in the theft of the database, yet we are judging the victim for the crime.  Who is to blame if your house is broken into, the criminal or the victim?


Advice

Be aware that there is no safe place on the internet.  The internet is effectively a public place to which the majority of people have access.  You are entrusting a third party to look after your data, so in this case a strong and unique password would not have helped the users.

The fault here lies with Ashley Madison.  Several security technologies could have prevented this from happening, or at least limited the damage:

  • A Privileged Account Security solution would have prevented the third party from retaining and reusing their access to the system once it was no longer needed, and some solutions would have recorded the sessions in which the compromise took place.
  • A database encryption solution, with the keys held outside the database, would have prevented the stolen data from being read; encryption that the compromised account could itself decrypt would not have helped.
  • A Data Loss Prevention (DLP) solution would have detected, and could have blocked, the data leaving the organisation.
  • A Security Analytics solution would have flagged the abnormal volume of database access and export.
I have mentioned the Cyber Kill Chain in the past; each of these controls intervenes at a different stage of the chain, and any one of them would have made the compromise, or the data leaving the organisation, far harder.

For me, this is not a case about morality, but we allow morality to cloud our thoughts and a criminal act to be downplayed because of it.  This is a crime, and worse, a crime that could have been prevented.  The right solutions, configured correctly and supported by policies and procedures, would have prevented this hack from happening.

Monday, 20 July 2015

Web Application Testing - Hacking with KALI Linux

Web Application Testing for beginners

I was asked to give a presentation on Web Application Testing, so as well as supporting information on why and what a test involves, I highlighted why OWASP is important and showed how easy a simple SQL injection attack is to carry out.

OWASP

Who or what are OWASP?  Wikipedia gives the definition: “The Open Web Application Security Project is an online community dedicated to web application security.  The OWASP community includes corporations, educational organizations and individuals from around the world”

OWASP gives guidance on the secure coding of web applications; following its guidelines helps ensure that web applications are developed securely and that security standards are upheld as part of the process.

KALI Linux

A common penetration testing platform is KALI Linux, which is available as an installable image or as a pre-built virtual machine.  It is a Linux distribution bundling a suite of testing tools, including tools to test web applications.

OWASP ZAP

One of the toolsets found in KALI Linux is OWASP ZAP, which tests websites for vulnerabilities.  It is a vulnerability assessment (VA) tool and intercepting proxy for web applications.


You enter the website you want to test against.  I have to say: ensure you have the permission of the owner of the website, although there are many deliberately vulnerable websites that can be tested against.

SQLMAP

One of the vulnerabilities that OWASP ZAP can test for is SQL injection.  Wikipedia defines SQL injection as: "SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker)".  The root cause is user input being concatenated into the text of a SQL statement, so the database cannot tell the developer's code from the attacker's data.
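To show what sqlmap is exploiting in the steps below, here is an added example (not code from the original post) of a vulnerable login and user search beside their parameterised fixes, run against an in-memory SQLite database.  The table, the credentials and the two payloads are constructed for the demo.

```python
# Added example (not from the original post): the injection that the sqlmap
# steps below automate, reproduced by hand against an in-memory SQLite
# database. The users table, credentials and payloads are constructed for
# the demo; the same pattern applies to MySQL, PostgreSQL or MS SQL.
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users with SHA-256 password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password_hash TEXT)")
    seed = [("alice", "correct horse battery"), ("admin", "S3cure!Pass")]
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [(u, hashlib.sha256(p.encode()).hexdigest()) for u, p in seed])
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Builds the statement by string concatenation: the database parser
    cannot tell the user's text from the developer's SQL, so a quote in the
    username ends the string literal and the rest is executed as SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password_hash = '" + pw_hash + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, username: str, password: str) -> bool:
    """Hardened form: placeholders pass the values to the driver separately
    from the statement text, so a quote is just a character in a string."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone() is not None


def search_vulnerable(conn, username: str) -> list:
    """A 'find user' feature with the same flaw, returning matching usernames.
    A UNION payload turns it into the dump that sqlmap's --dump produces."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn, username: str) -> list:
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


# Constructed payloads. "--" starts a SQL comment, discarding the rest of the
# developer's WHERE clause (including the password check).
BYPASS_PAYLOAD = "admin' --"
DUMP_PAYLOAD = "x' UNION SELECT username || ':' || password_hash FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("bypass, vulnerable login:", login_vulnerable(db, BYPASS_PAYLOAD, "anything"))
    print("bypass, parameterised login:", login_parameterised(db, BYPASS_PAYLOAD, "anything"))
    for row in search_vulnerable(db, DUMP_PAYLOAD):
        print("dumped:", row)
```

The UNION payload is the manual version of what sqlmap's --tables, --columns and --dump options do automatically: once one injectable parameter returns query results, the attacker can append any SELECT they like.  Note that hashing the password does nothing to stop the bypass; only the parameterised query does.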

Find Database

Once you have a site that is vulnerable to SQL injection, you can use the SQLMAP tool on KALI from a Terminal session.

To use SQLMAP to enumerate the databases behind a website, use the following command:

sqlmap -u <vulnerable site url> --dbs

This command will show whether there are any databases available on the site.


Find Tables

Once you have the database name, the next task is to see what tables are in that database, which can be done with the following command:

sqlmap -u <vulnerable site url> -D <database name> --tables

Once you have the tables, you’ll probably want to have a closer look at any interesting ones.


Find Columns

Once you find an interesting table, it is useful to see what columns it has, which can be done with the following command:

sqlmap -u <vulnerable site url> -D <database name> -T <table> --columns


Dump Data

Now that you have the column information, dump the data with the following command:

sqlmap -u <vulnerable site url> -D <database name> -T <table> --dump

Once the data has been dumped, you'll be asked whether you want to use external tools to analyse the data, whether to attempt a dictionary attack on any password hashes found using the default dictionary, and whether to ignore common suffixes.


Review Data

Copy and paste the data into Leafpad to view it.  Passwords will appear as hashes, and where they are common passwords found in the default dictionary they will also be displayed in clear text.
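Why does the dictionary attack recover those passwords so quickly?  The following added example (not code from the original post) reproduces the attack against a constructed dump in the shape sqlmap prints, and then against the same passwords stored with a per-user salt, counting the hash operations each needs.  Unsalted MD5 stands in for legacy hashing; the salted variant uses SHA-256 only to keep the demo dependency-free.

```python
# Added example (not from the original post): why the dictionary attack that
# sqlmap offers after a dump succeeds, and what salting changes. The dumped
# rows and the wordlist are constructed for the demo. Unsalted MD5 stands in
# for the legacy hashing still common in breached databases; the salted
# variant uses SHA-256 only to keep the demo dependency-free, and a real
# system should use a deliberately slow KDF such as bcrypt or PBKDF2.
import hashlib

WORDLIST = ["123456", "password", "qwerty", "letmein", "monkey"]

# Constructed dump in the shape sqlmap prints: unsalted MD5 of the password.
UNSALTED_DUMP = {
    "alice": hashlib.md5(b"password").hexdigest(),
    "bob": hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"Tr0ub4dor&3").hexdigest(),
}

# Same passwords stored as sha256(salt + password) with a per-user salt.
SALTED_DUMP = {
    "alice": ("a1f3", hashlib.sha256(b"a1f3" + b"password").hexdigest()),
    "bob": ("9c0e", hashlib.sha256(b"9c0e" + b"letmein").hexdigest()),
    "carol": ("77b2", hashlib.sha256(b"77b2" + b"Tr0ub4dor&3").hexdigest()),
}


def crack_unsalted(dump: dict, wordlist: list) -> tuple:
    """One hash per word cracks every user at once: build the lookup table
    once and index it by each stored hash. Returns (cracked, hash_ops)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump: dict, wordlist: list) -> tuple:
    """With a per-user salt the table cannot be shared: every user costs a
    fresh pass over the wordlist. Weak passwords still fall; the salt only
    multiplies the attacker's work by the number of accounts."""
    cracked, ops = {}, 0
    for user, (salt, stored) in dump.items():
        for word in wordlist:
            ops += 1
            if hashlib.sha256(salt.encode() + word.encode()).hexdigest() == stored:
                cracked[user] = word
                break
    return cracked, ops


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(UNSALTED_DUMP, WORDLIST))
    print("salted:  ", crack_salted(SALTED_DUMP, WORDLIST))
```

The lesson for the development team is twofold: salting stops one precomputed table from cracking every account, but only a slow, salted hash (bcrypt, scrypt or PBKDF2 with a high iteration count) makes even a modest wordlist expensive, and no hashing scheme saves a user whose password is "password".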


Conclusion


As you can see, with very little experience it is incredibly easy to check for vulnerabilities and use simple commands to perform some very powerful tests against a site.  The recommendation is to have any web application development team follow the OWASP Top 10 and to test your web applications regularly.  If you are commissioning an external organisation, ensure they are offering an SLA to deliver a secure application, so they have to pull out all the stops to ensure security is built in, rather than it being an additional expense to you and your organisation because it was not built into the contract.

Monday, 29 June 2015

Duqu 2.0

Introduction
On 9th June 2015, Kaspersky announced to the world that it had been the victim of a cyber attack that targeted its own corporate network.  If an organisation like Kaspersky can become the victim of an attack of this magnitude, any organisation can.  Data is the lifeblood of any organisation and the loss of critical data could mean the demise of that organisation.

Analysis
Kaspersky, a Moscow-based security company, disclosed details of the attack.  After discovering it, Kaspersky launched an extensive investigation, gathered the facts and shared the findings with the world.  The attack was dubbed Duqu 2.0 because of its similarity to Duqu, which was first spotted in 2011.  Both Duqu and Duqu 2.0 are attributed to nation-state sponsored attackers, in this case seeking intellectual property such as Kaspersky's research into advanced persistent threats (APTs).

Cyber Kill Chain
The comprehensive nature of the attack meant it was highly likely to succeed.   Lockheed Martin’s Cyber Kill Chain breaks a cyber attack down into seven steps: reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives.  Some attacks use only some of these steps, while others repeat them when attacking multiple systems on the way to the intended target.  The Duqu 2.0 attack not only followed the kill chain, but repeated stages to make the attack more covert.

Reconnaissance/Weaponisation/Delivery/Exploitation
It is believed that an employee in one of the APAC offices was targeted with a spear-phishing email, with a lure and redirect to a malicious dropper that exploited an unpatched zero day vulnerability.  The attackers were thorough, clearing the emails and browser history of all traces of the compromise.  Kaspersky confirmed the machine was fully patched, which leads to the assumption that a zero day was exploited.

Installation/Weaponisation/Delivery/Exploitation/Installation
Once on the network, the attacker escalated unprivileged credentials to Windows domain administrator using another zero day vulnerability.  The attacker was then able to move laterally, exploring the network and deciding which machines to compromise.  Microsoft Windows Installer packages (MSIs) were used to deploy Duqu 2.0 across the network.  The malware runs only in memory, which suits production servers that have high uptimes and are rarely power cycled; had a machine been power cycled, it would quickly have been re-infected from another compromised host.

Command and Control/Action on Objectives
Once the desired information was found, it was exfiltrated out of the network.  Kaspersky reported that only non-critical information was taken.

Prevention
By analysing the sequence of the attack, a number of mitigating controls can be identified that would help prevent Duqu 2.0 and similar attacks.  Many of these elements might have been caught in isolation, but preventing the attack as a whole needs a more integrated approach to security.  The end goal for the attacker is to steal data.

Spear-phishing
The entry point to the network was to target a specific individual or small group of people.  This highlights the need for user education at every level and in every department of an organisation.  In conjunction with education, an email security gateway with sandboxing may have prevented Duqu 2.0 from entering the network.

Web Access
An exploit kit would have been used to check the victim for unpatched and zero day vulnerabilities.  This was delivered through the web vector as a malicious link or a compromised site hosting a malicious file.  Its presence could have been detected with a web security gateway, ideally with a sandbox to observe what the file actually does when run.

Zero Day vulnerabilities
Patching operating systems, browsers, third party software and plug-ins is highly recommended, although this will not prevent zero day vulnerabilities from being exploited.  Removing non-essential software from a computer reduces the attack surface, and host-based firewalls and host intrusion prevention systems can help.

Administrative Credentials
The administrative credentials within the network were compromised, which allowed the lateral movement.  This is a shortcoming of static passwords that are used for a period before being cycled: they give a window of exposure if the password is compromised.  A privileged access management solution would cycle the administrative credentials after each use and record each session.  This gives greater security for the credentials and traceability of what each administrative session executed.

Lateral Movement
Many networks are segmented using VLANs, which offer limited security.  Micro-segmentation would protect servers or groups of servers with security controls that restrict East-West movement within the network.  Coupled with a security analytics engine, this would give context to abnormal traffic within the network.

Resident in memory
As Duqu 2.0 resides in memory, there are a number of mitigations that could have helped.  The simple act of rebooting a server clears the malware from memory, although this can be difficult to perform routinely on critical production servers, and on its own it does not stop re-infection from another compromised host.  Application whitelisting would have stopped the MSI from executing in the first place, simply by preventing an unknown application from running.

Data Exfiltration
A gateway data loss prevention solution would have seen the data leaving the network.  It is especially important that the solution can analyse data being drip-fed out, piecing together many small exfiltrations to gain visibility of the overall loss and give context to the data leaving.
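The "piecing together" is the part most perimeter tools miss, because each individual transfer looks harmless.  The following added example (not code from the original post, and not a description of any vendor's product) shows the detection logic: it reads outbound proxy or firewall records in an assumed key=value format, constructed here, keeps a sliding window of bytes per source and destination pair, and alerts when the window total crosses a threshold that no single transfer reaches.  The window and threshold are assumptions for the demo.

```python
# Added example (not from the original post): detection logic for the
# drip-fed exfiltration described above. It parses outbound proxy/firewall
# records (constructed here, in an assumed key=value format), keeps a sliding
# window of bytes sent per source/destination pair, and alerts when the total
# in the window crosses a threshold even though no single transfer would.
# The window and threshold are assumptions for the demo.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 10.1.2.3 trickles 90 KB every five minutes to one
# external host; 10.1.2.7 makes a single, larger but isolated upload; the
# final record from 10.1.2.3 falls outside the window and must not alert.
SAMPLE_LOG = """\
2015-06-09T09:00:00 src=10.1.2.3 dst=203.0.113.10 bytes_out=90000
2015-06-09T09:05:00 src=10.1.2.3 dst=203.0.113.10 bytes_out=90000
2015-06-09T09:06:00 src=10.1.2.7 dst=198.51.100.5 bytes_out=95000
2015-06-09T09:10:00 src=10.1.2.3 dst=203.0.113.10 bytes_out=90000
2015-06-09T09:15:00 src=10.1.2.3 dst=203.0.113.10 bytes_out=90000
2015-06-09T09:20:00 src=10.1.2.3 dst=203.0.113.10 bytes_out=90000
2015-06-09T09:25:00 src=10.1.2.3 dst=203.0.113.10 bytes_out=90000
2015-06-09T11:00:00 src=10.1.2.3 dst=203.0.113.10 bytes_out=90000
"""


def parse_line(line: str) -> tuple:
    """Returns (timestamp, src, dst, bytes_out) for one record."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return (datetime.fromisoformat(ts_text), kv["src"], kv["dst"],
            int(kv["bytes_out"]))


def detect_drip_exfil(log_text: str, window: timedelta = timedelta(hours=1),
                      threshold: int = 500_000) -> list:
    """Sliding-window sum of bytes per (src, dst). Records must be in time
    order. Returns one alert per record that pushes the window total over
    the threshold, as (src, dst, total_bytes, timestamp)."""
    history = defaultdict(deque)   # (src, dst) -> deque of (ts, bytes)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = parse_line(line)
        q = history[(src, dst)]
        q.append((ts, nbytes))
        # Drop records that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        total = sum(b for _, b in q)
        if total > threshold:
            alerts.append((src, dst, total, ts))
    return alerts


if __name__ == "__main__":
    for src, dst, total, ts in detect_drip_exfil(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}: {total} bytes in window")
```

In a real deployment the same aggregation would also be keyed by user and by destination domain rather than only by IP, since an attacker can rotate drop sites, and the threshold would be set per host role from a baseline rather than a fixed number.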

The Future
The Duqu 2.0 attack follows the seven stage cyber kill chain.  Stopping the attack at any one of those steps would ultimately have prevented data loss.  Kaspersky caught the attack before critical data was lost.  As attacks such as these are published, they raise the profile for both vendors and attackers.  These techniques could still be used against any organisation, with the ultimate goal of stealing data.

To prevent these attacks, security vendors will need to take a more holistic view of security, working with other vendors that specialise in the areas they don’t.  We see this collaborative working in technical partnerships between vendors and in OEM agreements for the supply of point solutions.  Alternatively, security vendors need to take a more comprehensive approach, tackling all the stages of the kill chain with integrated solutions.

The solutions need to become less reactive to the known and more proactive to the unknown.  There needs to be more focus on how security solutions deal with anomalies, where prevention and remediation are far more important than notification.  With a security staff shortage and the gap growing year on year, vendors have to supply security intelligence in their solutions.  The future for these solutions is not to supply data logs and notifications, but to provide context and proactive remediation through intelligent analytics.

In the short term, ensure endpoint security solutions are running the latest versions with the latest updates, and that the recommended features are enabled.  There needs to be a focus on running supported operating systems with the latest patches, and on ensuring that third party software and plug-ins are updated as well.  Any web and email security solutions need to be updated and their security policies regularly reviewed.  The final piece is user education, which should be an ongoing process where the learning is engaging, flexible and relevant.

As these attacks become more mainstream, where vertical and size no longer matter, look to future solutions that are able to tackle all stages of the kill chain, providing intelligence and context, and ultimately prevent the organisation’s data from entering the wrong hands.

Wednesday, 25 March 2015

Twelve Years....

Twelve years in technology

12 years doesn't seem like a long time, but in technology terms it's a very long time.

The Nokia 6310 was released in 2001 and its successor, the Nokia 6310i, was released 12 years ago.  iTunes is 12 years old, although the iPod has been around a little longer.  The iPhone has been with us for eight years and the iPad for five.  So it doesn't sound like just an Apple-fest: BlackBerrys were in their hard-case holsters, and Android was formed as a company in 2003.

Why is this relevant?  It’s not really; it’s just to put into perspective where technology was 12 years ago, when Windows Server 2003 was released.

Windows 2003

Windows Server 2003 was released on 24th April 2003, but as of 14th July 2015 it will no longer receive support from Microsoft.  There is also an IDC whitepaper covering why it’s important to upgrade.

What does no support mean?

When Windows 2003 no longer receives support there will be a number of impacts:

  • No patches, updates or fixes - Whether a vulnerability or issue is security related or not, Microsoft is not obliged to patch it or fix it in any fashion.
  • No support from Microsoft - Fairly simple, you'd think, but any issues encountered can no longer be raised or escalated to Microsoft.
  • Application support challenges - If Microsoft no longer supports the operating system, why would application vendors?  New versions of applications will only be supported on newer operating systems.
  • Compliance issues - There could be issues meeting compliance in healthcare or with PCI DSS if an unsupported operating system is in scope.

Upgrade

The obvious answer is to upgrade, but if bespoke applications depend on a specific version of the operating system, or on supporting applications such as a database at a specific version, upgrading is certainly not straightforward.

Protect

If you can't upgrade, or are unable to upgrade before 14th July 2015, there is another option.  Trend Micro has a solution called Deep Security, which can protect physical, virtual and cloud-based servers.  Deep Security offers a number of features including anti-malware, intrusion prevention, host firewall, integrity monitoring, log inspection, application scanning and, interestingly, virtual patching.

Virtual Patching

Virtual patching, or vulnerability shielding, uses Trend Micro's knowledge of the vulnerabilities to create a protective layer around the Windows 2003 server, blocking the network traffic that would exploit those vulnerabilities before it reaches the unpatched code.  It buys time; it does not remove the vulnerability from the server itself.

Trend Micro Deep Security

Before being forced into a quick migration of your existing Windows 2003 servers, it would be worth considering whether Trend Micro Deep Security could be a way of keeping your existing environment secure for longer.