The Security Blogger

June 17, 2013

Post NAC: Cisco Identity Services Engine (ISE) and Lancope StealthWatch for Total Access Control

Controlling who and what access your network is a critical element to keep your resources safe from malicious threats. Network Admission Control (NAC) solutions like the Cisco Identity Services Engine (ISE) can police who and what is permitted network access as well as enforce policy for those devices. Examples would be permitting an administrator with a government furnished Windows 7 laptop access to VLAN 10, which holds internal servers, while provisioning a marketing professional’s iPad with VLAN 20 access, which is limited to Internet and email through the use of ACLs.

But what happens once a device is granted network access? Access control solutions are pretty much out of the picture, aside from limited profile monitoring for identifying changes in device types. (Examples of this limited functionality include figuring out that an “Apple Device” is really an “iPad” based on DHCP and other traffic seen while the user is browsing the network, or blocking a user who attempts to spoof a printer’s MAC address to gain network access.)

Example ISE policy for profiled Apple iPad or iPhone and User “Joey” to get Apple_Mobile Access

Beyond this is where the handoff to an internal monitoring solution such as Lancope’s StealthWatch System should come into play. An internal monitoring solution can handle security where the access control solution leaves off. These solutions monitor all devices on the network for performance and suspicious behavior, regardless of whether or not they were approved by NAC. Examples of devices that NAC solutions may miss are virtual systems inside the data center, network sharing such as turning an iPhone into a wireless hub, Linksys routers using NATing to hide unauthorized access, or devices accessing a part of the network without access control.

An important function of a post access control solution is identifying devices compromised while on the network, since most access control solutions only verify policy for patch updates and other installed security applications (e.g. antivirus). Being compromised while on the network can happen when users surf the Internet, plug in a USB drive hosting malware, open an infected email, etc. In most cases, the threats that compromise internal users are not common viruses, meaning there isn’t a known signature that can be used by antivirus or firewall technologies to flag the attack. A post access control technology that leverages behavior as the means to identify threats can catch not only insider threats posed by authorized users, but also stealthy, externally-launched threats that bypass the security measures typically enforced by a NAC policy.

The integration of Cisco ISE for access control and Lancope’s StealthWatch for internal network monitoring saves customers money by leveraging NetFlow data already inherent in routers, switches and other network infrastructure devices to essentially turn the entire network into a giant sensor grid for detecting anomalous activity. Both Cisco and Lancope use industry standards leveraged by most vendor equipment (Cisco ISE using 802.1x and Lancope using NetFlow). Both companies also offer physical and virtual versions of all solution components, and both can be architected in a centralized or distributed design.

Here are the beneficial actions that can be taken by combining access control and internal monitoring:

Enforce policy on devices accessing the network.
Identify unauthorized devices not seen by NAC.
Monitor devices for threats and performance during their entire lifecycle on network.
Know who and what is on the network as well as what they are doing.
Automatically provision network access for trusted users and guests.
Identify threats on the internal network including malware, botnets and data loss.
Limit access for remediation of an identified threat.
Document a threat’s entire presence on the network for information assurance.

And here are the steps for setting up Cisco ISE and StealthWatch within a network:

Configuring On-Boarding via BYOD in ISE HERE
Setting up a Lancope StealthWatch small lab HERE

Click here for more information on how Cisco and Lancope work together to defend governments and enterprises against advanced threats.

Rating: 0.0/5 (0 votes cast)

1 Comment

Filed under Bring Your Own Device BYOD, Network Admission Control

Tagged as Access Control, advanced persistent threat, ATP, botnets, Cisco, Cisco NAC, cisco security, Clean Access, Compliance, Enforce Network Policy, Home, Identity Services Engine, insider threat, iPad, iPhone, ISE, ISE Integration, ISE Lancope, ISE1.0, ISE1.1, Joey, Joey Muniz, joseph, joseph muniz, LanCope, Lancope Integration, malware, Muniz, NAC, NAC appliance, NAC Integration, NAC Lancope, netflow, network access control, network security, Post Access Control, Security, Stealth Watch, StealthWatch, StealthWatch Collector, StealthWatch lab, StealthWatch Manager, Total Access Control, www.lancope.com

June 9, 2013

Breaking WPA2-PSK with Kali Linux : wireless.

Great post by Aamir Lakhani on breaking WPA2_PSK. The original can be found HERE

WPA2-PSK may not be as safe as you think. There are a few attacks against WAP2-PSK. One of the most common attacks is against WPA2 is exploiting a weak passphrase.

Below you will find a few easy steps on how to break WPA2 with a weak passphrase.

Breaking the wireless Lab Home Network:

I set up a test network for this blog article. The client box is logging into my wireless Lab test network. This is the network we will break.

Step 1:

The first step is to verify the router configuration. Normally in a real penetration test we would not have this option, but since this is a home lab I have a little more flexibility.

In this case the lab access point is securing the wireless network Wireless Lab with WPA2-PSK. It using the passphrase Cisco123. You can use any wireless router to setup your wireless lab.

Step 2:

We will be using Kali Linux to complete this task. Kali will need a wireless card configured before it can be used by the operating system. I am using the Alfa AWUS051NH adapter. Almost any Alfa wireless adapter will work. I am a big fan of the AWUS051NH adapter because it a duel band adapter. However, this card is very difficult to obtain since it is no longer sold.

The iwconfig command will show any wireless cards in the system. I am using a RealTek wireless card. Linux ships with the RealTek drivers, making it a Linux plug and play wireless card.

The operating system recognizes a wireless interface named wlan0.

Step 3:

My next step will be to enable the wireless interface. This is accomplished issuing the ifconfig wlan0 up command.

Step 4:

I need to understand what wireless networks my wireless card sees. I issue the iwlist wlan0 scanning command.

This command forces the wireless card to scan and report on all wireless networks in the vicinity.

You can see from this example it found my target network: Wireless Lab. It also found the MAC address of my access point: 0E:18:1A:36:D6:22. This is important to note because I want to limit my attack to this specific access point (to ensure we are not attacking or breaking anyone else’s password).

Secondly, we see the AP is transmitting on channel 36.This is important because it allows us to be specific on what wireless channel we will want our wireless card to monitor and capture traffic from.

Step 5:

The next step is to change the wireless card to monitoring mode. This will allow the wireless card to examine all the packets in the air.

We do this by creating a monitor interface using airmon-ng. Issue the airmon-ng command to verify airmon-ng sees your wireless card. From that point create the monitor interface by issuing the command: airmon-ng start wlan0

Next, run the ifconfig command to verify the monitor interface is created. We can see mon0 is created.

Now verify the interface mon0 has been created.

Step 6:

Use airodump-ng to capture the WPA2 handshake. The attacker will have to catch someone in the act of authenticating to get a valid capture. Airodump-ng will display a valid handshake when it captures it. It will display the handshake confirmation in the upper right hand corner of the screen.

Note: We will manually connect to the wireless network to force a handshake. In a future post I will show you how to force a reauthorization to make a device automatically disconnect and reconnect without any manual intervention.

We used the following command: airodump-ng mon0 – -bssid 20:aa:4b:1f:b0:10 (to capture packets from our AP) – -channel 6 (to limit channel hopping) – -write BreakingWPA2 (the name of the file we will save to)

airodump-ng mon0 – -bssid 0E:18:1A:36:D6:22 - -channel 36 – -write BreakingWPA2

(make sure there is no space between “- -”)

To capture the handshake you are dependent on monitoring a legitimate client authenticate to the network. However, it does not mean you have to wait for a client to legitimately authenticate. You can force a client to re-authenticate (which will happen automatically with most clients when you force a deauthorization).

When you see the WPA Handshake Command you know you have captured an valid handshake

example:

Step 7:

We will use aircrack-ng with the dictionary file to crack the password. Your chances of breaking the password are dependent on the password file.

The command on is: aircrack-ng “name of cap file you created” -w “name of your dictionary file”

The BreakingWPA2-01.cap file was created when we ran the airodump-ng command. The valid WPA2 handshake airodump captured is stored in the BreakingWPA2-01.cap file.

Backtrack 5 ships with a basic dictionary. The dictionary file darkc0de.lst is a popular worldlist that ships with BackTrack5. We added our password Cisco123 in this file to make the test run a little smoother

Many attackers use large dictionaries that increase their chances of cracking a passwords. Many dictionaries contain passwords from real users and websites that have been cracked and posted on the Internet. Some sophisticated dictionaries combine multiple languages, permutations of each word, and key words and phrases from social media sites such as Twitter and Facebook.

Kali does not come with the darkc0de.lst but you can download it from here

In this blog we created a file named “sample.lst” and added the word Cisco123 in it.

Success:

If the password is found in the dictionary file then Aircrack-ng will crack it.

Rating: 5.0/5 (1 vote cast)

Leave a Comment

Filed under General Security

Tagged as 802.1x, aircrack breaking wireless, Aircrack-ng, AWUS051NH, breaking wireless with Kali, Breaking WPA2, Compliance, cracking wireless, cracking WPA2, hacking wireless, hacking wireless networks, Joey, Joey Muniz, joseph, joseph muniz, kali, Kali Linux, LanCope, Muniz, Security, Stealth Watch, wireless lab, wireless security, wpa2, WPA2 with weak passphrase, WPA2-PSK

June 1, 2013

Are Mermaids, Aliens and Vampires Real? Researching Bogus Stories

There are documentaries popping up that showcase outrageous claims such as the government hiding captured mermaids or encounters with aliens. I’ve heard friends and coworkers talk about such things around the water cooler believing the stories are real based on fake videos and actors posing as specialists. Movies like The Blair Witch Project and The Forth Kind present fictional stories as documentaries, however most people figured out they are not real based on being available at major movie theaters. Some documentaries have been seen on TV networks displaying “A Speculative Documentary”, which doesn’t clearly translate to fictional footage.

A recent example of a fake documentary is MERMAIDS: THE NEW EVIDENCE claiming Mermaids are real. The documentary has been seen on the Discovery Channel and Animal Planet side by side with real documentaries making it seem creditable. The documentary includes camera footage of a Mermaid found on a beach as well as research by various specialists. The film claims mermaids are hiding in deep ocean waters to avoid military sonar that causes brain hemorrhaging in some aquatic life. At first glance, the concept seems plausible to some people.

I decided to show research used to qualify documentaries such as this. Here are some steps to prove Mermaids: The New Evidence is fake.

Step 1: General Research

Google is your friend. In many cases, you will find general conversations about a subject that may lead to evidence of the truth. A Google search on the mermaid film shows a number of people pointing out how the film is not real. WIKI had the passaged above confirming the film is fake. This research exercise pretty much sealed the deal (and took less than a minute) however I continued gathering evidence in the event the general public as well as WIKI is wrong (which sometimes happens).

Step 2: Look At The Website

There is a website associated with the documentary “believeinmermaids.com” that displays The Department of Justice has seized all evidence of mermaids presented in the film. Why would DOJ violate the freedom of speech in this manner is beyond me however lets investigate this website.

The first thing to check is the website history using WayBack Machine found at http://archive.org/web/web.php. WayBack Machines shows the entire lifespan of a website and changes to the website. This website was created in 2012, which happens to be around when documentary was filmed. If you select April 1^st to show the first version of the website, it shows the DOJ warning has been the only things displayed since day 1.

The next question is who owns the website? By looking at the WHOIS information at http://whois.net/, I can see believeinmermaids.com is owned by Discovery Communications, LLC. Ok, so the Discovery Channel created the believeinmermaids footage the week of the filming. Pretty obvious it was created to drive attendance to the film rather than be a real website featuring controversial evidence.

Step 3: Research People

The mermaids documentary featured lots of evidence from a few scientist including Dr. Paul Robinson. Usually a marine biologist seen on TV would have lots of published creditable information however searching “Dr. Paul Robinson marine biologist” drummed up the actors real name Andre Weideman. Searching Andre Weideman confirmed his role in the fake mermaid documentary.

Hopefully this post educates people on how to qualify concepts prior to believing anything told by public networks. Similar research tactics should be used when considering questionable specialists such as physic mediums or historical events that seem to be fishy. Knowing is half the battle.

Rating: 5.0/5 (2 votes cast)

Leave a Comment

Filed under General Security

Tagged as Andre Weideman, Andre Weideman mermaids, Animal Planet, Discovery Channel, discovery channel mermaids, Dr. Paul Robinson, Dr. Paul Robinson fake, fake documentary, fake mermaids documentary, Home, Joey, Joey Muniz, joseph, joseph muniz, LanCope, MERMAIDS: THE NEW EVIDENCE, Muniz, network security, researching fake documentaries, Security, security research, Speculative Documentary

May 27, 2013

Kali Linux – The next generation for BackTrack

Written by Aamir Lakhani, www.DrChaos.com and Joey Muniz www.thesecurityblogger.com. Article is cross posted.

BackTrack is a digital forensics and penetration testing arsenal used by many security professionals and malicious hackers. The last release of BackTrack was 5r3 and many expected a new release sometime in 2013. The creators of BackTrack decided to start from the ground up building a full-fledged operating system and release a next generation penetration distribution rather than updating the existing live CD release. The creators note “Kali Linux is a more mature, secure and enterprise-ready version of BackTrack Linux”.

Lifeline of BackTrack ending with Kali 1.0

Kali Linux has many advantages over Backtrack. Kali comes with more updated tools. The tools and streamlined with Debian repositories and synchronized four times a day. That means users have the latest package updates and security fixes. The new compliant file systems translate into running most tools from anywhere on the system. Kali has also made customization, unattended installation, and flexible desktop environments and strong feature in Kali Linux.

Kali Linux offers a number of customized tools designed for penetration testing. Tools are categorized in the following groups as seen in dropdown menu shown below.

Main Tool Categories in Kali Linux

Most of the useful tools from BackTrack made it into Kali with updated versions as well as some new stuff. For example, Vega and Proxy Strike are updated, while tools like Grendel-scan were removed. One interesting catalog is the separate Top 10 Security tools listing.

Top 10 Security Tools in Kali Catalog

Kali Linux does have some limitations to its predecessor BackTrack. Some tools do not operate correctly in the new environment or require customization to gain stability. Some of these limitations will probably be fixed in updates. Within a few minutes of using Kali, we realized that darkc0de.lst dictionary file wasn’t loaded with Kali, or get SET needed some reconfiguration for updates to work. Most of these gotchas are well documented and a simple Google search will get you to the right place.

Sticking with the last release of BackTrack 5 RC3 has some advantages such as having more streamlined installation options on various operating systems. One huge limitation for Kali is support in a large VMware ESXI server environment due to VMTools not running on the 64-bit version of Kali. There is a workaround using 32-bit images with VM Tools preinstalled that is downloadable from the Kali website. If you want to install VMware Tools natively on the Kali Linux ISO (including 64-bit versions of the ISO) than check out our HowTo Install VMware Tools On Kali Linux.

BackTrack also has much more content available online as a veteran to Kali’s 1.0 release.

So far I like the new platform and have been using it for multiple projects. I haven’t had issues running Kali on a MacBook Pro as a VMware fusion server as well as MACMINI hosting ESXI 5.1 (note the MACMINI operates like a desktop therefor avoiding issues found with ESXI server farms.). I recommend checking out the new release at http://www.kali.org/.

Aamir Lakhani (www.DrChaos.Com) and Joey Muniz (www.thesecurityblogger.com) are co-writing a new book on Kali for Web Penetration Testing. Stay tuned for details!

Rating: 0.0/5 (0 votes cast)

Leave a Comment

Filed under General Security

Tagged as Aamir Lakhani, Access Control, backtrack, backtrack 5r3, backtrack 6, Compliance, Debian repositories, digital forensics, drchaos, Home, Joey, Joey Muniz, joseph, joseph muniz, kali, Kali Linux, LanCope, Muniz, network security, new backtrack, next generation Backtrack, penetration testing arsenal, Security, StealthWatch, VMTools, World Wide Technology, world wide technology inc., wwt

May 26, 2013

Installing VMware Tools on Kali Linux

Great find and post by Aamir Lakhani. Check out the original HERE

If you are using Kali Linux and trying to use it in a VM environment as a guest operating system on VMware, you may run into some issues. It is recommended that you install VM Tools for VMware on Kali Linux.

This guide will help you install VM Tools on any installation of Kali Linux (including 64-bit ISOs). It will also allow you to use Kali Linux in VMware ESXi environments.

The first thing you need to do on Kali Linux is prep the system for VM Tools. You do so by issuing the following commands:

Note: all commands are typed as one line in the terminal

echo cups enabled >> /usr/sbin/update-rc.d
echo vmware-tools enabled >> /usr/sbin/update-rc.d
apt-get install gcc make linux-headers-$(uname -r)

Note: This is typed as one line

ln -s /usr/src/linux-headers-$(uname -r)/include/generated/uapi/linux/version.h /usr/src/linux-headers-$(uname -r)/include/linux/

Now you are ready to mount the VM Tools CD. Simply go to the menu in VMWare and install VM Tools.

Now go back to Kali Linux and use the following commands:

mkdir /mnt/vmware
mount /dev/cdrom /mnt/vmware/
cp -rf /mnt/vmware/VMwareTools* /tmp/

Next, you will change to the /tmp directory and run the VM Tools installation script.

cd /tmp/
tar zxpf VMwareTools-*.tar.gz
cd vmware-tools-distrib/

Lastly type: “ ./vmware-tools-install.pl” to run the VM Tools installation script. Follow the onscreen instructions when you run the script.

What is Kali Linux and how is it different from Backrack? Check out our Kali Linux introduction on www.DrChaos.com

Rating: 0.0/5 (0 votes cast)

Leave a Comment

Filed under General Security

Tagged as Aamir Lakhani, backtrack, backtrack 5r3, drchaos, Home, Installing VMware with Kali, Joey, Joey Muniz, joseph, joseph muniz, kali, Kali Linux, Kali using VMware, LanCope, Muniz, network security, next generation Backtrack, Security, VMware tools

May 16, 2013

SSL Strip – Breaking Secure Websites

Aamir Lakhani wrote a overview of how to perform a ssl strip attack. The original post can be found HERE

SSLSTRIP LAB

Before beginning the lab, make sure you have Backtrack 5 R3 VM imported into VMWare Player/Workstation/Server/Fusion, or what ever Virtual machine environment you have chosen to utilize.

The following is an excerpt from the VMWare “Getting started with VMWare Player” VMWare Player 4.0 user guide.

Import an Open Virtualization Format Virtual Machine

You can import an Open Virtualization Format (OVF) virtual machine and run it in Player. Player converts the virtual machine from OVF format to VMware runtime (.vmx) format. You can import both .ovf and .ova files.

OVF is a platform-independent, efficient, extensible, and open packaging and distribution format for virtual machines. For example, you can import OVF virtual machines exported from VMware FusionTM into Player. You can import OVF 1.0 and later files only.

You can also use the standalone OVF Tool to convert an OVF virtual machine to VMware runtime format. The standalone version of the OVF Tool is installed in the Player installation directory under OVFTool. See the OVF Tool User Guide on the VMware Web site for information on using the OVF Tool.

Procedure

In Player, select File > Open a Virtual Machine.
Browse to the .ovf or .ova file and click Open.
Type a name for the virtual machine, type or browse to the directory for the virtual machine files, and click Import. Player performs OVF specification conformance and virtual hardware compliance checks. A status bar indicates the progress of the import process.
If the import fails, click Retry to try again, or click Cancel to cancel the import.

If you retry the import, Player relaxes the OVF specification conformance and virtual hardware compliance checks and you might not be able to use the virtual machine in Player.

After Player successfully imports the OVF virtual machine, the virtual machine appears in the virtual machine library.

Your Lab

In this Lab, we are using Virtual Machine based attack hosts. The Hosts are Linux based Backtrack 5 R3 (based on Ubuntu Linux). The reason for using backtrack is that all of the modules, and associated dependencies for this lab are preloaded with the distribution. The module dependencies for SSLStrip are (these are already loaded with Backtrack):

Python >= 2.5 (apt-get install python)
The python “twisted-web” module (apt-get install python-twisted-web)

Additionally to utilize SSLSTRIP you need (Again already in Backtrack):

Arpspoof or Ettercap (this lab we use Arpspoof, Ettercap has issues with wireless)
IPChains / IPtables
Netstat

Additionally when using backtrack or any Ubuntu distribution, it is a good idea to run APT to updates the existing packages. Backtrack has several custom distribution resources pre configured.

#Use this command to update: apt-get update && apt-get upgrade -y && apt-get dist-upgrade –y

Getting Started

Once your Backtrack virtual machine is installed and booted use the following credentials to log in:

Username: root
Password: toor

Start the desktop environment by issuing the startx command from the terminal session:

Note: It is not mandatory that you utilize a GUI desktop. But for the purposes of this lab it is recommended. Those not as familiar working in a Linux command shell will likely find it simpler to switch between the multiple terminal windows needed to perform the upcoming operations.

You should now see an environment similar to the following:

For the purposes of this LAB we will only be using a single interface, your virtual machine might be configured with multiple Ethernet interfaces. We will need to check if there are multiple (virtual) Ethernet interface enabled.

In the upper left hand corner of the desktop click on the Xterm link.

When see a terminal window open on the desktop you are ready to continue.

Use ifconfig to determine what interfaces are on the virtual machine.

Ifconfig | grep “eth”

This command will filter out all the miscellaneous and just show us the Ethernet interfaces, like below.

If we do indeed have more then one interface enabled issue the command ifdown with the interface name to disable it. If there is an interface named eth1 like shown above issue the command:

Ifdown eth1

The output should be like what is shown below.

Continue reading →

Rating: 5.0/5 (1 vote cast)

Leave a Comment

Filed under General Security

Tagged as Aamir Lakhani, Access Control, Arpspoof, backtrack, breaking https, breaking secure websites, cracking https, cracking secure websites, Ettercap, hacking, hacking secure websites, Home, IPChains, Joey, Joey Muniz, joseph, joseph muniz, kali, LanCope, Muniz, Netstat, SSL Strip, SSL Strip lab, sslstrip, sslstrip lab, Stealth Watch, vmware, World Wide Technology, world wide technology inc., wwt

May 12, 2013

How Hackers Crack Weak Passwords

People use weak password practices to secure critical information. Weak password practices include using the same password for multiple systems regardless of the value of the asset, dictionary words, short phases and keeping the same passwords for extended periods of time. For example, it’s common to find a password on a non-critical asset such as a PlayStation 3 be the same as a person’s bank account login.

The more information an attack knows about your password profile, the more likely they will crack your password. For example, a policy of “6-10 characters with one upper case letter and special character” actually helps an attacker reduce the target space meaning passwords are weaker with the policy. If an hacker captures a password for another system and notices a formula such as ‘<dictionary word>’ followed by ‘<3 numbers>’, it helps the attacker prepare a dictionary attack (utilities such as Crunch makes this easy). Any password shorter than 10 characters is an easy target to brute force attack based on today’s system process power.

Here are some tools that hackers can use to crack your passwords.

John the Ripper is an old school yet powerful password cracking utility. It has several types of engines that can crack different types of passwords including encryption and hashes. John can detect most hash types (about 90% accurate) and generate matching hash outputs to map back to auto generated passphrases Attackers like John the Ripper because it’s very customizable

John the Ripper cracked 3 passwords from a Linux shadow file.

Hashcat is a password cracking utility. Hashcat is multi-thread tool meaning it can handle multiple hashes and password lists during a single attack session. Hashcat offers many attack options such as brute-force, combinator, dictionary, hybrid, mask and rule-based attacks

Hashcat GUI

Ophcrack

Ophcrack is a Windows password cracker based on rainbow tables (Rainbow tables are pre-computed hash tables). Ophcrack can import hashes from a variety of formats including dumping directly from the SAM files of Microsoft Windows.

Ophcrack Cracking Hashes

Findmyhash

Findmyhash is a python script which uses a free online service to crack hashes. Findmyhash will analyze against multiple website Rainbow tables.

Findmyhash running a MD5 hash against multiple websites

Crunch

Crunch is a tool used to generate password lists. This can be extremely helpful if you are able to gather intelligence on how your target creates passwords. For example, if you capture two passwords and notice the target uses a phase followed by random digits, Crunch can be used to quickly generate a list of that phrase followed by all possible random digits. Perfect tool for defeating company password policies!

Creating a password list for the word “pass” followed by any two numbers

Crunch output. List of all combinations of “pass” and two numbers

Chntpw

An alternative to breaking a Windows password is completely bypassing it. Chntpw is a software utility that can reset or remove a Windows passwords. This gives a hacker with access to your Microsoft Windows SAMs file the ability to obtain Administration privileges.

Chntpw options. Option 1 clears the password.

There are many tools available to break weak passwords. Best practices is using a password longer than 10 characters (having a repeated character at the end even helps!), don’t use dictionary words, change your password periodically, don’t use the same passwords for secure and non secure sources and don’t use a computer that accesses sensitive data for personal use (IE same system for Facebook and configuring routers). I suggest using the first letter of each word of a long sentence so you can remember the password yet the output is random. Hope this helps. All tools shown are free and available on BackTrack / Kali.

Rating: 0.0/5 (0 votes cast)

Leave a Comment

Filed under General Security, Penetration / Hacking

Tagged as backtrack, Breaking Passwords, Chntpw, Compliance, cracking passwords, Crunch, Data Loss Prevention, DLP, findmyhash, hackers crack weak passwords, hashcat, Home, how to crack passwords, Joey, Joey Muniz, john the ripper, joseph, joseph muniz, kali, LanCope, Muniz, network security, Ophcrack, password cracking tools, password cracking utilities, password policy, password security, passwords, secure passwords, Security, stealing passwords, Stealth Watch, weak passwords

May 6, 2013

Verizon’s 2013 Data Breach Investigations Report

Verizon recently released their annual Data Breach Report (download HERE). This report is based on statics from 19 organizations and showcases 621 security breaches and 47,000 security incidents with the goal of educating the public of the current risks from cyber threats. All results are built from first-hand evidence collected during paid external forensic investigations and related intelligence operations conducted by Verizon from 2004 through 2012.

There are a lot of interesting findings that range from most common attacks to popular targets. According to the report, everybody is a target. The report states, “from pubs to public agencies, mom-and-ops to multi-nations, nobody was immune”. Some attacks had as high as 95% success rates such as phishing meaning “most attackers would be able to slap a “guaranteed” sticker on getting a click”. They even call out that most agencies should mentally be thinking they are already compromised.

To break things down, here are some highlights:

Who are the targets? – Everybody

Who is perpetrating breaches? The majority of attacks are outsiders (92%) however insider is on the rise (14%).

How do breaches occur? 76% was based on weak or stolen credentials followed by hacking (52%) and Malware (40%).

How sophisticated are the attacks? From a range of High to Very Low, the majority of first breaches were done leveraging Low level attacks. I like how they put it by saying “Would you fire a guided missile at an unlocked screen door”.

Who are the Criminals? Organized Crime made up the majority of external attacks (over 50%) while others fell around 20% or less.

The leader for espionage was China while Romania followed by the USA lead for financial crimes. Spyware (including keyloggers) is the common method for financial crimes while multiple forms of malware are typical for espionage.

Social Engineering took a dip the last two years but is now up according to 2012 (29%)

Installing Malware to compromised systems is still the most common vector to be breached.

ATM hacking was top of the list for physical crimes. I wonder if this was triggered by Barnaby Jack’s Blackhat.

2/3 of data compromised was data at rest meaning on an asset like a database or file server. 1/3 of the data was compromised when the data was being processed such as Ramp scrapers, skimmers and key loggers. No data was compromised while in transit (IE compromising a backbone router).

The Verizon report is another confirmation that cyber threats are very real and probably active insider your network. The reports calls out that the most common attacks are easy to execute and have very high success rates (such as phishing campaigns). Standard security products that leverage signatures will not catch many threats called out in this report. The best way to identify these threats is monitoring behavior inside the network and utilize a layered approach to building your security strategy.

Rating: 5.0/5 (1 vote cast)

Leave a Comment

Filed under General Security

Tagged as 000 security incidents, 2012 report, 2012 threat research, 2013 data breach, 2013 data breach report, 47, 621 security breaches, annual Data Breach Report, Compliance, investigations report, Joey, Joey Muniz, joseph, joseph muniz, LanCope, Muniz, network security, Security, security research, Stealth Watch, top threats, verizon, verizon report

April 26, 2013

5 Steps to Take Right After Suffering a Cyber Security Breach

Thanks to my guest writer Kyle Olson for this post. Kyle’s bio is below.

Security breaches on your website hosting servers and any other server based online assets are no laughing matter. Suffering one of these breaches can mean anything from the theft of data for fraud related purposes to the total destructive erasure of all your information just for the fun of it (Hackers aren’t exactly known for always being motivated by money)

Whatever the case may be, you as the hard working owner of a site you spent months or years building, can enjoy the fun position of watching everything you built come crashing into zero in less time than it takes you to have lunch. This is not something you want, and especially since it can be avoided through some fairly straightforward security procedures that would have saved you nicely.

Anyhow, what’s done is done, you’ve been hacked, and the only thing left to do is save what you can. Let’s cover how you can do that with 5 essential and effective steps.

1. Don’t Panic, Be Methodical

This is the first and most basic thing you need to do; calm down and proceed methodically. Yes, a hack is a severe thing that needs to be dealt with quickly, but running around like a headless chicken won’t solve anything. If you calmly assess the situation, go through the possibilities and the steps we’re about to cover, you’ll have a much better chance of successfully countering any damaging effects than if you work randomly or just freeze up, waiting for the situation to improve on its own.

2. Check in With Your Hosting Provider

Contact your Hosting provider as soon as you’ve noticed that your site is down, redirecting to suspicious third party sites, or showing unmistakable signs of serious malfunction. Do the same if you can’t access key parts of your back end admin such as servers, cpanel or CMS login. For one thing, your hosting provider has the tools and expertise to help you with resolving your hack or saving your data, and secondly, they can help you uncover vital information about the hack, such as how many people it’s affecting and how it might have occurred.

3. Make a Record of Everything and Save All Suspicious data

As soon as you start to notice something wrong with your servers or site, also start noting things down. Make a record of everything you saw, experienced and the times at which you saw it. Additionally, save copies of any malicious or suspicious code, files and processes. Even if you need to destroy them as part of your damage control, first save all such data on a remote medium such as USB. This saving also includes (when possible) making a mirror copy ISO of your entire drive or server.

Just as if you’re dealing with a police crime scene, creating a record of events and a chain of evidence will help you more clearly understand and possibly resolve your hack source.

4. Shut Your Site and FTP off then Start Backing Up Your Data

Back up everything in your servers and all associated files to a remote storage medium. Don’t worry if some of it is still contaminated with malicious code –you can later scan and clean it of everything abnormal—for now the key thing is to save as much of your site data as quickly as possible.

Before you start your backup process up, disconnect your site from all remote access. This may mean taking it offline and cutting off access to all FTP accounts. You can also later change all of your server/site access passwords in these FTP profiles and elsewhere.

5. Download Everything Again

Once you’ve performed a thorough backup of all your data, cut your site off from outside access, changed all your access passwords and stopped as much malicious activity as possible, you can now download fresh programs for any third party applications that were supporting your site on the server. These may include LAMP software (Linux, Apache, MySQL, PHP), plugins like Java, Flash and Adobe or a CMS bundle like WordPress.

Having downloaded the newest, cleanest copies of all these applications to your newly secured server, you can start re installing all your salvageable backed up data from the site before it was hacked.

When all else fails, you can always contact a company that will perform digital forensics tests to determine the cause of the incident.

About the author: Kyle Olson has written for the tech industry for over 10 years and has operated his own small business in the industry. When he’s not writing poignant articles, you can find him covering civil engineers in Boston or working on his forthcoming novel.

Rating: 0.0/5 (0 votes cast)

Leave a Comment

Filed under Internet Defense, Security Management & Analysis

Tagged as 5 steps, Compliance, cyber security, Cyber Security Breach, Data Loss, Digital Third Coast Internet Marketing, hacked website, hacking, hacking websites, Home, Joey, Joey Muniz, joseph, joseph muniz, Kyle, Kyle Olson, LanCope, Muniz, network security, Olson, post security breach, Security, service provider security, Stealth Watch, website breach, website security, www.digitalthirdcoast.net

April 15, 2013

Defining The Difference Between A Penetration Test, Vulnerability Assessment and Security Audit

The terms Penetration Test, Vulnerability Assessment and Security Audit are often blended together when requested by clients or offered by security service providers. All three terms have security aspects however are very different regarding what purpose they serve as well as the expected deliverable.

A Security Audit typically means evaluating a system or application’s risk level against a set of standards or baselines. Standards are mandatory rules while baselines are the minimal acceptable level of security. Standards and baselines achieve consistency in security implementations and can be specific to industries, technologies and processes.

Most requests for Security Audits are focused on passing an official audit (IE preparing for a corporate or government audit) or proving the baseline requirements are met for a mandatory set of regulations (HIPAA, PCI, etc.). In many cases, Security Audit services do not include any level of insurance or protection if an audit isn’t successful post services meaning services will only provide information that a client can use to become compliant.

IMPORTANT: In many cases, security audits give customers a false sense of security. Most standards and baselines have a long update process that is unable to keep up with the rapid changes in threats found in today’s cyber world. It is highly recommended to go beyond standards and baselines to raise the level of security to an acceptable level of protection for real world threats.

A Vulnerability Assessment is the process in which network devices, operating systems and application software are scanned in order to identify the presence of known and unknown vulnerabilities. A vulnerability is a gap, error or weakness in how a system is designed, used and protected. When a vulnerability is exploited, it can result in giving unauthorized access, escalation of privileges or denial-of-service to the asset.

Vulnerability Assessments typically stop once a vulnerability is found meaning services doesn’t include executing an attack against the vulnerability to verify if it’s legitimate. A Vulnerability Assessment deliverable provides potential risk associated with all vulnerabilities found with possible remediation steps. There are many tools that can be used to scan for vulnerabilities based on system type, operating system, ports open for communication and other means. Vulnerability Assessments are a valuable way to assess a network for potential security weakness to identify where to invest for future security.

A Penetration Test is attempting to attack vulnerabilities in a similar method of a real malicious attacker. Typically, penetration services are requested when a system or network has exhausted investments in security and seeking to verify if all avenues of security have been covered. The key difference between a Penetration Test and Vulnerability Assessment is a penetration test will act upon vulnerabilities found and verify if they are legit reducing the list of confirmed risk associated with a target.

IMPORTANT: One popular misconception is a Penetration Testing service enhances IT security since services have a higher cost associated than other security services. Penetration Testing does not make IT networks more secure since services evaluates existing security! A customer should not consider a penetration test if there is a belief the target is not completely secure.

Hopefully these definitions help define future security service requests.

Rating: 0.0/5 (0 votes cast)

1 Comment

Filed under General Security

Tagged as audit, baselines, Compliance, compliant, Defining Security, HIPAA, Joey, Joey Muniz, joseph, joseph muniz, LanCope, Muniz, network security, Network Security Services, pci, Pen Test, pen testing, Penetration Test, Penetration Testing, RFI, RFQ, Security, security audit, Security Definitions, Security Services, standards, Stealth Watch, StealthWatch, vulnerability, Vulnerability Assessment, wireless security

The Security Blogger

Post NAC: Cisco Identity Services Engine (ISE) and Lancope StealthWatch for Total Access Control

Breaking WPA2-PSK with Kali Linux : wireless.

Are Mermaids, Aliens and Vampires Real? Researching Bogus Stories

Kali Linux – The next generation for BackTrack

Installing VMware Tools on Kali Linux

SSL Strip – Breaking Secure Websites

How Hackers Crack Weak Passwords

Verizon’s 2013 Data Breach Investigations Report

5 Steps to Take Right After Suffering a Cyber Security Breach

Defining The Difference Between A Penetration Test, Vulnerability Assessment and Security Audit

Search

Topics

Cisco ISE Documentation

Subscribe

Blogroll