Tag Archives: Joey

May 16, 2013

SSL Strip – Breaking Secure Websites

Aamir Lakhani wrote a overview of how to perform a ssl strip attack. The original post can be found HERE

SSLSTRIP LAB

Before beginning the lab, make sure you have Backtrack 5 R3 VM imported into VMWare Player/Workstation/Server/Fusion, or what ever Virtual machine environment you have chosen to utilize.

The following is an excerpt from the VMWare “Getting started with VMWare Player” VMWare Player 4.0 user guide.

Import an Open Virtualization Format Virtual Machine

You can import an Open Virtualization Format (OVF) virtual machine and run it in Player. Player converts the virtual machine from OVF format to VMware runtime (.vmx) format. You can import both .ovf and .ova files.

OVF is a platform-independent, efficient, extensible, and open packaging and distribution format for virtual machines. For example, you can import OVF virtual machines exported from VMware FusionTM into Player. You can import OVF 1.0 and later files only.

You can also use the standalone OVF Tool to convert an OVF virtual machine to VMware runtime format. The standalone version of the OVF Tool is installed in the Player installation directory under OVFTool. See the OVF Tool User Guide on the VMware Web site for information on using the OVF Tool.

Procedure

In Player, select File > Open a Virtual Machine.
Browse to the .ovf or .ova file and click Open.
Type a name for the virtual machine, type or browse to the directory for the virtual machine files, and click Import. Player performs OVF specification conformance and virtual hardware compliance checks. A status bar indicates the progress of the import process.
If the import fails, click Retry to try again, or click Cancel to cancel the import.

If you retry the import, Player relaxes the OVF specification conformance and virtual hardware compliance checks and you might not be able to use the virtual machine in Player.

After Player successfully imports the OVF virtual machine, the virtual machine appears in the virtual machine library.

Your Lab

In this Lab, we are using Virtual Machine based attack hosts. The Hosts are Linux based Backtrack 5 R3 (based on Ubuntu Linux). The reason for using backtrack is that all of the modules, and associated dependencies for this lab are preloaded with the distribution. The module dependencies for SSLStrip are (these are already loaded with Backtrack):

Python >= 2.5 (apt-get install python)
The python “twisted-web” module (apt-get install python-twisted-web)

Additionally to utilize SSLSTRIP you need (Again already in Backtrack):

Arpspoof or Ettercap (this lab we use Arpspoof, Ettercap has issues with wireless)
IPChains / IPtables
Netstat

Additionally when using backtrack or any Ubuntu distribution, it is a good idea to run APT to updates the existing packages. Backtrack has several custom distribution resources pre configured.

#Use this command to update: apt-get update && apt-get upgrade -y && apt-get dist-upgrade –y

Getting Started

Once your Backtrack virtual machine is installed and booted use the following credentials to log in:

Username: root
Password: toor

Start the desktop environment by issuing the startx command from the terminal session:

Note: It is not mandatory that you utilize a GUI desktop. But for the purposes of this lab it is recommended. Those not as familiar working in a Linux command shell will likely find it simpler to switch between the multiple terminal windows needed to perform the upcoming operations.

You should now see an environment similar to the following:

For the purposes of this LAB we will only be using a single interface, your virtual machine might be configured with multiple Ethernet interfaces. We will need to check if there are multiple (virtual) Ethernet interface enabled.

In the upper left hand corner of the desktop click on the Xterm link.

When see a terminal window open on the desktop you are ready to continue.

Use ifconfig to determine what interfaces are on the virtual machine.

Ifconfig | grep “eth”

This command will filter out all the miscellaneous and just show us the Ethernet interfaces, like below.

If we do indeed have more then one interface enabled issue the command ifdown with the interface name to disable it. If there is an interface named eth1 like shown above issue the command:

Ifdown eth1

The output should be like what is shown below.

Continue reading →

Rating: 5.0/5 (1 vote cast)

Leave a Comment

Filed under General Security

Tagged as Aamir Lakhani, Access Control, Arpspoof, backtrack, breaking https, breaking secure websites, cracking https, cracking secure websites, Ettercap, hacking, hacking secure websites, Home, IPChains, Joey, Joey Muniz, joseph, joseph muniz, kali, LanCope, Muniz, Netstat, SSL Strip, SSL Strip lab, sslstrip, sslstrip lab, Stealth Watch, vmware, World Wide Technology, world wide technology inc., wwt

May 12, 2013

How Hackers Crack Weak Passwords

People use weak password practices to secure critical information. Weak password practices include using the same password for multiple systems regardless of the value of the asset, dictionary words, short phases and keeping the same passwords for extended periods of time. For example, it’s common to find a password on a non-critical asset such as a PlayStation 3 be the same as a person’s bank account login.

The more information an attack knows about your password profile, the more likely they will crack your password. For example, a policy of “6-10 characters with one upper case letter and special character” actually helps an attacker reduce the target space meaning passwords are weaker with the policy. If an hacker captures a password for another system and notices a formula such as ‘<dictionary word>’ followed by ‘<3 numbers>’, it helps the attacker prepare a dictionary attack (utilities such as Crunch makes this easy). Any password shorter than 10 characters is an easy target to brute force attack based on today’s system process power.

Here are some tools that hackers can use to crack your passwords.

John the Ripper is an old school yet powerful password cracking utility. It has several types of engines that can crack different types of passwords including encryption and hashes. John can detect most hash types (about 90% accurate) and generate matching hash outputs to map back to auto generated passphrases Attackers like John the Ripper because it’s very customizable

John the Ripper cracked 3 passwords from a Linux shadow file.

Hashcat is a password cracking utility. Hashcat is multi-thread tool meaning it can handle multiple hashes and password lists during a single attack session. Hashcat offers many attack options such as brute-force, combinator, dictionary, hybrid, mask and rule-based attacks

Hashcat GUI

Ophcrack

Ophcrack is a Windows password cracker based on rainbow tables (Rainbow tables are pre-computed hash tables). Ophcrack can import hashes from a variety of formats including dumping directly from the SAM files of Microsoft Windows.

Ophcrack Cracking Hashes

Findmyhash

Findmyhash is a python script which uses a free online service to crack hashes. Findmyhash will analyze against multiple website Rainbow tables.

Findmyhash running a MD5 hash against multiple websites

Crunch

Crunch is a tool used to generate password lists. This can be extremely helpful if you are able to gather intelligence on how your target creates passwords. For example, if you capture two passwords and notice the target uses a phase followed by random digits, Crunch can be used to quickly generate a list of that phrase followed by all possible random digits. Perfect tool for defeating company password policies!

Creating a password list for the word “pass” followed by any two numbers

Crunch output. List of all combinations of “pass” and two numbers

Chntpw

An alternative to breaking a Windows password is completely bypassing it. Chntpw is a software utility that can reset or remove a Windows passwords. This gives a hacker with access to your Microsoft Windows SAMs file the ability to obtain Administration privileges.

Chntpw options. Option 1 clears the password.

There are many tools available to break weak passwords. Best practices is using a password longer than 10 characters (having a repeated character at the end even helps!), don’t use dictionary words, change your password periodically, don’t use the same passwords for secure and non secure sources and don’t use a computer that accesses sensitive data for personal use (IE same system for Facebook and configuring routers). I suggest using the first letter of each word of a long sentence so you can remember the password yet the output is random. Hope this helps. All tools shown are free and available on BackTrack / Kali.

Rating: 0.0/5 (0 votes cast)

Leave a Comment

Filed under General Security, Penetration / Hacking

Tagged as backtrack, Breaking Passwords, Chntpw, Compliance, cracking passwords, Crunch, Data Loss Prevention, DLP, findmyhash, hackers crack weak passwords, hashcat, Home, how to crack passwords, Joey, Joey Muniz, john the ripper, joseph, joseph muniz, kali, LanCope, Muniz, network security, Ophcrack, password cracking tools, password cracking utilities, password policy, password security, passwords, secure passwords, Security, stealing passwords, Stealth Watch, weak passwords

May 6, 2013

Verizon’s 2013 Data Breach Investigations Report

Verizon recently released their annual Data Breach Report (download HERE). This report is based on statics from 19 organizations and showcases 621 security breaches and 47,000 security incidents with the goal of educating the public of the current risks from cyber threats. All results are built from first-hand evidence collected during paid external forensic investigations and related intelligence operations conducted by Verizon from 2004 through 2012.

There are a lot of interesting findings that range from most common attacks to popular targets. According to the report, everybody is a target. The report states, “from pubs to public agencies, mom-and-ops to multi-nations, nobody was immune”. Some attacks had as high as 95% success rates such as phishing meaning “most attackers would be able to slap a “guaranteed” sticker on getting a click”. They even call out that most agencies should mentally be thinking they are already compromised.

To break things down, here are some highlights:

Who are the targets? – Everybody

Who is perpetrating breaches? The majority of attacks are outsiders (92%) however insider is on the rise (14%).

How do breaches occur? 76% was based on weak or stolen credentials followed by hacking (52%) and Malware (40%).

How sophisticated are the attacks? From a range of High to Very Low, the majority of first breaches were done leveraging Low level attacks. I like how they put it by saying “Would you fire a guided missile at an unlocked screen door”.

Who are the Criminals? Organized Crime made up the majority of external attacks (over 50%) while others fell around 20% or less.

The leader for espionage was China while Romania followed by the USA lead for financial crimes. Spyware (including keyloggers) is the common method for financial crimes while multiple forms of malware are typical for espionage.

Social Engineering took a dip the last two years but is now up according to 2012 (29%)

Installing Malware to compromised systems is still the most common vector to be breached.

ATM hacking was top of the list for physical crimes. I wonder if this was triggered by Barnaby Jack’s Blackhat.

2/3 of data compromised was data at rest meaning on an asset like a database or file server. 1/3 of the data was compromised when the data was being processed such as Ramp scrapers, skimmers and key loggers. No data was compromised while in transit (IE compromising a backbone router).

The Verizon report is another confirmation that cyber threats are very real and probably active insider your network. The reports calls out that the most common attacks are easy to execute and have very high success rates (such as phishing campaigns). Standard security products that leverage signatures will not catch many threats called out in this report. The best way to identify these threats is monitoring behavior inside the network and utilize a layered approach to building your security strategy.

Rating: 0.0/5 (0 votes cast)

Leave a Comment

Filed under General Security

Tagged as 000 security incidents, 2012 report, 2012 threat research, 2013 data breach, 2013 data breach report, 47, 621 security breaches, annual Data Breach Report, Compliance, investigations report, Joey, Joey Muniz, joseph, joseph muniz, LanCope, Muniz, network security, Security, security research, Stealth Watch, top threats, verizon, verizon report

April 26, 2013

5 Steps to Take Right After Suffering a Cyber Security Breach

Thanks to my guest writer Kyle Olson for this post. Kyle’s bio is below.

Security breaches on your website hosting servers and any other server based online assets are no laughing matter. Suffering one of these breaches can mean anything from the theft of data for fraud related purposes to the total destructive erasure of all your information just for the fun of it (Hackers aren’t exactly known for always being motivated by money)

Whatever the case may be, you as the hard working owner of a site you spent months or years building, can enjoy the fun position of watching everything you built come crashing into zero in less time than it takes you to have lunch. This is not something you want, and especially since it can be avoided through some fairly straightforward security procedures that would have saved you nicely.

Anyhow, what’s done is done, you’ve been hacked, and the only thing left to do is save what you can. Let’s cover how you can do that with 5 essential and effective steps.

1. Don’t Panic, Be Methodical

This is the first and most basic thing you need to do; calm down and proceed methodically. Yes, a hack is a severe thing that needs to be dealt with quickly, but running around like a headless chicken won’t solve anything. If you calmly assess the situation, go through the possibilities and the steps we’re about to cover, you’ll have a much better chance of successfully countering any damaging effects than if you work randomly or just freeze up, waiting for the situation to improve on its own.

2. Check in With Your Hosting Provider

Contact your Hosting provider as soon as you’ve noticed that your site is down, redirecting to suspicious third party sites, or showing unmistakable signs of serious malfunction. Do the same if you can’t access key parts of your back end admin such as servers, cpanel or CMS login. For one thing, your hosting provider has the tools and expertise to help you with resolving your hack or saving your data, and secondly, they can help you uncover vital information about the hack, such as how many people it’s affecting and how it might have occurred.

3. Make a Record of Everything and Save All Suspicious data

As soon as you start to notice something wrong with your servers or site, also start noting things down. Make a record of everything you saw, experienced and the times at which you saw it. Additionally, save copies of any malicious or suspicious code, files and processes. Even if you need to destroy them as part of your damage control, first save all such data on a remote medium such as USB. This saving also includes (when possible) making a mirror copy ISO of your entire drive or server.

Just as if you’re dealing with a police crime scene, creating a record of events and a chain of evidence will help you more clearly understand and possibly resolve your hack source.

4. Shut Your Site and FTP off then Start Backing Up Your Data

Back up everything in your servers and all associated files to a remote storage medium. Don’t worry if some of it is still contaminated with malicious code –you can later scan and clean it of everything abnormal—for now the key thing is to save as much of your site data as quickly as possible.

Before you start your backup process up, disconnect your site from all remote access. This may mean taking it offline and cutting off access to all FTP accounts. You can also later change all of your server/site access passwords in these FTP profiles and elsewhere.

5. Download Everything Again

Once you’ve performed a thorough backup of all your data, cut your site off from outside access, changed all your access passwords and stopped as much malicious activity as possible, you can now download fresh programs for any third party applications that were supporting your site on the server. These may include LAMP software (Linux, Apache, MySQL, PHP), plugins like Java, Flash and Adobe or a CMS bundle like WordPress.

Having downloaded the newest, cleanest copies of all these applications to your newly secured server, you can start re installing all your salvageable backed up data from the site before it was hacked.

When all else fails, you can always contact a company that will perform digital forensics tests to determine the cause of the incident.

About the author: Kyle Olson has written for the tech industry for over 10 years and has operated his own small business in the industry. When he’s not writing poignant articles, you can find him covering civil engineers in Boston or working on his forthcoming novel.

Rating: 0.0/5 (0 votes cast)

Leave a Comment

Filed under Internet Defense, Security Management & Analysis

Tagged as 5 steps, Compliance, cyber security, Cyber Security Breach, Data Loss, Digital Third Coast Internet Marketing, hacked website, hacking, hacking websites, Home, Joey, Joey Muniz, joseph, joseph muniz, Kyle, Kyle Olson, LanCope, Muniz, network security, Olson, post security breach, Security, service provider security, Stealth Watch, website breach, website security, www.digitalthirdcoast.net

April 15, 2013

Defining The Difference Between A Penetration Test, Vulnerability Assessment and Security Audit

The terms Penetration Test, Vulnerability Assessment and Security Audit are often blended together when requested by clients or offered by security service providers. All three terms have security aspects however are very different regarding what purpose they serve as well as the expected deliverable.

A Security Audit typically means evaluating a system or application’s risk level against a set of standards or baselines. Standards are mandatory rules while baselines are the minimal acceptable level of security. Standards and baselines achieve consistency in security implementations and can be specific to industries, technologies and processes.

Most requests for Security Audits are focused on passing an official audit (IE preparing for a corporate or government audit) or proving the baseline requirements are met for a mandatory set of regulations (HIPAA, PCI, etc.). In many cases, Security Audit services do not include any level of insurance or protection if an audit isn’t successful post services meaning services will only provide information that a client can use to become compliant.

IMPORTANT: In many cases, security audits give customers a false sense of security. Most standards and baselines have a long update process that is unable to keep up with the rapid changes in threats found in today’s cyber world. It is highly recommended to go beyond standards and baselines to raise the level of security to an acceptable level of protection for real world threats.

A Vulnerability Assessment is the process in which network devices, operating systems and application software are scanned in order to identify the presence of known and unknown vulnerabilities. A vulnerability is a gap, error or weakness in how a system is designed, used and protected. When a vulnerability is exploited, it can result in giving unauthorized access, escalation of privileges or denial-of-service to the asset.

Vulnerability Assessments typically stop once a vulnerability is found meaning services doesn’t include executing an attack against the vulnerability to verify if it’s legitimate. A Vulnerability Assessment deliverable provides potential risk associated with all vulnerabilities found with possible remediation steps. There are many tools that can be used to scan for vulnerabilities based on system type, operating system, ports open for communication and other means. Vulnerability Assessments are a valuable way to assess a network for potential security weakness to identify where to invest for future security.

A Penetration Test is attempting to attack vulnerabilities in a similar method of a real malicious attacker. Typically, penetration services are requested when a system or network has exhausted investments in security and seeking to verify if all avenues of security have been covered. The key difference between a Penetration Test and Vulnerability Assessment is a penetration test will act upon vulnerabilities found and verify if they are legit reducing the list of confirmed risk associated with a target.

IMPORTANT: One popular misconception is a Penetration Testing service enhances IT security since services have a higher cost associated than other security services. Penetration Testing does not make IT networks more secure since services evaluates existing security! A customer should not consider a penetration test if there is a belief the target is not completely secure.

Hopefully these definitions help define future security service requests.

Rating: 0.0/5 (0 votes cast)

1 Comment

Filed under General Security

Tagged as audit, baselines, Compliance, compliant, Defining Security, HIPAA, Joey, Joey Muniz, joseph, joseph muniz, LanCope, Muniz, network security, Network Security Services, pci, Pen Test, pen testing, Penetration Test, Penetration Testing, RFI, RFQ, Security, security audit, Security Definitions, Security Services, standards, Stealth Watch, StealthWatch, vulnerability, Vulnerability Assessment, wireless security

March 27, 2013

Installing Lancope StealthWatch on a Mac mini for Small Lab

Lancope enables visibility for security and network performance. Security capabilities focus on identifying insider threats such as botnets, malware and data loss using non-signature network wide correlation of all traffic. Pretty much anything touching the physical or virtual network leaves a footprint known as NetFlow that is investigated for malicious intent and performance statics.

Lancope offers a virtual and physical appliance option for the StealthWatch technology making it easy to build a lab. This post will explain how to build a simple Lancope lab integrated with Cisco ISE 1.2 beta using an Apple Mac mini server hosting vSphere ESXI 5.1 with ASA 5505 firewall.

It’s important to understand components of Lancope.

StealthWatch Manager (SMC)– This is the centralized system that manages all other components. Administrators will access this system’s IP for GUI management.
StealthWatch Collector – This is what collects NetFlow. All devices generating NetFlow will send data to this device for correlation.
StealthWatch Sensor – This generates NetFlow on behalf of devices unable to send NetFlow. This also can view application layer data providing additional context.
StealthWatch Identity Box OR Cisco ISE – These identify users and devices based on authentication and profiling. IP addresses are linked to USER information.
StealthWatch Replicator – This replicates UDP management data such as Flow data, SNMP traps and syslog.
StealthWatch SLIC – This is a reputation feed that correlates external known threats with possible insider threats.

My lab is using virtualized appliances of all Lancope technology components. You can obtain Lancope .OVA files preloaded on Cisco 3850 switches, Lancope’s website or from a solution provider. The first step is loading the Lancope .OVAs into vSphere. All appliances will ask for basic IP, DNS and NTP information upon launching. The default login for everything is either admin or root and lan1cope or lan411cope. I had some problems with default logins and recommend accessing the administration of each Lancope appliance using command line, typing SystemConfig and resetting the passwords prior to logging into the GUI.

SystemConfig found in the appliance command line

Lancope SMC ESXI Properties

The Lancope SMC requires a minimum of 8 Gigs or memory and 2 CPUs. Step up is basic IP and accessing its GUI via https. Additional system configuration can be done by clicking Administer this server or the User GUI can be opened by clicking Start. One important first step in the GUI is adding the main inside network subnet to the Catch All.

Adding Inside Network To Lancope Catch All

Lancope Collector ESXI Properties

The Lancope Collector lists an 8 Gig memory requirement with 2 CPUs however ESXI 5.1 gave a resource error message upon launching. I reduced the Memory to 4 Gigs per CPU, which fixed that issue. Once the Lancope Collector is up, access its GUI via https. You must point it at the SMC under the configuration tab.

I enabled NetFlow on an ASA5505 firewall (running 8.2(2) or greater) and pointed it at the Lancope Collector for network visibility. My ASA 5505 is also powering my 1121 Access Point for wireless. To enable NetFlow in ASDM, click Configuration under Device Management, click NetFlow under Logging, changed template timeout to 1 min, delay of 15 seconds and checked Disable Redundant Syslog”. Select Inside, enter the collector’s IP and UDP port of 2055.

Creating Netflow Collector in ASA

Next create a firewall policy under Firewall and Server Policy Rules. Click Global, give it a name, select All Traffic, click the tab for NetFlow and select the IP you built under device management. NOTE: If you update device management, you must first delete its reference under the firewall policy to avoid errors.

Add Firewall Policy in ASA

To add visibility into my ESXI environment, I have loaded a Lancope virtual Sensor. The Lancope Sensor requires 1 Gig of memory and 1 CPU. Once the Sensor is up, you must point it at the Lancope Collector and add the ESXI server. Prior to doing that, you must create a read-only user account in ESXI. NOTE: ESXI has discontinued GROUPs. Click Local Users & Groups and create a new user by right clicking and ADD. Give the user a name and password. Next click Permissions right click your New User and Edit. Add a permission of Read-Only. Once the account is ready, login to the https of the Lancope Sensor. Click the Configuration tab and add the Lancope Collector. Next, go under Configuration and add your ESXI server. If the steps are performed correctly, the SMC should automatically detect the new Lancope Sensor and virtual environment.

Adding VMware to Lancope SMC

I have ISE 1.2 providing admission control for my LAN and wireless networks. ISE data can be imported into the Lancope SMC. This is done from the GUI by right clicking Identity Services in the Lancope SMC tree and clicking ADD. Fill out the ISE information using the admin login for ISE.

At this point, the Lancope SMC has NetFlow from an ASA firewall seeing LAN and wireless traffic, ISE authentication and NetFlow from inside a virtualized environment. I plan to add SLIC feed for reputation once I obtain a license. I now have full visibility of my home network.

Lancope SMC Device Tree

Rating: 0.0/5 (0 votes cast)

2 Comments

Filed under Security Management & Analysis

Tagged as asa, ASA 5505, ASA firewall, Cisco, Cisco NAC, Clean Access, Compliance, Data Loss Prevention, DLP, esxi, esxi 5.1, Home, Identity Services Engine, ISE, ISE 1.2, ISE1.0, Joey, Joey Muniz, joseph, joseph muniz, lan1cope, lan411cope, LanCope, Lancope lab, Mac mini, Mac mini esxi, mac mini lab, mobile, Muniz, NAC, netflow, netflow ninja, network access control, Security, SLIC, SMC, Stealth Watch, StealthWatch, StealthWatch Collector, StealthWatch lab, StealthWatch Manager, StealthWatch Replicator, StealthWatch Sensor, SystemConfig, vmware

March 18, 2013

Situational Awareness For Cyber Threat Defense

Aamir Lakhani did a great post on Situational Awareness. The original post ca be found HERE

Illustration by Kekai Kotaki

Problem

Cisco Systems in their Cyber Security Threat Defense white papers outlines how the network security threat landscape is evolving. They describe how modern attacks are stealthy and evade traditional security perimeter defenses.

Traditional monitoring and reporting tools are no longer sufficient in detecting true threats on the network. Modern security tools and hardware devices such as firewalls, anti-virus, patch management solutions, IPS, and other solutions can only provide a small amount of relief against attacks. Most of these tools seem to be really implemented to fulfill some sort of checkmark for an auditor on a compliance form. Security professional know these tools, although very important, alone don’t provide a full security defense architecture.

Furthermore, as security threats and malware invade systems, security administrators are having trouble understanding the nature of attacks, how they occur, and how to defend against them. Remember you can’t fight what you don’t understand.

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”

- Sun Tzu, The Art of War (source: http://en.wikiquote.org/wiki/Sun_Tzu)

Image Source: Cisco Identity Services Engine

Cisco Identity Services Engine provides true network identification, profiling, and access controls.

Combined as a center piece for Cisco’s TruseSec Solution, Cisco ISE creates a secure ecosystem treating security as a holistic solution.

Federal Cyber Initiatives

New mandates are making cyber security front and center of the news. President Obama recently challenged the nation and the Federal government in the United States to increase its cyber defense capabilities. As Federal IT budgets are getting slashed back in 2013; however, spending for cyber security appears to be increasing in the eyes of the casual on-looker.

Cisco Systems, in their Cyber Threat Defense White Paper discusses how “with increasingly sophisticated cyber attacks like WikiLeaks on the rise, federal agencies require more innovative solutions for maintaining a strong security posture. Additionally, with the evolution of the CNCI (Comprehensive National Cybersecurity Initiative), federal agencies are being required to take a more holistic and collaborative approach to analyzing threat information across the totality of government networks for improved incident response and forensic investigation.”

Being constantly bombarded with continuous threats, how can security professionals even guadge they are being attacked or a threat is posing a clear and present danger (yes that was a Harrison Ford shout out).

RSA NetWitness Logo

Image Source: RSA

How To Solve The Problem

I recommend creating a conceptional framework for Threat Defense Visibility and Awareness program. The goal of program should be to (1) provide a framework that can be built by using products, technologies, and methodologies that are available today, (2) provide network visibility on network health and status in real-time, (3) provide real-time network posture and attack risk baselines, (4) provide a training facility for attack analysis and defense.

What Is Network Visibility?

According to Lancope (source: http://www.lancope.com/), “network visibility focuses on the most complex and dangerous information security threats – threats that lurk in networks for months or years at a time stealing vital information and disrupting operations. This type of solution provides visibility into these threats and context to decipher their targets and potential damage”. Lancope further states on their website, security analysts gain visibility into advanced cyber threats such as:

Network reconnaissance
Network interior malware proliferation
Command and control traffic
Data ex-filtration

Lancope Stealwatch provides network visibility

Understanding trends, anomalies, and threats of the network

Image Source: Lancope

Network visibility gives security administrators the ability to detect problems because they highlight changes in baseline behavior. Did traffic spike a 100%, did outbound traffic suddenly increase, are more requests being transmitted to new domain on the Internet? All these occurrences can indicate an attack. Network visibility shows network security professionals exactly what is different about today’s traffic patterns than what is normally looks like. Continue reading →

Rating: 0.0/5 (0 votes cast)

Leave a Comment

Filed under Security Management & Analysis

Tagged as aamir, Aamir Lakhani, Accelus eGRC, Access Control, Cisco, Cisco NAC, cisco security, Clean Access, cloudcentrics, Compliance, cyber security, cyber threat defense, Enterprise Security Manager, Federal Cyber Initiatives, GRC, Home, Identity Services Engine, ISE, ISE1.0, Joey, Joey Muniz, joseph, joseph muniz, Lakhani, LanCope, McAfee, McAfee ESM, mobile, mobile device, Muniz, NAC, NAC appliance, netflow, NetWitness, network access control, Network reconnaissance, network security, network visibility, RSA, Security, Security Logging Events, situational awareness, Stealth Watch, StealthWatch, Symantec, Threat Defense Visibility, World Wide Technology, world wide technology inc., wwt

March 4, 2013

Cisco’s Cyber Solutions – What Is Happening In Your Network

Today’s threat landscape is loaded with malicious websites, malware and other risks that attack users every nanosecond of the day. There isn’t a single product available that can guarantee protection from cyber threats. Older solutions leveraging static technologies such as signatures are not good enough. The best approach for dealing with advanced threats is continuously monitoring the entire network through layering security technologies.

Cisco is known for network and collaboration products however Cisco also has a very strong security catalog that extends beyond traditional firewalls and IPS appliances. If I had to summarize Cisco’s core visibility technologies for cyber threats, I would highlight Cisco’s capabilities around Access Control, Web Security and partnership with Lancope for Insider Threats.

Access Control is critical for knowing who and what is accessing your network regardless if it’s the LAN, Wireless or remotely using VPN technology. Cisco Identity Services Engine ISE accomplishes visibility of users accessing the network by leveraging how people authenticate along with profiling what types of devices are being used. The screenshot below shows two users with mobile devices obtaining different levels of wireless access. Cisco ISE can also verify if devices meet specified polies by enforcing posture prior to providing network access meaning ensure Joey’s windows 7 laptop has the latest updates and security applications installed.

Cisco ISE showing Android with Contractor access and iPhone with Employee mobile access

Profiled devices in my home lab. “Apple-Device” is a MACMINI hosting ISE via “VMWare-Device”

Some default profiles for Cisco ISE.

Web Security is crucial for protecting internal users from threats while surfing the public Internet. Cisco Web Security Appliance WSA (previously Ironport) provides visibility of Internet usage as well as security through layered technologies. Network use policies such as denying gambling web content during work hours can easily be enforced through Cisco WSA’s categorized content classes.

Cisco WSA Content Dashboard

The real value of Cisco WSA is going beyond average web content filtering by offering layers of security options that protect users accessing approved content. The first layer is verifying if the web source is a known evil location based on reputation. Reputation can be factors such as where it’s located, how long it’s been up or if it has been marked as a source for malicious activity. If the web source has a safe reputation, WSA scans traffic with a combination of Sophos, McAfee and Webroot engines along with other intelligence looking for malicious behavior. There is also a botnet scanner that sits on a spam port designed to capture users that happen to get compromised and have malware phone home activity from their devices. The botnet scanner is a first step towards identifying insider threats but not good enough.

Cisco WSA Main Dashboard

Cisco WSA Threat Dashboard

True insider threat visibility can only be accomplished by monitoring all internal traffic for threats that can compromise your network through email, web, infected devices or other means. Cisco has partnered with Lancope to give network wide forensic visibility leveraging capabilities that exist within networking products such as routers, switches and firewalls as well as in the datacenter. Administrators can use Lancope’s Steathwatch to see the top 10 threats that range from Data Loss to Botnet infections.

Main Lancope Cyber Security Dashboard

(Top 4 machines infected with botnets)
Ethel’s Windows 7 Workstation With Botnet

Ethel’s Workstation communicating with malicious source

Lancope identifies threats using a combination of reputation and behavior regardless if the threat attempts to hide by throttling, encryption or interact through multiple compromised systems. Some examples are flagging a user dumping large amounts of data to dropbox, communication with known malware web sources, host-to-host reconnaissance and use of obscure ports. Lancope can zero in on a threat by stitching together the entire communication chain meaning an administrator will see a map of all infected devices, how the infection started, who the users are (including Cisco ISE integration), where its spreading and how its sending traffic off the network. Lancope also gives visibility into abusing network resources, unauthorized tunneling and problems in network performance.

Lancope Dataloss Diagram
Malware Propagation Diagram

Purple IP has infected green IP which is probing other systems
Known Botnet Sources via Reputation

Combing Access Control, Web Security and Insider Threat technology gives administrators complete visibility of what is happening on the network. There is a lot of power having reports showing every user and device on the network, how those devices access the public Internet and near real-time analytics on if any of those devices have been compromised. This information can dramatically improve identification and reaction to cyber threats saving time, money and other problems caused by network breaches.

Rating: 0.0/5 (0 votes cast)

2 Comments

Filed under Internet Defense, Network Admission Control, Security Management & Analysis

Tagged as 802.1x, Access Control, anti-virus, botnet, botnets, Cisco, cisco cyber, Cisco NAC, cisco security solutions, cisco web security appliance, Clean Access, Compliance, computer threats, content filter, cyber threat defense, Flow, Guest Server, Home, Identity Services Engine, insider threats, iPad, iPhone, ironport, ISE, ISE.1.1, ISE1.0, ISE1.2, Joey, Joey Muniz, joseph, joseph muniz, LanCope, malicious websites, malware, McAfee, Muniz, NAC, NAC appliance, netflow, network access control, network security, network threats, network visibility, prime, Profiler, reputation security, Security, security with NetFlow, Sophos, Stealth Watch, StealthWatch, top network threats, virtual wsa, virus protection, web reputation, web security, webroot, wsa

February 20, 2013

PART 2 “The Attack” – THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

Last year Aamir Lakhani and Joseph Muniz developed a fake identity known as Emily Williams with the purpose of compromising a specific target using social media. We created Emily Williams based on research from Robin Sage, which showcased how a fake identity could obtain sensitive information from social media resources. We wondered if a similar approach could be used for targeted attacks and developed Emily Williams for that purpose. More information on developing Emily Williams via Part 1 of this project can be found HERE.

Emily Williams and Robin Sage

This Part 2 post explains WHY the Emily Williams project is important to understand. Yes, it was humorous watching people endorse a fake person’s technical abilities and receive job offers based on a posted IT background (or possibly just because Emily is attractive) however those are not the worst outcomes from social media threats. Part 1 concluded with our lovely Emily Williams having friends with multiple parties from our target such as Human Resources, IT Support, Engineering and Executive Leadership. People were sharing information and considering Emily Williams an employee based on the profile we created. The information alone was very valuable however that was just the beginning.

Stage 3 focused on obtaining access to host systems through social media. There are many options to do this such as the very popular Blackhole exploit kit however we did not want to use any method that could potentially harm our target’s system based on personal ethics. Blackhole is the most prevalent web threat seen today leveraging a malicious payload that we felt wasn’t safe for our target’s systems. We chose to use The Browser Exploitation Framework (BeEF) based on our feeling that compromising browsers was not as evil as using malware.

Blackhole Exploit Kit Screenshot

Browser Exploitation Framework (BeEF) Screenshot

BeEF leverages browser vulnerabilities to assess the security posture of a target. BeEF “hooks” targets as beachheads for launching direct command modules. Different browsers have various vulnerabilities, which means the more vulnerable a browser is, the more unique attack vectors become available to the hacker. We installed Backtrack 5R3 on a server and developed a BeEF hooking server that was public facing. We tested systems by accessing our BeEF server, hooking systems and launched commands such as taking a screen shot capture. More on building a BeEF system can be found HERE.

The next step was luring employees of the target to our BeEF system. There are many methods hackers accomplish this such as offering free media sites (IE download music, movies, etc. … see more on why this is risky behavior HERE), phishing emails and fake URLs designed to look and feel like something else. We decided to post virtual holiday cards on Emily William’s social media pages and direct invites to specific targets. The goal was having a user click the holiday card, wait for the card to pop up and have our system probe the browser for vulnerabilities during the waiting period. Once we hooked the target, we would look for passwords and insider information to gain access to the target agency. We launched three campaigns targeting systems during Thanksgiving, Christmas and New Years. We were able to figure out domain credentials to create an inside email address for Emily Williams, VPN passwords to gain internal access and other methods to compromise our target.

Our research demonstrated a few points. First off, people are trusting and male dominated industries like IT are even more trusting of women. Second, social media can be used as a means to compromise targets if users are not educated on common attacks and proper use of public facing network resources. The risk extends beyond data leakage since many people that use social media also use the same systems for internal use while at work. Finally, we demonstrated how easy it is to carry out what many consider an advanced persistent threat (APT) meaning we chose our target and bypassed standard security technology. We believe our methods were not very sophisticated compared to the real threats that target people using today’s public Internet yet we were very successful with our goal of compromising a specific target. Security is an extremely important investment and needs to include education around proper use of social media (more on this HERE) as well as protection from insider threats.

I hate to drop a plug however I recently took a job at Lancope based on their technologies’ ability to detect insider threats.

Rating: 4.7/5 (3 votes cast)

1 Comment

Filed under Penetration / Hacking, Scams and Social Engineering

Tagged as Aamir Lakhani, Access Control, BeEF, blackhat, blackhole, Cisco, cloudcentrics, Compliance, Data Loss Prevention, digital life, DLP, emily, Emily Williams, facebook, facebook hacking, fake facebook, hacking, hacking people, Home, Joey, Joey Muniz, joseph, joseph muniz, LanCope, linkedin, linkedin endorsing, mobile, mobile device, Muniz, netflow, part 2, part2, pen testing, Penetration Testing, Robin Sage, Security, social engineering, Social Engineering Training, social network secuirty, social pentest, Stealth Watch, The Browser Exploitation Framework, williams

February 14, 2013

The Importance of a BYOD Policy for Companies

Here is a guest post from Pierluigi Paganini. He is a security researcher for InfoSec Institute. InfoSec Institute is an information security training company now offering a mobile computer forensics course.

The IT landscape is dominated by the rise of paradigms such as cloud computing, mobile networking, and social networking, three concepts that have totally revolutionized the daily user’s experience on the web.

Users, in a more or less conscious way, have now become slaves of the concepts of mobility and connectivity, technological change has been rapid and has involved masses of people as never before. There are a billion people, acting as nodes in a global network and exchanging an unimaginable quantity of data, while ignoring the basic concepts of information security.

-        Which means are used for the data transfer?
-        Are the communications channels secure?
-        Where is the user’s information hosted?
-        What is the impact on user’s private and what is the impact of technological innovation for business?

All of these questions need careful reflection to avoid serious consequences for our data, for our digital identities, for our business.

Every day we read the world “BYOD” in many articles, but how much we know about it?

BYOD is an acronym for “bring your own device” and it refers to the fact that employees, business partners, and other users bring their own mobile computing devices, such as laptops, tablets, and smartphones, to the workplace for use and connectivity on the corporate network and for access to business data. The repercussions, from the security perspective, are extremely serious, because the absence of proper policies regulating the use of these devices exposes user and company to risk of data leak and cyber attacks.

These policies have to address the ways in which employees could use the devices once out of workplace, the mechanisms of access protection to be adopted, data encryption, data accessible by the mobile platform, and limiting the execution of applications that can be run outside the company (e.g., email client or data mining applications).

Suggestions for a secure BYOD policy

The proper management of mobile devices and their use by employees when outside is a critical aspect for the security of enterprises. Companies today may choose to be compliant to different standards and regulation; the majority of them, such as ISO 27001, already cover many aspects that could improve a BYOD policy.

Because the presence of mobile devices inside companies and government agencies has increased at an impressive rate, ordinary business relationships with other enterprises, such as clients and providers, require the definition and the adoption of a proper BYOD policy. Sophos proposed a document titled “BYOD Risks and Rewards” that reports that one in four devices used today for work are either smartphones or tablets.

Figure 1 – Sophos BYOD Survey

The SANS (SysAdmin, Audit, Networking, and Security) Institute in March 2012 published the whitepaper “SANS Mobility/BYOD – Security Survey.” The survey found that “only 9 percent of respondents felt completely aware of all mobile devices accessing their enterprise infrastructure and applications. At the same time, nearly 40 % felt they were fully aware of their devices, while nearly half did not have the level of awareness that they should.”

Figure 2 – SANS Institute -State of Mobile Devices Awareness

Continue reading →

Rating: 2.0/5 (1 vote cast)

Leave a Comment

Filed under General Security

Tagged as Access Control, Airwatch, bring your own device, bring your own technology, byod, BYOD policy, BYOD research, Cisco, Compliance, Data Loss Prevention, good technologies, Home, InfoSec Institute, Joey, Joey Muniz, joseph, joseph muniz, LanCope, mobile, mobile device, mobile device management, mobile device security, Mobile Iron, Muniz, network security, Pierluigi Paganini, Security, Zenprise

Tag Archives: Joey

SSL Strip – Breaking Secure Websites

How Hackers Crack Weak Passwords

Verizon’s 2013 Data Breach Investigations Report

5 Steps to Take Right After Suffering a Cyber Security Breach

Defining The Difference Between A Penetration Test, Vulnerability Assessment and Security Audit

Installing Lancope StealthWatch on a Mac mini for Small Lab

Situational Awareness For Cyber Threat Defense

Cisco’s Cyber Solutions – What Is Happening In Your Network

The Importance of a BYOD Policy for Companies

Search

Topics

Cisco ISE Documentation

Subscribe

Blogroll