Linux Rootkits Hard to Detect

First of all what is a rootkit?

A collection of software that runs on a compromised host and hides itself from the computer's user and administrator while giving the attacker continued access to the machine.

It does this by running with 'root' privilege, usually inside the Operating System kernel itself (for example as a loadable kernel module). In Linux 'root' is the administrator account.

Once an attacker has root, software can be written that hijacks system calls: the calls that list files, directories and processes are intercepted, and the rootkit's own files, processes and connections are filtered out of the results. That is how the software hides itself in the Linux system while keeping root access.

I am not going to tell you how to create rootkits, as many people on the Internet have done so and show what they have done.

Marcus Hodges gave a one-hour presentation at Thotcon about how to hide from the operating system: hijacking the operating system's calls, which is the technique a rootkit is then built on.

Once system calls are hijacked the attacker can create hidden areas on the file system to stow tools and stay quiet until further objectives are pursued.

In the Cyber Kill Chain the rootkit belongs to the Installation phase and performs the function of persistence: keeping a presence on the attacked network.

A decent command to find out what programs actually do on a system: strace, the Linux troubleshooting and debugging tool that records every system call a process makes and what the kernel returns. Since a rootkit works by tampering with exactly those calls, knowing which call a tool like ls or ps depends on tells you which call to distrust and where to look for an independent second view.
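One cheap check that follows from this, as an added example (my own, not code from the original post or from the Thotcon talk): the enumeration call a rootkit hooks (getdents/getdents64, which is what `ls /proc` and `ps` go through) is not the only way to ask the kernel whether a process exists. Probing each /proc/<pid> path directly goes through stat instead, so a PID that stats fine but never appears in the listing is being hidden by something. The /proc paths and the pid_max sysctl are standard Linux; the sample PID sets at the bottom are constructed.

```python
"""Cross-check for processes hidden from directory listings.

Added example, not code from the original post or from the Thotcon talk.
A kernel rootkit that hooks getdents/getdents64 can filter its own PID out of
the entries returned for /proc, which is how ps, top and ls enumerate
processes. Such hooks usually leave stat/open alone, so probing /proc/<pid>
directly still succeeds. Comparing the two views exposes hidden PIDs.
"""
import os


def listed_pids(proc="/proc"):
    """PIDs as seen through readdir (getdents): the view a rootkit can filter."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(pid_max, proc="/proc"):
    """PIDs found by asking for each /proc/<pid> by name (stat, not readdir).

    Walks the whole PID space, so on a kernel with a large pid_max this takes
    a few seconds; that is acceptable for an on-demand integrity check.
    """
    return {pid for pid in range(1, pid_max + 1) if os.path.isdir(f"{proc}/{pid}")}


def hidden_pids(listed, probed):
    """PIDs reachable by direct path but missing from the directory listing.

    Pure function so it can be exercised on constructed input. On a live box a
    process that exits between the two scans shows up as listed-but-not-probed,
    which is harmless noise; probed-but-not-listed is the signal.
    """
    return sorted(probed - listed)


def read_pid_max(path="/proc/sys/kernel/pid_max"):
    """Upper bound of the PID space; falls back to the classic default."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 32768


def scan_live_system():
    """Run both views against the running kernel; returns suspicious PIDs."""
    listed = listed_pids()
    probed = probed_pids(read_pid_max())
    return hidden_pids(listed, probed)


# Constructed sample: the directory listing is missing PID 4242 although the
# path /proc/4242 answers when stat'ed directly.
SAMPLE_LISTED = {1, 2, 117, 980, 4243}
SAMPLE_PROBED = {1, 2, 117, 980, 4242, 4243}

if __name__ == "__main__":
    print("sample:", hidden_pids(SAMPLE_LISTED, SAMPLE_PROBED))  # [4242]
    print("live:", scan_live_system())
```

`strace -e trace=getdents64 ls /proc` shows ls going through exactly the call a listing hook filters, which is why the second view has to come from a different call. A rootkit that also hooks stat or the VFS lookup defeats this particular check, so treat an empty result as the absence of one symptom, not as a clean bill of health.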

Contact Us to discuss a strategy to defend your computer networks

How About Adversary Based Threat Analysis?

Another Thotcon presentation was very good, unique and moves the industry forward.

Julian Cohen presented this idea:

“Understanding Your Adversaries”

In his talk: “Adversary-Based Threat Analysis”

He explained that in the traditional threat modeling process the following 6 steps happen.

  1. Identify Assets
  2. Create Architecture Overview
  3. Decompose an Application
  4. Identify the Threats
  5. Document the Threats
  6. Rate the Threats

 

But his method includes rating the adversaries.

He gave some examples that are well documented in Mandiant's report (the PLA, or People's Liberation Army). The report is now in a "new" Mandiant web location with all of their reports.   Here is an updated link: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

This famous report is known as APT1 (APT = Advanced Persistent Threat); the fame of this report is that Mandiant did a thorough analysis of how and who did the attacking from China (PLA Unit 61398), down to learning exactly where the attacks came from (which building).  You can search for APT1 in any search engine and the term is attributed to the report.

Julian discusses the adversary because they have a say (or should) in how you defend.

A discussion of the Intrusion Kill Chain (by Lockheed Martin) ensued; below is each phase with the action and tools the adversary used.

  1. Reconnaissance: email harvesting
  2. Weaponization: Office macros
  3. Delivery: phishing
  4. Exploitation: target runs the macro
  5. Installation: Poison Ivy
  6. C2 (Command and Control): Poison Ivy
  7. Actions on Objectives: pivot to Active Directory

Here is where Julian discussed "what" the adversary is using and how effective they actually are.  The adversary is not going to do 'everything'; they will do the things that work.

There is another matrix which reviews Attacker Cost (which drives Likelihood), focusing on these phases:

  1. Weaponization: Office macros
  2. Delivery: phishing
  3. Installation: Poison Ivy
  4. C2: Poison Ivy

We all know phishing works for them, since we are inundated with spam that tries its hardest to trick users and get access to their machines.

Then he also reviewed what is effective for defenders:

  1. Delivery: phishing
  2. Installation: Poison Ivy
  3. C2: Poison Ivy

He also made this comment:

“Adversaries don’t think about winning once. They build repeatable, scalable playbooks that are cost effective at achieving their objectives over and over again against a series of targets. Adversaries don’t think about winning at all, they think about a steady stream of targets.”

Attacker efficiency: Attackers determine the least costly and most valuable attacks based on

  • Who are the targets
  • Required success rate
  • Speed of conversion

Defenses to APT1 are the following, the courses of action from the Lockheed Martin kill chain paper, applied phase by phase:

Detect, Deny, Disrupt, Degrade, Deceive, Destroy.

All attackers are resource constrained and all attackers have a boss and a budget.

Likelihood versus Impact   (in a risk calculus)

In most cases issues should be rated on likelihood alone.

Do not make impact High by default; that inflates every item and hides the ones that are actually likely.

Get the most up-to-date research data to drive the likelihood information in your matrix.

He is talking about the likelihood versus impact matrix I have shown in the past (in that graph likelihood = probability), and in the presentation he showed his own version of it.

Notice the similarities; the impact and likelihood axes were swapped, which does not actually mean much.

There is a profound meaning in this realization.

The reality is that attackers are not going after you specifically but after a template of defenders, so you have to have a profile that makes you more difficult to crack than the template: with a focus on phishing defenses and on defending against Poison Ivy, the tool.

You should not just create a threat model of your systems and software; also pay attention to the attackers who are doing specific things, so that you can focus on the high-risk items and the actual likelihood of attacks on your infrastructure.
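To make the rating concrete, here is an added example (my own, not Julian's code or slides; the numbers are a constructed sample, not figures from the talk or the Mandiant report) that scores each kill-chain phase the way the two matrices above do: likelihood from what the technique costs the adversary and how often they reuse it, then likelihood times defender effectiveness to rank where defensive spending pays off. Impact is deliberately absent from the ranking, which is the point of rating on likelihood.

```python
"""Likelihood-driven prioritisation of kill-chain defenses.

Added example, not Julian Cohen's code or slides. It encodes the two matrices
described in the post: per kill-chain phase, what the adversary's chosen
technique costs them (cheap and proven means high likelihood) and how
effective the defenses available for that phase are. Phases are rated on
likelihood, as the talk argues, and ranked by likelihood times defender
effectiveness to show where effort pays off. All numbers are a constructed
sample patterned on the APT1-style chain in the post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PhaseObservation:
    phase: str
    technique: str
    attacker_cost: int           # 1 = off-the-shelf and reused, 5 = custom and expensive
    observed_use: float          # share of this adversary's known intrusions using it, 0..1
    defender_effectiveness: int  # 1 = little you can do here, 5 = mature, reliable controls


def likelihood(obs: PhaseObservation) -> float:
    """Rate 1..5 from attacker cost and observed reuse, not from guessed impact.

    A cheap technique the adversary keeps reusing is the likely one: attackers
    are budget constrained and run repeatable playbooks, so cost and observed
    reuse are the evidence that belongs on the likelihood axis.
    """
    cheapness = (6 - obs.attacker_cost) / 5      # 1.0 for cost 1, 0.2 for cost 5
    return round(1 + 4 * cheapness * obs.observed_use, 2)


def priority(obs: PhaseObservation) -> float:
    """Where to spend: likely steps that defenders can actually stop."""
    return likelihood(obs) * obs.defender_effectiveness


def rank(playbook):
    """Phases ordered by priority, highest first (stable for ties)."""
    return sorted(playbook, key=priority, reverse=True)


def defensive_plan(playbook, top_n=3):
    """Names of the phases worth investing in first."""
    return [obs.phase for obs in rank(playbook)[:top_n]]


# Constructed sample playbook following the chain in the post.
APT1_STYLE_PLAYBOOK = [
    PhaseObservation("Reconnaissance", "email harvesting", 1, 0.90, 1),
    PhaseObservation("Weaponization", "Office macros", 1, 0.80, 2),
    PhaseObservation("Delivery", "phishing", 1, 0.95, 4),
    PhaseObservation("Exploitation", "target runs macro", 2, 0.80, 3),
    PhaseObservation("Installation", "Poison Ivy", 1, 0.90, 4),
    PhaseObservation("Command and Control", "Poison Ivy", 1, 0.90, 4),
    PhaseObservation("Actions on Objectives", "pivot to Active Directory", 3, 0.70, 3),
]

if __name__ == "__main__":
    for obs in rank(APT1_STYLE_PLAYBOOK):
        print(f"{obs.phase:22} {obs.technique:26} "
              f"likelihood={likelihood(obs):.2f} priority={priority(obs):5.2f}")
    print("invest first in:", defensive_plan(APT1_STYLE_PLAYBOOK))
```

With these inputs Delivery (phishing) comes out on top and Installation and C2 (Poison Ivy) next, which matches the defender-effectiveness list from the talk; reconnaissance scores last not because it is unlikely but because there is little a defender can do about email harvesting. Swap in your own observed_use figures from current threat reporting, which is what "drive the likelihood with up-to-date research data" means in practice.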

 

 

Burnout in Infosec Means All is Lost?

Thotcon (Chicago’s Hacking Conference)  thoughts…

Saw several good cybersecurity presentations, while one of the keynotes, Josh Corman, discussed burnout in the infosec/opsec community.  This is a problem for our industry, as I have discussed in past posts.  It has to do with the following 3 topics:

1. Workload: for most infosec people 50-60 hours is the minimum on a regular week, and more during emergencies.  Josh mentioned 80 hours as a regular work week for many; this high workload leads to exhaustion.

2. What happens when there is no relief and working 80 hours a week becomes a permanent way of life?   Now we get to negativity or cynicism. The constant pressure creates a kind of psychological defense by cynicism.

3. Reduced efficacy, or effectiveness, due to the constant pressure.

What was really on Josh's mind was the increasing number of suicides among his friends.

The picture is a moment during Josh's lecture on white hat motivations.

So Josh would like to do something about this phenomenon.  He gave the example of a psychologist saying that the other profession with similar characteristics is nursing (high workload and cynicism lead to lower efficacy).

He also said to not follow the herd and do not put down your fellows/ colleagues.

Above is a picture of the beginning of the second day where the Thotcon organizer was having some fun in a Wookie costume.

The main problem is to get more help, so that infosec people do not burn out completely and do things that we all will regret.  Another problem is that infosec people are hard to find (or at least competent ones).

So the true issue is to get resources and eyeballs, the attention of the C-suite, and generally a different level of attention.

Believe it or not, for companies this is addressed in GRC: Governance, Risk, and Compliance.

GRC – Governance, Risk, Compliance

Governance is different from an IT department simply run by the CFO or the CEO. The point of Governance is that the goals of the organization are kept in mind (not just the mind of one person); it is the codification of the goals. WRITTEN goals, so that the group of people in charge of GRC can work toward this written goal using risk and compliance as ways to manage things. So the staffing of the IT department (which includes opsec or infosec) is a risk to be measured. You should not have a single person running the IT department, nor should you have 80 hours of work for 1 person. For 80 hours of work, there should be 2 people.

Setting up GRC in an organization might take a while, but once set up it helps the organization manage compliance and regulatory risks by providing proper Governance, controlled by the people who are supposed to run the company, with proper human resource goals as well.

Internet Cameras Vulnerable to Attacks With No Fix

If there is no way to fix a vulnerability, what do you do with a camera that has it?

Here is the quote on Threatpost (from the engineer who found the flaws):

“Over 2 million vulnerable devices have been identified on the internet, including those distributed by HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight and HVCAM,” said Paul Marrapese, a security engineer who discovered the flaws and set up the hacked.camera website.

So the key from Paul's website is the following two CVEs:

What is CVE-2019-11219?

CVE-2019-11219 refers to an enumeration vulnerability in iLnkP2P that allows attackers to rapidly discover devices that are online. Due to the nature of P2P, attackers are then able to directly connect to arbitrary devices while bypassing firewall restrictions.

What is CVE-2019-11220?

CVE-2019-11220 refers to an authentication vulnerability in iLnkP2P that allows attackers to intercept connections to devices and perform man-in-the-middle attacks. Attackers may use this vulnerability to steal the password to a device and take control of it.

So it is mostly iLnkP2P, a P2P component that many vendors embed in their devices, with many companies potentially affected.

This problem has just been released to the public; Mr. Marrapese sent initial advisories to the vendors on 1/15/19.

 

So in theory the vendors should have been working on this issue, but they did not respond. So the vulnerability was sent to CERT/CC, and then the 2 official CVEs were set up by MITRE:

CVE-2019-11219 and CVE-2019-11220

Devices that use the following Android apps may be vulnerable:

  • HiChip: CamHi, P2PWIFICAM, iMega Cam, WEBVISION, P2PIPCamHi, IPCAM P
  • VStarcam: Eye4, EyeCloud, VSCAM, PnPCam
  • Wanscam: E View7
  • NEO: P2PIPCAM, COOLCAMOP
  • Sricam: APCamera
  • Various: P2PCam_HD

Time to start making people aware and get their vendors to fix these problems, because some vendors are foot draggers on security.

So the real bad news is that attackers now definitely know about the problems, so attacks may be coming soon.

Coming back to the original question: how can you protect cameras with this flaw? You have to put a new NGFW system in front of them, kind of like how one protects a Windows XP machine or any system that no longer gets updates.  One caveat specific to these devices: the P2P design means the camera itself initiates outbound connections to reach the P2P network, which is exactly what lets an attacker connect to it through the firewall (CVE-2019-11219 above). A firewall in front of the camera therefore only helps if it also blocks the camera's own outbound P2P traffic, not just inbound connections; if the firewall cannot do that, the device belongs on its own isolated network segment.

Here is my old post on NGFW : https://oversitesentry.com/what-is-an-advanced-firewall-utm-ngfw/

 

Contact us to discuss this with you.

Review of “Anon” movie

In the spirit of a lighter fare this Sunday.

Watching Anon (again): it is an interesting futuristic movie in which everything is video recorded. Apparently everyone has a recording implant, and Clive Owen, playing Sal Frieland, is an investigator who needs to find a murderer. Apparently there is a hacker who breaks into other people's recording devices to kill some people.  This hacker (a woman) also has no digital record.

<<<Lots of Anon spoilers here in this post.>>>

The hacker is apparently so good that the recordings of this woman are edited out of the library. As Sal sees the woman on the street, the image is later removed from the record.  The main library seems to be hacked by this uberhacker.  As more and more actions occur Sal notices this anomaly more frequently.

Apparently the hacker built an algorithm to erase all images and recordings of herself from everyone else's records as they walked by and saw her.

The uberhacker can also edit real-life records and add moving images (a train) into events as they happen.

To catch the hacker Sal has to try to hire her.

Sal's colleagues perform a sting operation and are able to find all of her proxies (12 of them) that handle all of the ways she covers her tracks. The uberhacker tries to have an anonymous life and does not go out unless she has to.

 

There is a lot of sex and violence (lesbian and straight) in this movie: shooting with a revolver point blank, and the hacker does not seem to have any remorse. Also interesting is that the victims do not defend themselves, as they have no guns or any other weapons.

Later the commissioner is more upset about the uberhacker anonymizing than about the murders themselves. Quote: "I don't care that the victims no longer exist. I care that she doesn't."

Another colleague: "Anonymity is the enemy"; we have to find out how she does it.

 

Sal has to meet her (the uberhacker) again and she explains that she started erasing her life at eighteen.  (More sex scenes.)

— Stopped midway —

First thoughts: it is an interesting sci-fi movie with some new ways of running the future using video embedded in all people.   It seems that sex and violence are too easy to insert in these movies. I wonder if there isn't a better way to make a murder investigation more interesting. Less blood and certainly fewer sex scenes might actually provoke more thought as to what could be happening.  Anyway, it starts out OK as a murder-investigation-hacking story.

Why is this important? Because movies sometimes become reality; ever heard "life is stranger than fiction"?

—-

The tale gets a bit strange when Sal sleeps with the uberhacker. She of course now looks closer at Sal while deleting the just-created sex scenes.

But most interesting: the guy who was keeping an eye on Sal (Lester), she killed him.

She then records a message for Sal saying that if he tries to find her she will kill him.

His other colleague comes in and says that Sal let her escape and kill his buddy.

"Go home, take some time off."

When Sal is in his apartment the uberhacker really goes to work. After he has a short conversation with her (via text) she proceeds to create nightmare scenes for him, starting with a guy punching him, then a dog attacking, and then she does something even worse by erasing all of Sal's memories of his son's accident and all memories of his son.

Now things really get interesting when Sal's building is on fire (in his head only).

Then she starts to add scenes where there is no traffic in a busy intersection, which creates an accident.

Now his boss comes back to discuss the situation, and while he is in the neighborhood Sal gets arrested for shooting his neighbor and is placed under house arrest.

Sal has to go outside and punch his overwatch agent with his eyes closed.

His boss says they will hire more hackers.

Then, as Sal finds the uberhacker's apartment, she claims that she did not kill Lester.

He claims the hacker was hacked, and his boss says you can't prove this.

That is the problem: nothing proves anything, since it can all be manipulated.

Sal is placed under double house arrest now.

She places a loop in his eyes while creating a false officer-down call, allowing Sal to get back to her apartment while no one is looking or following.

Except the hacker (Cyrus) who hacked the uberhacker is there too; once a shootout happens Sal kills Cyrus.

Sal's boss was mad that the uberhacker was released.

The uberhacker explains that she created an algorithm that splits her life into micro-fractions and stores them in everyone's record, so that no one sees her.

Near the final scene the uberhacker (Anon) explains this to Sal and says that the killer had to find both him and her so that Sal could help her kill him. "That was close," says Sal.

What do you have to hide?  Anon says nothing in particular, "I just don't want to be seen."

So this movie makes an interesting twist on a standard murder mystery, which happens to show corruption in the government and police forces (a recurring theme in many movies).

It also sets up an interesting sci-fi world of recording and hacking methods. Of course making a movie which pretends all of these things happened is easier than actually building a world that records everyone's movements everywhere.

Thankfully we were not subjected to hours and hours of the monotony in most people's lives in this movie. Cooking and using lavatories were not important in a short movie that had to flip through the scenes quickly.  Besides that, the storage requirements for all of it, and the actual privacy concerns of everyone, seem to have been glossed over.

My most interesting point for this movie was when the bureaucrats decided it was better to control people than to find out who committed blatant crimes. Also, in this system they did not audit themselves, so the system was rife with corruption.

Auditing yourself may have its uses.