What is Real Story on Default Passwords?

Is it really as bad as some say? People are not changing default passwords and thus hackers control their machines if remote access is enabled in some way.

i think it is VERY BAD – as people are really looking for ways to make bad decisions:

https://superuser.com/questions/106917/remote-desktop-without-a-password

\

My apologies to this person who maybe innocently was trying to make some administration easier for him, but the lack of security knowledge is apparent. One should NOT even think of creating a scenario where there is a blank password on a machine (ever – even worse for remote access).

If this machine was connected to a Credit Card Machine now you are in PCI compliance violation.

Ok, we know not to have default or blank passwords…

Or is it that people don’t need to change the default password as the system is not remote accessible?

Even then the default password should be changed, because physical access needs to thought of, and is not 100% foolproof.

Or is it that people think the system is not remote accessible but it really is in some way?

The last scenario may be likely if the level of sophistication is not good.

And the hackers are looking for these machines as a post from last year notes the Verizon data breach Investigations Report  http://oversitesentry.com/why-are-there-cyber-security-issues/

Mentions that Remote Command Execution was found on scanned machines more than at other times.

Human error is one of the main reasons for security failures. in 2014 IBM ‘s Cyber Security Intelligence index notes “95% of all security incidents involve human error”

 

So how does a stakeholder (the board, CEO, exec team) make sure that human error is minimized (as it will likely never be 100% gone). It is to obvious to most: Bring in outside help to get a second or third opinion, and perform tests to see where human error can be minimized.  The CISA (Certified Information Systems auditor) would review the potential risks and set up  an audit to methodically find security issues.

Contact us to discuss

#SmallBusinessWeek Fail on Cybersecurity

I apologize, but I see most small business do not have plans in place for disaster recovery and Cybersecurity because it does not help them run their companies.

True it does not help run the company but it allows you to run the company after a Cyber event happens.

I have written about this before in the past few posts and weeks/months. But there is a definite disconnect between the Decision makers and the current environment. Here is a past post where the mechanics of making money for the Cyber criminals only makes it clear in dollars and cents that the Criminals are making MORE money every year.

I don’t want to bore you with actual criminal dollar numbers, because they are low estimates since people do not report the actual amount.

This picture from a past post also explains the large problem of database breaches.

 

To come back to my initial post – if you never backup your files in a proper way then ‘when’ a problem occurs you will not have a business.

This isn’t even insurance, because if there are no files backed up then it is over. Insurance is “a thing providing protection against a possible eventuality”.

If you have cyberinsurance you can get some money back to rebuild your files. But you still have to rebuild.

IF small business would have had proper IT practices then there is no need for cyber insurance. Look around the world for others that perform good practices that will help you keep your information safe.

Saumil has presented 7 axioms of security at BlackHat Asia  online here: youtube video

7 axioms of security

Intelligence Driven Defense

  1. Defense doesn’t mean risk reduction
  2. CISO’s job is Defense
  3. Schrödinger’s hack – i.e. test realistically
  4. Can’t Measure? Can’t use it
  5. Identify your target users, and improve them
  6. The best defense is a creative defense
    1. create credit cards with no usage except to tell you when it is used.
  7. Make defense Visible, make defense count
  • Intelligence means collect everything!
  • Get creative, get organic (organic security=grow it yourself)

Contact me to discuss: tonyz”@”fixvirus.com

 

Changing Default Passwords: Too Hard?

Is changing the default password too hard on your devices?  For example the highest profile devices (not IoT Internet of things), but the ones that process money: POS(Point Of Sale) terminals.

Above is an Ingenico ISC250 with a stand. (from discountcreditcardsupply.com)

Are manufacturers making it easy or hard to change the default password?

 

Well, if you Google “hacking a point of sale terminal”, then several interesting links come through:

Old news stories are relevant as many businesses (small and large) do not make changes and purchase old equipment. Wired 2012 story of 63  breached POS systems using malware.

The story also mentioned 40 people arrested in Canada over a carding ring, which also tampered by stealing POS terminals and installing sniffers on them.  Which means they were able to modify the machines at will.

 

So this is why I mention the difficulty of changing the default password on these machines. Yet the password information is on the Internet, so if you are a hacker and wish to spend time to learn the password it is available for you to do so.

Helcim Support helpfully has the method of changing the password on their website:

Check the default password from manufacturer: ‘123456P’ not very sophisticated??? and the new password is to be 7 characters long with one letter. An amazing testament of password schema from the manufacturer Ingenico.

At oversitesentry we are dedicated to helping companies harden their security systems, including POS. Changing your default password is a must, and places you in compliance with PCI DSS (Payment Card Industry – Data Security Standard)

I don’t understand why owners and managers in charge of POS systems that depend on revenue from these systems have not understood the concept of changing the default password on their POS devices. Why am I mentioning this?

Because small businesses fail after a successful criminal cyber attack

(from a previous post among many on our blog)

The statistics are bad… but why is this? Is it that the default password is _REALLY_ that hard to change? Is it that difficult to make a Cyber policy?

I think that the managers and owners assume nothing will happen to them, because last month nothing happened.  Their education is based upon experiences and the news of companies being hacked is not a big deal.

VISA has stated in the past that the major problems (breaches) come from basic failures like not changing default passwords. Visa website to go for more information.

The following is a screenshot from a VISA presentation on PCI compliance challenges.

Card Present Vulnerabilities:

  • Insecure remote access used by attackers to gain access
  • Weak or Default passwords and settings commonly used
  • lack of network segmentation
  • malware deployed to capture card data
    • absence of anti-virus tools to detect malware

 

 

So I would like for you to contact me if you want to do something about this problem – tonyz”@”fixvirus.com or 314-504-3974 Tony Zafiropoulos.

What are the top 5 thoughts to keep in mind?

I was watching Feynman videos and saw this unique   list (10 times Feynman blew our minds) that has insight into what we should focus in Cybersecurity as well.

I wanted to distill this video into 5 top items and relate them to Cybersecurity.

#5 Asking How Things Work Can Start You on a path of discovery (the definition of a hacker), and keep asking how, make experiments etc.

#4 History is fundamentally irrelevant when trying to solve new problem. As the new problem will not have an old method solution. (Of course Feynman assumes you DO know the methods of the past). This is akin to TTP Tactics,Techniques, and Procedures in Cybersecurity.  We as humans tend to let our history guide our future, but if we want to solve new problems, we need to have new solutions.  In this arena we do not need history (fundamentals still need to be known).

#3 In trying to learn about the world, ask questions and doubt. Can you live with doubt and approximations? Not everything learned is exact. In cybersecurity there are many areas that we do not know – for example: ” How will the next attack come into our environment?” . Can you live with this knowledge? We have to learn how to perform risk management with an incomplete picture

#2 Naming things(xyz) does not give you knowledge (it allows you to talk to others about xyz). Fundamental knowledge is not about the name. Also analogies are also bad as they can mean different things to different people.

#1 Know that you don’t know – and what it is you don’t know (basic tenet of blue team defense).

As Rumsfeld has been known to say “There are known knowns and known unknowns” Things that you think you know that it turns out you did not.

 

With these 5 tenets we can develop Cybersecurity top5 tenets:

  1. Known unknowns – Keep searching for new methods to learn environment in new ways.
  2. Explain methods and reasons without technical jargon
  3. Always review your environment with a level of uncertainty
  4. Tactics, Techniques, and Procedures cause a certain mindset to develop, one must still try to think out of box to see the attacker’s viewpoint.
  5. Asking how things work is good beginning. And eventually it can build into being a subject matter expert.

 

Cybersecurity, Solved in 1 hour? Nope takes at least 1 Season..

Yes we are a nation of television watchers and expect everything to be solved quickly, since all TV shows end in 1 hour.

In the online book (in books.google) of “Television and Politics”

The problems solved in our shows apparently are remembered with ‘calls for action’ are the ones solved by individuals.

So maybe after a lifetime of watching these shows we have a predisposed subconscious notion to assume 1 person can solve most problems in a reasonable amount of time (1 hour or 2 hours).

So when a complex issue is placed in front of us such as

Red vs Blue  teams attackers vs defenders where a series of steps breach a server and then use more tools to keep access of the system without the defending teams knowledge.  The solution to this issue is not obvious.

So Why am I beating this horse again?  Because the principle will not go away. The attackers will find ways and use the systems we have to attack us.

For example… we want to defend our SQL servers, maybe by hiding them. But this will not work, as there are tools to ask our systems “what are the SQL servers”? And our computers dutifully answer this request.

 

Technical Example:  Do you have a domain controller? Which is automatically running Active Directory? The program that runs your network and username and password authentication.

Then how do you defend against a user asking various questions to your DC(Domain Controller) with some commands?

You can access Powershell from a command line, and then ask various questions (execute commands) like  get-service or get-process to find out what services and processes are running on the system.

Why is this important? Because you can pick a service running on the system and then try to see what users have access to this service with another tool PowerMemory for example (as the tool(RWMC) in this article is no longer supported)

Here is PowerMemory definition:

Exploit the credentials present in files and memory

PowerMemory levers Microsoft signed binaries to hack Microsoft operating systems.

So! you might say, how does one get command line access on a server?

Let’s say that you got the user to click on phishing malware and now a command line shell was opened, and connects back to one of the Command and Control servers.   techtarget.com explains this phenomena

 

Once the hacker has a command line opened (however they did it). Now they will try and get more access – by obtaining the passwords for administrator accounts.

How to do that?  Sean Metcalf in DEFCON 23 video discusses several methods.

Including using powershell tools created by hackers, tools like

PowerMemory  Exploit the credentials present in files and memory

kerberoast   a series of tools for attacking MS Kerberos implementations. Below is a brief overview of what each tool does.

The method of obtaining passwords from places on the Microsoft server is also useful: “Finding Passwords in SYSVOL & exploiting Group Policy preferences”  is a good article discussing the same topics as in the video.

The credentials can be taken from .xml files on any windows systems. If the system is in a domain then it will have a local user account and whoever logged into that particular system.

All domain Group Policies are stored here: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\

So the hacker knows where to look and what to find… the .xml files with CPassword variable, which has the password stored in an encrypted format.

So now it only depends on how strong your password is…

What are your password schema characteristics?  Do you require long passwords? more than 14 digits? Because if you have less than 14 digits the hackers will have an even easier time to get your passwords.

So is it still easy? Can you depend on only your defense team (Blue team) to keep all of your assets without unauthorized access? It will take more than a single episode, a season of episodes.  It will take a marathon of binge watching to keep the hackers away. It will take red teams (ethical hackers) to attack.

 

we can help you with a plan of security policies and red team attacks.

Contact Us.