Tag Archives: mobile device

Situational Awareness For Cyber Threat Defense

Aamir Lakhani did a great post on Situational Awareness. The original post can be found HERE


Illustration by Kekai Kotaki

Problem

Cisco Systems, in its Cyber Threat Defense white papers, outlines how the network security threat landscape is evolving. It describes how modern attacks are stealthy and evade traditional perimeter defenses.

Traditional monitoring and reporting tools are no longer sufficient for detecting true threats on the network. Security tools such as firewalls, anti-virus, patch management, IPS and similar products provide only partial relief against attacks. Many of them appear to be deployed mainly to satisfy a checkbox on an auditor's compliance form. Security professionals know that these tools, although important, do not by themselves constitute a full defense architecture.

Furthermore, as threats and malware invade systems, security administrators struggle to understand the nature of attacks, how they occur, and how to defend against them. Remember: you can't fight what you don't understand.

“It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”

- Sun Tzu, The Art of War (source: http://en.wikiquote.org/wiki/Sun_Tzu)


Image Source: Cisco Identity Services Engine

Cisco Identity Services Engine provides true network identification, profiling, and access controls.

As the centerpiece of Cisco's TrustSec solution, Cisco ISE creates a secure ecosystem that treats security as a holistic solution.

Federal Cyber Initiatives

New mandates are putting cyber security front and center in the news. President Obama recently challenged the nation and the US Federal government to increase their cyber defense capabilities. Even as Federal IT budgets are being cut back in 2013, spending on cyber security appears, at least to the casual onlooker, to be increasing.

Cisco Systems, in its Cyber Threat Defense white paper, discusses how “with increasingly sophisticated cyber attacks like WikiLeaks on the rise, federal agencies require more innovative solutions for maintaining a strong security posture. Additionally, with the evolution of the CNCI (Comprehensive National Cybersecurity Initiative), federal agencies are being required to take a more holistic and collaborative approach to analyzing threat information across the totality of government networks for improved incident response and forensic investigation.”

Being constantly bombarded with threats, how can security professionals even gauge whether they are being attacked, or whether a threat poses a clear and present danger (yes, that was a Harrison Ford shout-out)?


RSA NetWitness Logo

Image Source: RSA

How To Solve The Problem

I recommend creating a conceptual framework for a Threat Defense Visibility and Awareness program. The goals of the program should be to (1) provide a framework that can be built from products, technologies and methodologies available today, (2) provide real-time visibility into network health and status, (3) provide real-time network posture and attack risk baselines, and (4) provide a training facility for attack analysis and defense.

What Is Network Visibility?

According to Lancope (source: http://www.lancope.com/), “network visibility focuses on the most complex and dangerous information security threats – threats that lurk in networks for months or years at a time stealing vital information and disrupting operations. This type of solution provides visibility into these threats and context to decipher their targets and potential damage”. Lancope further states on its website that security analysts gain visibility into advanced cyber threats such as:

  • Network reconnaissance
  • Network interior malware proliferation
  • Command and control traffic
  • Data exfiltration


Lancope StealthWatch provides network visibility

Understanding trends, anomalies, and threats of the network

Image Source: Lancope

Network visibility gives security administrators the ability to detect problems because it highlights changes from baseline behavior. Did traffic spike 100%? Did outbound traffic suddenly increase? Are more requests being sent to a new domain on the Internet? All of these can indicate an attack. Network visibility shows security professionals exactly how today's traffic patterns differ from what is normal.
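The baseline comparison described above, as an added example that is not part of the original post or of any Lancope product. It builds a per-host baseline from constructed flow records (seven days of normal traffic for one workstation), then flags two of the signals the post names: a directional byte-count spike against the baseline and a sizable transfer to a domain the host has never contacted before. The record format, the thresholds and the sample data are assumptions; a real deployment would feed it NetFlow or IPFIX exports.

```python
"""Baseline-vs-today traffic comparison over constructed flow records.

Added example, not part of the original post or any Lancope product.
Record format (day, host, direction, dest_domain, bytes) is an assumption.
"""
from collections import defaultdict

# Constructed sample: seven "baseline" days of normal traffic for one host,
# then a "today" record set containing a never-seen domain and a large upload.
BASELINE_DAYS = 7
FLOWS = []
for day in range(1, BASELINE_DAYS + 1):
    FLOWS += [
        (day, "ws-017", "out", "mail.example.com", 120_000),
        (day, "ws-017", "out", "cdn.example.net", 300_000),
        (day, "ws-017", "in", "cdn.example.net", 2_400_000),
    ]
TODAY = [
    (8, "ws-017", "out", "mail.example.com", 130_000),
    (8, "ws-017", "out", "cdn.example.net", 280_000),
    (8, "ws-017", "in", "cdn.example.net", 2_500_000),
    (8, "ws-017", "out", "files.example-drop.org", 900_000),  # new domain, big upload
]


def build_baseline(flows, days):
    """Per-host average daily bytes per direction, plus the set of domains seen."""
    totals = defaultdict(float)   # (host, direction) -> bytes summed over all baseline days
    domains = defaultdict(set)    # host -> domains contacted during the baseline
    for _day, host, direction, domain, nbytes in flows:
        totals[(host, direction)] += nbytes
        domains[host].add(domain)
    avg = {k: v / days for k, v in totals.items()}
    return avg, domains


def detect_anomalies(today, avg, domains, spike_ratio=2.0, new_domain_min_bytes=100_000):
    """Return (host, reason) findings for today's flows.

    spike_ratio: flag when today's bytes in a direction reach this multiple of the baseline.
    new_domain_min_bytes: only flag a never-before-seen domain if the transfer is sizable,
    so one DNS lookup to a new CDN does not page anyone.
    """
    today_totals = defaultdict(float)
    findings = []
    for _day, host, direction, domain, nbytes in today:
        today_totals[(host, direction)] += nbytes
        if domain not in domains.get(host, set()) and nbytes >= new_domain_min_bytes:
            findings.append((host, f"new domain {domain}: {nbytes} bytes {direction}"))
    for (host, direction), nbytes in today_totals.items():
        base = avg.get((host, direction), 0.0)
        if base and nbytes / base >= spike_ratio:
            findings.append((host, f"{direction}bound bytes {nbytes:.0f} vs baseline "
                                   f"{base:.0f} ({nbytes / base:.1f}x)"))
    return findings


def run():
    avg, domains = build_baseline(FLOWS, BASELINE_DAYS)
    return detect_anomalies(TODAY, avg, domains)


if __name__ == "__main__":
    for host, reason in run():
        print(f"{host}: {reason}")
```

The inbound side stays quiet (2.5 MB against a 2.4 MB baseline), which is the point: a flat threshold on total bytes would miss this host, while a per-direction baseline shows outbound traffic at roughly three times normal, most of it to a domain the host had never talked to.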



Filed under Security Management & Analysis

PART 2 “The Attack” – THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target


Last year Aamir Lakhani and Joseph Muniz developed a fake identity known as Emily Williams with the purpose of compromising a specific target using social media. We created Emily Williams based on research from Robin Sage, which showcased how a fake identity could obtain sensitive information from social media resources. We wondered if a similar approach could be used for targeted attacks and developed Emily Williams for that purpose. More information on developing Emily Williams, from Part 1 of this project, can be found HERE.

Emily Williams and Robin Sage

This Part 2 post explains why the Emily Williams project is important to understand. Yes, it was humorous watching people endorse a fake person's technical abilities and extend job offers based on a posted IT background (or possibly just because Emily is attractive); however, those are not the worst outcomes of social media threats. Part 1 concluded with our lovely Emily Williams having friends in multiple parts of our target, such as Human Resources, IT Support, Engineering and Executive Leadership. People were sharing information and treating Emily Williams as an employee based on the profile we created. The information alone was very valuable, but that was just the beginning.

Stage 3 focused on obtaining access to host systems through social media. There are many options for this, such as the very popular Blackhole exploit kit; however, for ethical reasons we did not want to use any method that could harm our target's systems. Blackhole is the most prevalent web threat seen today and delivers a malicious payload that we did not consider safe for our target's systems. We chose The Browser Exploitation Framework (BeEF) because we felt compromising browsers was less harmful than deploying malware.


Blackhole Exploit Kit Screenshot


Browser Exploitation Framework (BeEF) Screenshot 

BeEF leverages browser vulnerabilities to assess the security posture of a target. BeEF “hooks” browsers and uses them as beachheads for launching command modules. Different browsers have different vulnerabilities, so the more vulnerable the browser, the more attack vectors become available to the attacker. We installed BackTrack 5 R3 on a server and set up a public-facing BeEF hooking server. We tested systems by browsing to our BeEF server, hooking them and launching commands such as capturing a screenshot. More on building a BeEF system can be found HERE.

The next step was luring employees of the target to our BeEF system. Attackers accomplish this in many ways, such as offering free media sites (i.e. downloads of music, movies, etc.; see more on why this is risky behavior HERE), phishing emails and fake URLs designed to look and feel like something else. We decided to post virtual holiday cards on Emily Williams' social media pages and send direct invites to specific targets. The goal was to have a user click the holiday card, wait for the card to load and have our system probe the browser for vulnerabilities during the wait. Once we hooked a target, we looked for passwords and insider information to gain access to the target organization. We launched three campaigns during Thanksgiving, Christmas and New Year's. We were able to obtain domain credentials to create an internal email address for Emily Williams, VPN passwords to gain internal access, and other means of compromising our target.

Our research demonstrated a few points. First, people are trusting, and male-dominated industries like IT are even more trusting of women. Second, social media can be used to compromise targets if users are not educated about common attacks and the proper use of public-facing network resources. The risk extends beyond data leakage, since many people who use social media also use the same systems for internal work. Finally, we demonstrated how easy it is to carry out what many consider an advanced persistent threat (APT): we chose our target and bypassed standard security technology. We believe our methods were not very sophisticated compared to the real threats targeting people on today's public Internet, yet we were very successful in compromising a specific target. Security is an extremely important investment and needs to include education about the proper use of social media (more on this HERE) as well as protection from insider threats.

I hate to drop a plug, but I recently took a job at Lancope based on their technology's ability to detect insider threats.



Filed under Penetration / Hacking, Scams and Social Engineering

The Importance of a BYOD Policy for Companies

Here is a guest post from Pierluigi Paganini, a security researcher for InfoSec Institute. InfoSec Institute is an information security training company that now offers a mobile computer forensics course.

The IT landscape is dominated by the rise of paradigms such as cloud computing, mobile networking and social networking, three concepts that have totally revolutionized the daily user's experience on the web.

Users have, more or less consciously, become slaves to the concepts of mobility and connectivity; technological change has been rapid and has involved masses of people as never before. A billion people act as nodes in a global network, exchanging an unimaginable quantity of data while ignoring the basic concepts of information security.

- Which means are used for the data transfer?
- Are the communication channels secure?
- Where is the user's information hosted?
- What is the impact on user privacy, and what is the impact of technological innovation on business?

All of these questions need careful reflection to avoid serious consequences for our data, our digital identities and our business.

Every day we read the word “BYOD” in many articles, but how much do we know about it?

BYOD is an acronym for “bring your own device” and refers to employees, business partners and other users bringing their own mobile computing devices, such as laptops, tablets and smartphones, to the workplace for use and connectivity on the corporate network and for access to business data. The repercussions, from a security perspective, are extremely serious, because the absence of proper policies regulating the use of these devices exposes both users and the company to the risk of data leaks and cyber attacks.

These policies have to address the ways in which employees may use the devices outside the workplace, the access protection mechanisms to be adopted, data encryption, which data is accessible from the mobile platform, and limits on the applications that can be run outside the company (e.g., email clients or data mining applications).

Suggestions for a secure BYOD policy

The proper management of mobile devices and their use by employees outside the office is a critical aspect of enterprise security. Companies today may choose to comply with different standards and regulations; the majority of them, such as ISO 27001, already cover many aspects that could improve a BYOD policy.

Because the presence of mobile devices inside companies and government agencies has increased at an impressive rate, ordinary business relationships with other enterprises, such as clients and providers, require the definition and adoption of a proper BYOD policy. Sophos published a document titled “BYOD Risks and Rewards” reporting that one in four devices used today for work is a smartphone or tablet.

Figure 1 – Sophos BYOD Survey

The SANS (SysAdmin, Audit, Networking, and Security) Institute in March 2012 published the whitepaper “SANS Mobility/BYOD Security Survey.” The survey found that “only 9 percent of respondents felt completely aware of all mobile devices accessing their enterprise infrastructure and applications. At the same time, nearly 40 % felt they were fully aware of their devices, while nearly half did not have the level of awareness that they should.”

Figure 2 – SANS Institute -State of Mobile Devices Awareness




Filed under General Security

THE SOCIAL MEDIA DECEPTION PROJECT : How We Created Emily Williams To Compromise Our Target

Disclaimer: This post has been modified to exclude specific subjects not approved for public viewing



Emily Williams and Robin Sage

Emily Williams and Robin Sage don't exist in the real world. They are fake social network accounts designed to obtain sensitive information. Robin Sage was created in late 2009 to obtain information from US military and intelligence personnel. Her story was presented at the Black Hat conference, upsetting many people by exposing the type of sensitive data shared over social networks. Joey Muniz and Aamir Lakhani decided to go one step further and ask the hard question: “what else can happen beyond data being leaked over social networks?” We decided to find out using Emily Williams.

NOTE: The research presented is real. Many people reading this are friends with Emily and are probably mad at us. We have informed anybody we attacked, so if you haven't heard from us, you are just social network friends with Emily.

 


Emily’s Real Employer 

Emily Williams was created in November 2011 on Facebook and LinkedIn. Our goal was to pick a specific target and see how far we could penetrate it using social networks as the entry point for infiltration. The plan was to build up a social network with key personnel and launch attacks from Facebook and LinkedIn that compromised systems. From there, we could gain entry into the network and more or less capture the flag. The research was made public with the goal of educating employees about security on social networks and about the current threats that could target people like you. We had executive approval before conducting the experiment.

Social Network Findings

The first step was creating the Facebook and LinkedIn accounts. We found a non-technical female employee from the restaurant industry (who happened to work a few blocks from our target) to volunteer pictures for Emily's appearance. We developed a fake social security number, residence and other details that might be searched, to make Emily seem real. We gave Emily an IT background from the University of Texas and updated her profile with a matching employment history.

 


 Social Engineer Using Facebook Profile Info

 


User Flags Emily

Step two was building up friends prior to networking with our target audience. We decided to pick on Joey Muniz's friends, figuring that if they flagged her as fake, they wouldn't inform anybody from our target audience. Within hours we had over 100 friends using manual friend requests. We found very little resistance to accepting her as a friend; however, one individual not only denied her friend request but also posted a warning about Emily to his friends without actually calling her out. Another funny story: a friend asked “Do I know you?” and by simply replying with information from his own social profile, we had him saying he remembered her. The lesson learned is to think about what you post, because it could be used against you!


Job Offer Based On Profile Info

Once we had a decent number of friends, we updated her status to a new employee of our target with a technical engineering title. From there, we started adding potential targets, beginning with sales and mid-level technical staff as well as our target's partners. We not only grew our friend count within those organizations, we also started receiving job offers, meeting requests and congratulations on the new job. As the number of friends from our target grew, we moved up the ranks, eventually capturing people from Human Resources and Engineering who would have been responsible for hiring Emily if she existed. We moved all the way up to executive leadership, and we are happy to say our President denied her friend request after looking for her name in the corporate directory. We have a lot of respect for his diligence.


Can You Trust LinkedIn Endorsing?

At this point we had networked with our target audience and had enough key members connected to perform attacks. Part 2 of this story will cover how we leveraged the social network to obtain access to the network. Consider Part 2 the answer to why Robin Sage and Emily Williams are a risk to organizations. Stay tuned for Part 2, and again, for those involved, don't worry: we didn't do anything bad to you unless we told you. Oh, and thanks for helping us prove our point about the dangers of social networks!

Article written and research conducted by:

Joey Muniz

Blog: www.thesecurityblogger.com

Aamir Lakhani

Blog: www.cloudcentrics.com



Filed under Penetration / Hacking, Scams and Social Engineering

How To Educate Your Employees About Social Engineering

A common saying is “Amateurs hack systems, professionals hack people.” Social engineering is the art of manipulating people into performing actions or divulging confidential information. People fall for social engineering tricks because of their instinct to be helpful and trusting. The typical attacker never comes face to face with a victim, relying instead on deception through email, social networks or over the phone.

Consultants list end-user training as a top defense against social engineering. How should you provide training for your user community? Here are some tips for educating your staff about common social engineering attacks.

Explain Why Policies Exist


It is common to see organizations send out policy reminders without explaining why the policies exist. The average user deletes a policy email as soon as they recognize its standard legal language.

Try explaining why users should care. For example, start with a scenario about an email account being compromised or company data being stolen. Include details about which social engineering tactic was used, what IT invested in cleaning up the issue, and ways to avoid the threat. Close with the policy being enforced.

Provide Examples Beyond The Intranet


Organizations typically send warning emails to employees when they discover threats to internal resources. It is rare to see companies extend warnings about phishing or other external attacks. Try periodically sending out examples of different social engineering attacks, highlighting what to look for and where they are common. Examples should include social networks, fake URLs, Craigslist scams and threats delivered through shareware. Your end users can be targeted anywhere, so educate them on all forms of social engineering attacks.



Filed under Scams and Social Engineering

Protect Your Communication Using Free Tools: Secure E-mail and Hiding Messages with Steganography


Is There More To This Image?

Communicating has become extremely easy in today's digital society. Most mobile devices offer software that integrates with social networks, business applications and e-mail. People share anything from where they are eating to what they are about to eat in near real time (personally, I find it annoying). This convenience makes securing communication more difficult, since most digital messages leave a digital fingerprint and are usually transmitted over insecure channels. My team has demonstrated how hackers can steal data in transit using man-in-the-middle attacks with tools like the WiFi Pineapple (more HERE) and BeEF (more HERE), and by compromising mobile devices to pull up old text messages and e-mails.

How can you protect your communication? Best practice is to invest in multifactor authentication to trusted systems, VPN technology for communication outside a secure network, data loss prevention to monitor what data is permitted to leave a secure network, internal network security products, and host-based security to stop key loggers and other threats. Communication solutions should offer a mix of confidentiality (protecting the information), integrity (the message can't be modified), availability, authenticity (the message is genuine) and non-repudiation (proof that the message was sent and received).

Meeting best practice typically requires investments in multiple technologies, but what about the average user looking to send a sensitive message? There are ways to send messages securely using free tools. One option is a secure e-mail service. Hushmail offers free PGP-encrypted e-mail and file storage. In the image below you can see the checkbox for encrypting the outgoing message, as well as how Hushmail enforces a strong passphrase in line with secure e-mail practice. The downside of Hushmail is that it lacks some of the flashy features of other e-mail services, such as chat or customizable backgrounds.


Setting up a Hushmail account


Sending Encrypted E-mails
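The second half of this post's title, hiding messages with steganography, is what the cover image hints at. As an added example that is not part of the original post or of any tool it mentions, here is the simplest form of it: least-significant-bit (LSB) embedding. The "image" is a constructed bytearray of 8-bit samples standing in for the RGB channels of a decoded bitmap (wiring it to a real PNG or BMP decoder is left to the reader); one message bit goes into the LSB of each sample, preceded by a 32-bit length header so extraction knows where to stop. The cover, the secret and the header layout are assumptions for the example.

```python
"""Least-significant-bit steganography over raw pixel bytes.

Added example, not part of the original post or any tool it mentions.
The cover is a constructed bytearray of 8-bit samples; a real image would
be decoded to the same kind of buffer first.
"""
import struct


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, message: bytes) -> bytearray:
    """Return a copy of `cover` whose LSBs carry the length-prefixed message."""
    payload = struct.pack(">I", len(message)) + message   # 4-byte big-endian length, then data
    if len(payload) * 8 > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} bytes, message needs {len(payload)}")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the LSB, then write the message bit
    return stego


def extract(stego: bytes) -> bytes:
    """Read the length header, then that many bytes, from the LSBs of `stego`."""
    def read_bytes(offset_bits: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[offset_bits + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if 32 + length * 8 > len(stego):
        raise ValueError("length header exceeds cover size; not a valid stego buffer")
    return read_bytes(32, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """LSB embedding never moves a sample by more than 1, which is why the eye cannot see it."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: a 64x64 RGB gradient (12288 samples), room for 1536 bytes of payload.
COVER = bytes(((x * 3 + y * 5 + c * 7) & 0xFF) for y in range(64) for x in range(64) for c in range(3))
SECRET = b"meet at the usual place, 2100"


def demo() -> bytes:
    """Embed SECRET into COVER and recover it; returns the recovered bytes."""
    stego = embed(COVER, SECRET)
    assert max_pixel_change(COVER, stego) <= 1
    return extract(stego)


if __name__ == "__main__":
    print(demo().decode())
```

Two caveats a practitioner should keep in mind: the message is hidden, not encrypted, so encrypt first (with PGP, as in the Hushmail section) and embed the ciphertext; and LSB embedding survives only lossless formats, since a JPEG re-encode rewrites exactly the bits the message lives in.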



Filed under Data Loss Prevention, General Security

Hacking the iPhone : Breaking Pins and Passcodes : Booting without approved Apple Firmware

“My buddy Aamir Lakhani is developing an iOS security class and recently posted about hacking iOS devices. This is a very popular subject and I want to share it. Also, a shout-out to Tom Bedwell for his assistance with the research. You can find the original posting at www.cloudcentrics.com”

iOS devices can be booted with their own kernel and micro operating system instead of the approved Apple firmware. When an iOS device is loaded with such a custom kernel and RAM disk, you can run attacks such as bypassing the passcode, decrypting passwords, copying the file system, viewing emails and much more. The following guide describes how to create a RAM disk; however, it may not work precisely as a step-by-step instruction set, since each system is unique and requires some level of customization.

Note: If you run into trouble creating a RAM disk due to unique OS configurations and code versions, don't despair.

If you want to take the easy way

Download: http://cloudcentrics.com/wp-content/uploads/2012/11/iphone-dataprotection-modifed.zip 

- and then complete step 11, then proceed to step 20.

Now let the real fun begin

IMPORTANT: Watch the word wrap. Many commands are single lines that may be wrapped across multiple lines here.

Step 1: Uninstall file system readers

If you have a file system tool such as MacFUSE or Tuxera installed, uninstall it before starting and reboot your machine.

Step 2: Install Xcode from the Mac App Store


Step 3: Download and install Xcode Command Line Tools:

1. Download Xcode from the Apple App Store
2. Launch Xcode and go to preferences
3. Install Xcode Command Line tools and Simulators


Step 4: Open the Terminal App.

Make sure you are in your home directory. In my case the home directory is /Users/alakhani



Filed under Bring Your Own Device BYOD, Host And Mobile Device Security, Penetration / Hacking

Zenprise 7.01 Out Now : What’s New From Previous Version 6.6

Zenprise recently released an upgrade to its flagship mobile device management (MDM) solution. My team has been showcasing the previous version, 6.6, and went through the upgrade to Zenprise 7.01 this week. The Zenprise ZDM upgrade took around 15-20 minutes, including upgrading the software and Java on the hosting server. Here is a comparison of both versions of Zenprise ZDM.

Dashboard: Zenprise 7.01 now includes a dashboard, or centralized landing page. From a visual perspective, it's a great way to quickly identify the state of the system and managed endpoints. The picture below is customized with 6 different reports. Functionally, the previous version of Zenprise could accomplish the same things by clicking around.


iOS and Android Enrollment: The new 7.01 version of Zenprise offers a dedicated section for device enrollment that includes options such as MDM server discovery and email or SMS notification. We felt enrollment was a weak spot for Zenprise; however, this release dramatically simplifies the process. The group enrollment feature makes it much easier to deploy the Zenprise MDM software to a large number of users at once. Furthermore, Zenprise 7.01 can import a CSV file to populate its database for bulk enrollment.


iOS Location Services, Geo-tracking and Geo-fencing: This is a huge feature. Admins can set location service policies to locate devices at any given time. Geofencing allows admins to define a geographic perimeter and perform a selective or full wipe when a device leaves it. We have had requests for geofencing ranging from stopping students from walking off with school-issued mobile devices to military secured facilities wiping any device that leaves the controlled area. In high-security areas it is possible to wipe a device on demand as it exits a “safe” zone.
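What a geofence policy actually has to decide, as an added example that is not Zenprise code: given a location report, is the device outside the perimeter, and is that certain enough to justify an irreversible action like a wipe? The check below uses the haversine distance on a spherical Earth, subtracts the fix's reported accuracy so a 400 m GPS error near the boundary does not count as a breach, and requires two consecutive out-of-fence reports before acting. The fence, the sample reports and the policy parameters are constructed for the example.

```python
"""Geofence evaluation for an MDM-style "wipe on perimeter breach" policy.

Added example, not Zenprise code; the fence, policy knobs and the sample
location reports are constructed. Haversine on a spherical Earth is accurate
to well under 1% for perimeters of metres to kilometres.
"""
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class Geofence:
    """Circular perimeter with an accuracy-aware breach test.

    A report counts as a breach only when the device is outside the radius by
    more than its own reported GPS accuracy, and `min_consecutive` such reports
    arrive in a row: a single noisy fix must never wipe a phone.
    """

    def __init__(self, lat, lon, radius_m, action="selective_wipe", min_consecutive=2):
        self.lat, self.lon, self.radius_m = lat, lon, radius_m
        self.action = action
        self.min_consecutive = min_consecutive
        self._outside_streak = 0

    def evaluate(self, lat, lon, accuracy_m):
        """Return the policy action to take for this report, or None."""
        d = haversine_m(self.lat, self.lon, lat, lon)
        if d - accuracy_m > self.radius_m:      # outside even in the best case for the device
            self._outside_streak += 1
        else:
            self._outside_streak = 0
        if self._outside_streak >= self.min_consecutive:
            self._outside_streak = 0            # act once, then re-arm
            return self.action
        return None


# Constructed: a 500 m fence around a campus, then four location reports
# (latitude, longitude, reported accuracy in metres).
CAMPUS = Geofence(30.2850, -97.7335, radius_m=500)
REPORTS = [
    (30.2852, -97.7330, 15),    # inside
    (30.2890, -97.7335, 400),   # ~445 m out but 400 m accuracy: inconclusive, no breach
    (30.2950, -97.7335, 10),    # ~1.1 km out with a tight fix: first breach
    (30.2960, -97.7335, 10),    # second breach in a row: wipe
]


def run(fence=CAMPUS, reports=REPORTS):
    """Feed the reports through the fence in order; returns one decision per report."""
    return [fence.evaluate(*r) for r in reports]


if __name__ == "__main__":
    for report, decision in zip(REPORTS, run()):
        print(report, "->", decision)
```

The design choice worth noting is the accuracy subtraction: the second report is nominally outside the fence, but a 400 m uncertainty means the device may well be inside it, and a policy that wipes on that report would destroy data because of a bad cell-tower fix. Whether two consecutive accurate fixes is enough debounce depends on how often the agent reports and how much data loss the organization tolerates.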



Filed under Bring Your Own Device BYOD, Host And Mobile Device Security

Defending Against Google Hacking : Know What Can Be Found On Search Engines

It's shocking how many organizations are compromised due to administrative carelessness, such as using default passwords or advertising sensitive information on public sources. Many companies purchase top-dollar security solutions but fail at addressing the most common security weakness: enforcing thorough security policies. One popular reconnaissance technique known as Google Hacking (although other search engines can be used) can expose confidential information, vulnerabilities and login credentials using Internet search engines. Here are some tips to avoid being abused by Google Hacking or other reconnaissance techniques.

Strong Passwords:

Anything facing the Internet should have very strict security policies implemented to defend against hackers. For starters, all default passwords should be changed in line with a strong password policy. Strong passwords do not contain words found in spoken languages, even with letters swapped for other characters (e.g. Ex@mp1e would be considered weak). One good approach is to take the first or last letter of each word in a sentence and add numbers and special characters (e.g. “This Blog Talks About Many Crazy Things”, converted using the first letter of each word, becomes tbtamct135@!). Length, expiration time and the number of authentication factors also affect password strength. More on passwords can be found HERE

HERE is an example list of default passwords for popular network devices. It's common to uncover default logins on small neighborhood wireless networks; however, my team also finds default credentials on large corporate systems using targeted Google Hacking queries. Examples include searching for #-Frontpage- inurl:administrator.pwd or inurl:odbc.ini ext:ini -csv to find Microsoft FrontPage and ODBC passwords. Some automated attack tools use Google Hacking queries to gather system information before launching exploits and password cracking efforts. Don't be a victim of weak passwords!
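The two password rules above, the sentence mnemonic and the rejection of leet-substituted dictionary words, together with the default-credential check, as an added example that is not part of the original post. `mnemonic` reproduces the post's tbtamct135@! construction from its sentence; `audit` undoes common letter-for-symbol swaps before the dictionary check, so Ex@mp1e is caught as "example", and estimates the brute-force search space from length and character classes. The default-credential set and the dictionary are tiny constructed stand-ins for a real default-password list and a real word list.

```python
"""Mnemonic passphrase builder and credential audit.

Added example, not part of the original post. DEFAULT_CREDS and DICTIONARY
are constructed stand-ins; substitute full lists in practice.
"""
import math
import string

DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("cisco", "cisco"), ("root", "root")}
DICTIONARY = {"example", "password", "welcome", "summer", "company", "admin"}

# Undo the usual letter-for-symbol swaps (@->a, $->s, !->i, 1->l, 3->e, 4->a, 0->o)
# so that a "disguised" dictionary word is still recognised as one.
LEET = str.maketrans("@$!1340", "asileao")


def mnemonic(sentence: str, suffix: str = "135@!", first_letter: bool = True) -> str:
    """Build a password from the first (or last) letter of each word plus a suffix."""
    words = [w.strip(string.punctuation) for w in sentence.split()]
    letters = [(w[0] if first_letter else w[-1]).lower() for w in words if w]
    return "".join(letters) + suffix


def entropy_bits(password: str) -> float:
    """Brute-force search-space estimate: log2(charset_size ** length)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def audit(username: str, password: str, min_bits: float = 50.0):
    """Return the reasons a credential is weak; an empty list means it passed."""
    problems = []
    if (username.lower(), password) in DEFAULT_CREDS:
        problems.append("default credential")
    core = password.lower().translate(LEET).strip(string.punctuation + string.digits)
    if core in DICTIONARY:
        problems.append(f"dictionary word after undoing substitutions: {core}")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    bits = entropy_bits(password)
    if bits < min_bits:
        problems.append(f"only {bits:.0f} bits of search space")
    return problems


if __name__ == "__main__":
    pw = mnemonic("This Blog Talks About Many Crazy Things")
    print(pw, audit("jdoe", pw))
    print("Ex@mp1e", audit("jdoe", "Ex@mp1e"))
    print("admin/admin", audit("admin", "admin"))
```

The search-space estimate is an upper bound on attacker effort, not a guarantee: a mnemonic built from a famous quotation or song lyric is guessable from a phrase list regardless of its character classes, which is why the sentence should be one only you would write.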

Know What Is Public Facing:

It is key to protect sensitive information such as vulnerability reports, employee information and confidential records. There are great tools available to audit for sensitive information, such as data loss prevention products and compliance tools (more on DLP HERE). Crazy as it sounds, administrators sometimes unknowingly let audit results for confidential information leak to public search engines. One example is searching for audit report headers (e.g. “This Report Was Generated By Nessus”) to identify vulnerable targets without setting off the alarms that active penetration testing techniques would. Another example is searching for phrases such as “Classified” via intext:classified COMPANY to find sensitive corporate information. It's shocking what is out there.

Some fun search terms look for cameras, using queries such as Linksys inurl:main.cgi or ViewerFrame?Mode= . Be careful, some people don't know they are in front of a live camera. Seriously, try it! You can pan cameras around and see different parts of the world.
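Knowing what is public facing means running the same dorks against your own site before someone else does. As an added example that is not part of the original post, the evaluator below parses the operators used in this post (inurl:, intext:, intitle:, ext:, quoted phrases and - negation) and applies them to a constructed set of page records standing in for an export of your own site's crawl; it does not query Google, so it can run offline and on pages the search engine has not indexed yet. Text matching ignores case and punctuation, which is roughly how the search engine treats terms like #-Frontpage-. The page records and the example domain are constructed.

```python
"""A small Google-dork evaluator for auditing your own crawl for exposed content.

Added example, not part of the original post. Operators: inurl:, intitle:,
intext: (the default for bare terms), ext:/filetype:, site:, quoted phrases,
and a leading '-' to negate a term. PAGES is a constructed stand-in for an
export of your own site's public pages.
"""
import re
import shlex

# Constructed page records: (url, title, body text) as a crawler would capture them.
PAGES = [
    ("https://www.example.com/index.html", "Example Corp", "Welcome to Example Corp."),
    ("https://www.example.com/_vti_pvt/administrator.pwd", "administrator.pwd",
     "# -FrontPage- admin:XXXXXXXXXXXXX"),
    ("https://files.example.com/config/odbc.ini", "odbc.ini", "[ODBC Data Sources]\nPWD=s3cret"),
    ("https://reports.example.com/scan_2012.html", "Scan results", "This Report Was Generated By Nessus"),
    ("https://www.example.com/press/safe.csv", "safe.csv", "nothing to see"),
]


def _norm(s: str) -> str:
    """Lower-case and collapse punctuation/whitespace, mimicking search-engine term matching."""
    return re.sub(r"[^a-z0-9]+", " ", s.lower()).strip()


def parse_dork(query: str):
    """Split a dork into (operator, value, negated) triples.

    Bare terms become ("intext", term); shlex keeps quoted phrases together and
    strips the quotes; a leading '-' negates the term.
    """
    terms = []
    for tok in shlex.split(query):
        negated = tok.startswith("-")
        if negated:
            tok = tok[1:]
        if ":" in tok:
            op, _, value = tok.partition(":")
            op = op.lower()
            if op == "filetype":
                op = "ext"
        else:
            op, value = "intext", tok
        terms.append((op, value, negated))
    return terms


def _matches(op, value, url, title, text) -> bool:
    if op == "inurl":
        return _norm(value) in _norm(url)
    if op == "intitle":
        return _norm(value) in _norm(title)
    if op == "intext":
        return _norm(value) in _norm(text)
    if op == "ext":
        return url.lower().split("?", 1)[0].endswith("." + value.lower())
    if op == "site":
        host = re.sub(r"^https?://", "", url).split("/", 1)[0].lower()
        return host == value.lower() or host.endswith("." + value.lower())
    raise ValueError(f"unsupported operator {op}")


def search(query: str, pages=PAGES):
    """Return URLs of pages satisfying every term of the dork (AND semantics, like Google)."""
    terms = parse_dork(query)
    return [url for url, title, text in pages
            if all(_matches(op, v, url, title, text) != neg for op, v, neg in terms)]


if __name__ == "__main__":
    for q in ("#-Frontpage- inurl:administrator.pwd",
              "inurl:odbc.ini ext:ini -csv",
              'intext:"This Report Was Generated By Nessus"',
              "intext:classified site:example.com"):
        print(q, "->", search(q))
```

Anything this returns is something a search engine can return too, and the fix is to remove the file or block the path, not to rely on robots.txt, which only asks well-behaved crawlers to look away and is itself a public list of what you consider sensitive.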


Filed under Internet Defense

Configuring On-Boarding Using Identity Services Engine ISE 1.1MR / 1.1.1

Cisco recently updated their flagship access control solution, Identity Services Engine (ISE), to release 1.1.1, also labeled ISE 1.1MR (Maintenance Release). See more on ISE HERE. My team has received lots of questions around on-boarding new devices with ISE. This post will focus on this feature and assumes a standard ISE design is enabled for wireless access.

On-boarding simply means bringing a new device onto the network for the first time. This process includes certificate enrollment and profile provisioning without involving IT and with little interaction from the end user. ISE 1.1MR accomplishes these goals by leveraging an existing Certificate Authority, a user database such as Active Directory, and the ISE framework.

The ISE on-boarding process can vary; here it will be explained as a new device connecting to an SSID dedicated to on-boarding new devices (which can be open or secured with PEAP). Devices that connect to the on-boarding SSID will be redirected to a guest registration portal. The user will authenticate, which will trigger the certificate enrollment and profile provisioning process. Parameters to connect to the internal secure SSID will be included with the configuration profile that is provisioned to the mobile device after authentication. From that point on, the device will use the internal SSID for network access, which may have different ISE authorization rules depending on the design. Devices that fail to complete the on-boarding process will default to either a guest SSID or be denied access, depending on the desired policy.

WIRELESS: On-boarding can be designed many ways; for this post we will use two SSIDs, Provisioning_Wireless for new devices and Employee_Wireless for existing approved devices. An access list limiting traffic to ISE, DHCP and DNS will be applied to keep devices from doing anything else while on the provisioning SSID. A possible configuration for both SSIDs could be as follows:

Attribute: Provisioning_Wireless / Employee_Wireless
Broadcast SSID: Enabled / Enabled
Layer 2 Security: None / WPA+WPA2
MAC Filtering: Enabled / Disabled
WPA+WPA2 Parameters: None / WPA2 Policy, AES, 802.1X
Layer 3 Security: None / None
AAA Server: ISE / ISE
Advanced: AAA Override Enabled / AAA Override Enabled
Advanced: NAC State: RADIUS NAC / NAC State: RADIUS NAC

To build this, go to WLANs > Create New > Go and fill out the profile details. Use NONE for the Layer 2 settings so the provisioning SSID is open. For AAA, set the RADIUS server to ISE. Under Advanced, enable Allow AAA Override and change the NAC State to Radius NAC. Go to Controller > General > Fast SSID Change and enable it so the client can move from the provisioning SSID to the employee SSID without delay.
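For reference, the same two WLANs expressed as AireOS controller CLI, together with the access list the design calls for. This is an added example written for this page, not configuration from the original post or a Cisco document; the WLAN IDs, the ISE address, the RADIUS index, the shared secret and the ACL name are assumptions, the lines starting with "!" are annotations rather than commands, and the exact syntax should be verified against your controller release.

```text
! RADIUS pointing at ISE, with RFC 3576 (CoA) so ISE can re-authorize the
! session once the portal/provisioning step finishes
config radius auth add 1 10.1.1.10 1812 ascii S3cr3tKey
config radius auth rfc3576 enable 1
config radius acct add 1 10.1.1.10 1813 ascii S3cr3tKey

! Provisioning_Wireless (WLAN 10): open, MAC filtering so the controller
! sends a MAB request to ISE, AAA override + RADIUS NAC so ISE can return
! the redirect and the pre-auth ACL
config wlan create 10 Provisioning_Wireless Provisioning_Wireless
config wlan security wpa disable 10
config wlan mac-filtering enable 10
config wlan radius_server auth add 10 1
config wlan radius_server acct add 10 1
config wlan aaa-override enable 10
config wlan nac radius enable 10
config wlan broadcast-ssid enable 10
config wlan enable 10

! Employee_Wireless (WLAN 11): WPA2/AES with 802.1X only, no WPA1, no PSK
config wlan create 11 Employee_Wireless Employee_Wireless
config wlan security wpa enable 11
config wlan security wpa wpa1 disable 11
config wlan security wpa wpa2 enable 11
config wlan security wpa wpa2 ciphers aes enable 11
config wlan security wpa akm 802.1x enable 11
config wlan radius_server auth add 11 1
config wlan radius_server acct add 11 1
config wlan aaa-override enable 11
config wlan nac radius enable 11
config wlan broadcast-ssid enable 11
config wlan enable 11

! Let clients hop from the provisioning SSID to the employee SSID quickly
config network fast-ssid-change enable

! Redirect ACL that ISE names in its authorization profile. On AireOS the
! sense is inverted from a normal ACL: "deny" = forward without redirect,
! "permit" = redirect to the portal. So DHCP, DNS and ISE are "deny".
config acl create ISE-REDIRECT
! 1: DHCP (UDP 67-68)
config acl rule add ISE-REDIRECT 1
config acl rule protocol ISE-REDIRECT 1 17
config acl rule destination port range ISE-REDIRECT 1 67 68
config acl rule action ISE-REDIRECT 1 deny
! 2: DNS (UDP 53)
config acl rule add ISE-REDIRECT 2
config acl rule protocol ISE-REDIRECT 2 17
config acl rule destination port range ISE-REDIRECT 2 53 53
config acl rule action ISE-REDIRECT 2 deny
! 3 and 4: anything to or from ISE itself (portal, SCEP enrollment)
config acl rule add ISE-REDIRECT 3
config acl rule destination address ISE-REDIRECT 3 10.1.1.10 255.255.255.255
config acl rule action ISE-REDIRECT 3 deny
config acl rule add ISE-REDIRECT 4
config acl rule source address ISE-REDIRECT 4 10.1.1.10 255.255.255.255
config acl rule action ISE-REDIRECT 4 deny
! 5: everything else is sent to the portal
config acl rule add ISE-REDIRECT 5
config acl rule action ISE-REDIRECT 5 permit
config acl apply ISE-REDIRECT
```

Two things to check after applying this: the ACL name in ISE's authorization profile must match the controller's ACL name exactly (it is matched as a string, not looked up), and the "deny means do not redirect" rule above is the most common reason a provisioning SSID appears to work but the client never reaches the portal or, worse, reaches everything without being redirected.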

ISE: (1) First, in ISE set up Active Directory by going to Admin > External Identity Sources > Active Directory and joining ISE to an AD domain.

(2) Next go to Admin > External Identity Sources > Certificate Authentication Profile > Add to define the certificate authentication profile (name it and choose Common Name as the X.509 attribute to use as the identity).

(3) Next define an Identity Source Sequence by going to Admin > Identity Source Sequences > Add. Give it a name, select the certificate authentication profile you just created, then add AD to the authentication search list.

(4) Next configure ISE to act as a Simple Certificate Enrollment Protocol (SCEP) proxy. Go to Admin > Certificates > SCEP CA Profiles > Add. After you define your SCEP server, ISE downloads the RA and root CA certificates from the CA server (this can be verified in the certificate store via System > Certificates > Certificate Store).

For this scenario, we will configure ISE authentication to use MAB for on-boarding new devices. In many cases ISE will not know the MAC address in advance, so it must be configured to continue the authentication process (and redirect the client) even when the endpoint is not found.

This is done in ISE:

(1) Go to Policy > Authentication, choose your MAB wireless policy, click the caret after Allowed Protocols to expand the identity store options, and click the + sign next to Use.

(2) Set If user not found to Continue. As a reminder, ISE authentication policies are evaluated top down, so make sure the MAB policy used for BYOD is at the top and open to all identity stores. Lock down the 802.1X wireless policy so it accepts certificates only.

Client provisioning is based on how ISE classifies the client machine. There are customized packages in ISE available that include a software-provisioning wizard, which configures 802.1x settings and ability to obtain digital certificates on the endpoint.

To download wizard packages in ISE, go to Policy Elements > Results > Client Provisioning > Resources > Add. Common mobile platforms such as iOS have a native supplicant that ISE can configure directly, so no wizard package is needed for them.

To configure client provisioning in ISE:

(1) Go to Policy Elements > Results > Client Provisioning > Resources > Add.

(2) Create a native supplicant profile by giving it a name, selecting the Wireless checkbox, the SSID the device should use after on-boarding (Employee_Wireless in this design), WPA2 for security, TLS for allowed protocols and a key size of 2048.

(3) Next go to Policy > Client Provisioning to build your provisioning rules. Create one for native devices and select the mobile profile you just created as the result (example: Rule = IOS, Identity Group = Any, Operating System = Mac iOS All, and your new mobile profile for the result).

(4) Create another that is similar but uses Android for the operating system. Create a third for generic Mac OS X devices and use the downloaded wizard. You may also want to create separate rules for wired and wireless. The same goes for two more to cover wireless and wired Windows devices. Here is an example of my client provisioning policies.

The final steps are verifying that profiling for wireless is working and that your authorization profiles are set up for redirection, employee access and guest access (see previous postings for these configs). These can vary depending on how you want to treat devices that pass or fail your policies.

Written by Joseph Muniz and Aamir Lakhani

Reviewed by Aman Diwakar and Brian Trulove


Filed under Bring Your Own Device BYOD, Network Admission Control