Hi, Can I have your password please?

Whilst many people might suspect and consequentially defend against physical and system based attacks, one facet of security that is often overlooked is Social Engineering.

Social engineering as the name suggests is a highly involved and developed field that plays on the engineering of human psychology to provoke results such as information that can be used in an attack. Sometimes the entire attack can be carried out through social engineering.

Social engineering in part plays on peoples propensity (especially in the UK!) to be helpful and go out of their way to ensure that the ‘customer’ has a good experience.

From an objective point of view, social engineering is a wonderful blend of science, creativity, art and psychology, a good social engineer doesn’t need to force his victim to hand over information – he makes the victim *want* to give away the information.

In a world where many systems are becoming ever more secure, the ROI of spending weeks and months plotting an attack against a system vs making a phone call or gaining physical access to the building is a thought worth considering – especially since many employees don’t get specific training to deal with the threats posed by social engineering.

Social engineering is everywhere, sales men want to elicit information to clinch a sale, media wants to persuade you to think a certain way and politicians want to make you believe in them.

One of the most common methods of attack is via phone, it has the benefit of being untraceable to the attacker (if intelligently performed) and the attack can be carried out over any distance. Often the victims are help desk operators due to the nature of their roles. Their malleable mind is trained to be of utmost assistance and to please the caller in anyway they can, so when I ring and ask them to reset a password or pretend I’m a fellow employee they act on instinct.

Personal attacks are also popular too, especially those in which people will ring or text and pretend to be from your bank and ask you to read your card and pin/password.

Whilst we as security practitioners might wonder how people ever fall for these ploys it’s important to remember that the ‘general’ public simply don’t have security and suspicion in their mind all of the time, and tend to want to believe in the good of those they are interacting with.

Social engineering is a vast and creative exploit, however defense is not so vast and the right conscious choices can make all the difference.

Whilst training employee’s is a great idea, it’s important to note that many attacks actually occur from with inside the company; disgruntled employee’s for example.

In these cases the training will be known and can be exploited. The old ‘something you are something you know’ practice is good here – if you can ensure that verification of identity is at least a two step reliant on something you are as well as a unique code or PIN then you can at least ensure a deeper level of security.

As with any system you can never make it completely secure, however a comprehensive security policy and commitment to personal and corporate education can make the difference. The fact is that social engineering can and does happen and the better educated you are the better you can deal with it.

You can read more about how social engineering happens, and an in depth look at the tactics here. In addition this paper from sans.org showcases some of the best ways to prevent social engineering here.

 

 

 

 

 

 

Advertisements

Sweet32- A personal look.

So recently news broke about the attack dubbed ‘Sweet32’ that can potentially decrypt session cookies from an estimated 1% of of the Internets HTTPS traffic and potentially effects 600 of the most visited websites.

You can read more about it here.

Now of course even the news sources aren’t getting too hyperbolic over this because not only is it effecting an estimated 1% of the traffic (although that’s not negligible) it’s also not the easiest of attacks to carry out as it requires several conditional steps, and has never been tested outside of the lab.

Conditional steps are never good in an exploit because it often means a lot of variables, for example in this attack you have to sniff the traffic, then control the JavaScript on the victims page in their browser. It’s not unfeasible but it’s a fairly verbose and also directed attack.

Which is fine if the attacker is sniping  particular target(s), but it’s also quite resource heavy, needing 38 hours to collect 785GB of data to get to the (sadly inedible) cookie.

Regardless of the efficacy of the attack in a live situation, the fact remains that this exploit is a great opportunity to learn more about vulnerabilities.

Now the main vulnerability here, or rather the source that enables this to work is old 64 bit block ciphers. Larger cipher blocks like AES (128 bit) are immune to this attack because it negates collisions.

Collisions, which we talked about earlier in the post titled ‘Security Fundamentals; Cryptography’ can be used to return plain text.

So if you are using protocols that can be vulnerable to collisions, then you have an insecure system. Even hash functions like SHA1 which don’t as-of-yet have any live collisions shouldn’t be used because we know computational power will eventually break that barrier – probably sooner rather than later.

The real takeaway however is that you should never be surprised at how many companies, both large and small will use insecure protocols. As with the recent impetus on rolling out  HTTPS for example, companies really struggle to balance peoples conflicting needs with security, and often compromises are made.

 

 

 

 

 

Information security

Information security as the name implies is the act of keeping information secure.

What many people fail to realise is that this goes beyond the powers of personal security measures, and into the realms of corporate and state security policies.

As soon as you give any information away, as soon as you use a credit card in a shop or sign up to a website you are placing your data in their hands. Your email and password is stored onto their system and you are completely reliant upon their security to keep it safe.

Now in utopia, where trees are ever green and your car never breaks – these people would safely handle your data and do every single thing they can to ensure they follow data protection laws and keep you safe.

However unfortunately we know that’s simply not the case. Over the recent years we have heard countless stories regarding the encroachment of peoples privacy and data, both from maliciousness and plain foolishness.

The sad truth is that as one recently apprehended Russian hacker would tell you, many companies still store sensitive data (like credit card details) in plain text files, completely open to anyone with the knowledge to grab them.

Security is hard, and that is why being a security expert grants such a high demand and wage. Many simply don’t want to – or are fearful of implementing the security required to protect your data. Often it’s a case of trying to meet everyone’s needs, which leads to compromise.

Then, of course is the government aspect which can’t go unmentioned with what we know today. The government are a bit like over protective parents, their intent is somewhere in the right place, yet the methods and tactics they have used in the past to protect you have been completely irresponsible and a real genuine invasion of privacy.

The problem we have however – is that if we are to live in society, and to function in what constitutes as a ‘normal’ life, then we are going to have to end up placing trust into all of these people. But you can choose what you share, and more importantly the damage that would be done should those you trust fail to keep your information safe.

This is why using an arbitrary email address and password for superficial things (not business) is a great idea, as is having separate credit cards with differing limits and I would go as far as to suggest using a VPN and ensuing a private browsing session, as you would be amazed how much telemetry and tracking goes on as you nonchalantly browse the web. There’s far more you can do too. Being selective with who you give your information to is the most obvious of course – an ounce of prevention is worth a pound of cure.

The good news – (if you can call it that) is that as a security practitioner you will always be needed. As we enter the precarious wasteland of IOT devices and their glaring flaws in security; often from manufacturing – your skills will always be required. And on another level, whilst you won’t be receiving any knighthoods from the queen, your role in security really can prevent peoples lives from being torn apart.

It’s a brave new world, and the more information we have the better we will be to deal with it; and even come to embrace it.

 

 

 

 

 

Security Practical – Exploit task 2

So now we have the first flag we can move on to level01 in which we receive some code that has a vulnerability in that it constantly runs arbitrary programs.

So getting right into it we can try calling flag01 which will return this – Nebu01

Now this flag assumes you know a little about coding, because if you did you would realise that usr/bin/env is not a good way to find the location of echo. In fact usr/bin/env is a fixing path commonly seen in Python, and it runs through all of the directories specified in the PATH, thus provoking arbitrary programs.

So if we want to get the flag we know we should be looking to add the flag to the path so that it runs when the search for the echo is invoked.

Neb0101

Once that is completed we now need to create a symbolic link between home/level01 and bin/getflag

Level0101010

Once that is done it’s important that you remember not to getflag from the level01 account.

Level0101

And then simply execute the /flag01

Level0101010101

And there we have it. We have been given the task of finding out why this program is executing arbitrary programs and have then discovered the vulnerability with the path. We then proved this by making a link between the home and the flag and executing the program, thus exploiting the vulnerability.

Security Practical – Exploit task 1

Whilst theory is important, there is only so much information you can absorb before you need to start practicing it. Theory is the underpinning and practical the execution.

One of the first things you will need to install for the vast majority of exercises on the net is a virtual machine player, you can grab a copy of VM ware Here.

You’ll also want to install Kali Linux which is set up with security tools from the go, and used in the vast amount of text based examples.

In the future we will be working from Georgia Weidmans Pentesting book but for today we will be working through a simple exploit which you can find here At exploit exercises

Download the first nebula task and load the ISO into your VM player.

Nebu

You will then see something like this.

Our task is to find a set user ID service that will allow you to set the user as “flag00”

From here it would really help if you have experience in Ubuntu, especially simple commands like finding man pages or changing directory. It would be worth spending an hour or so just familiarising yourself with the basics as it will be invaluable experience.

Essentially you are looking to run an application under the user flag00, as with most things there plenty of ways to go about this, the easiest is to search the user, find the bin and run the exe..

 

Security Fundamentals; What is hacking?

As anyone with passing interest in security (or even just common sense) will know – hacking is not like in the movies where our action hero types at 100 WPM and hacks into the ‘main frame’ of the network and takes it over.

Movies represent hacking in this way because security experts staring at screens of code or typing commands in terminals is not anywhere near exciting.

But alas, the reality is that ‘hacking’ as a broad term, tends to involve quite a bit of genuine hard work and knowledge. Which is why it commands such a high price. Unless of course you are just running ready made exploits, which requires much less skill.

Hacking in it’s purest form is not just constricted to computing, any type of technical tinkering and tweaking of hardware/software or engineering is hacking. But most only know hacking of the nefarious kind.

However for the purpose of this post we will be specifically focusing on hacking of the technology kind, and especially infiltration and attacking foundations.

We will take a common example of an attacker infiltrating a companies network.

First the attacker will want to set up a strategy for the attack, the most efficient attackers will have the entire play planned out, some however will adjust as they go.

A good way for the attacker to do this is to test for vulnerabilities on the network.

One of the main ways an assess this is to sniff the traffic between the company’s internal network and the outside network. By inspecting the data a knowledgeable attacker can inspect the packets and gain more knowledge of the target.

It is important to do this so as build up an idea of the network and then choose the right tool for the job. It is also important to remain hidden during this stage, It is definitely recommended that you use a tool like TOR to route your traffic somewhere else and ideally not use a connection linked to your home name and address.

You can read more about that Here at leak source

Once the network has been assessed it is then time to choose what attack method to deploy, as well as the attack vectors available to you based on the information gathered during the reconnaissance.

One common method would be to continue the reconnaissance from behind the firewall which will illuminate a much deeper breadth of services, additionally we may wish to simply use distributed denial of service. It is here that you might want to run scripts and often hear the term ‘script kiddies’. The more experienced attackers will develop their own scripts for use, where as the novices are best to use tried and tested exploits.

Whilst this guide has shown the general gist of how an attack is deployed, There’s no use rehashing the valuable and bountiful information available on the net.

For example –

Hack Back! A DIY Guide for Those Without the Patience to Wait for Whistleblowers

So now we have seen what hacking is, we have a general idea of what we might do if we wanted to attack a local company for example.

But we also have an idea of what attackers do, and can begin to think about how we might go about securing a network or organization.

For example we know that attackers really desire poorly-configured services or old/ unpatched software/hardware. Even the best firewall will struggle to stop an attacker once they are client side of it. So we know that one step is to remove the discoverable services, and those that can be discovered by whois attempts are secure, and not open with no authentication.

You can also set up fake services or servers that alert you if any suspicious activity is discovered on them.. as well as this you obviously want to ensure all the staff in the clients organization are following secure practices and that inside network escalation is limited, as often attacks are carried out from the inside.

As we go forward in this fascinating journey we can begin to map out the process of both attacking and defending. Next we will focus on something more practical.

 

 

 

 

 

Security Fundamentals; SS7

Even though SS7 has been covered in the media many people still haven’t even heard about it, let alone realised how it can effect their lives.

The problem with these stories is that the news gets hold of them and for a short time people become embroiled in the paranoia. Images of nefarious attackers waiting at their laptops like dogs at the post enter the imaginations, ready to strike anyone at any time.

But once the show is over, the message is lost, leaving many wondering what all the fuss was about.

SS7 is interesting from a security practitioners point of view, because as you will see it highlights that any system of infrastructure can be vulnerable, and knowing how it’s exploited helps you to build up the knowledge base.

To provide the information on SS7 I have copied in a piece I wrote for a university module.

Security holes in the mobile networking technology Signaling System Seven (SS7) have been found after research was carried out by German researchers.
SS7 was developed in 1975 and is the backbone to services such as call forwarding/ending, SMS(Short Message Service) messaging and prepaid billing as well as other mass marketing services.
It consists of dedicated channels known as signaling links which interact with the three signal points – Service Switching Points, Signal Transfer Points and Service Control Points. The traffic is routed by packet switches whilst the SCP’s and STP’s tend to be mated so service can resume if one network suffers downtime.
Essentially the entire mobile network is vulnerable to the exploit which is similar to a man in the middle attack between network signals that exploits the top level authentication and communication vulnerabilities.
The exploit allows attackers a multitude of attacks which include eaves dropping on calls, location tracking as well as fraud and exploits in the billing systems, it was even suggested that the right request could force the operator to hand over the crypto keys for the session.
The vulnerability – whilst a pressing issue is not a new find, and has been widely known about since 2012 when German researchers demonstrated the attacks at a security conference.

In February 2015 AdavaptiveMobile launched a project to survey and secure the traffic traveling via SS7 over operator networks. By combining a firewall and advanced reporting and intelligence gathering they protect an estimated one fifth of the worlds subscribers.
However the flaw in SS7 remains a threat to personal security and with the infrastructure being so pervasive in nature there is little one can do to ensure personal security against the inherent vulnerabilities in SS7.
For organizational security Adaptivemobile offers a dedicated firewall;’AdaptiveMobile SS7 Protection secures the network against privacy & fraud attacks by combining SS7 Firewall
capability to block suspicious traffic with our Advanced Analytics algorithms that automatically identify and report on threats to the network in real time, and our unparalleled Threat Intelligence services to discover new and emerging vulnerabilities’

So as we can see SS7 was known to vulnerable around four years ago(probably longer) and it took three years for to proactively come up with a solution.

The problem with SS7 is that there is no broken handle just swinging around in the wind, the entire protocol is old and developed based on the principle of hard wires, and whilst it could have potential fixes (such as layer 2 authentication over the top of the protocol) you would then need all of the carriers, the people involved to be on board with this.

So as it stands, the mobile networks are completely open to this and whilst a personal attack on you isn’t likely, you can be sure there are powerful people or bodies of people who will be both victims and attackers.

It’s interesting from a security practitioners standpoint though because you get to see how long it actually takes to fix something as high risk as this. An attack vector that has the capability to track your movements and steal all of your SMS messages. It’s been widely known about for four (if not more) years now and the protocol is still vulnerable.

Often times it is bureaucracy that stands in the way for many reasons. Often it can just be an unwillingness to implement secure procedures, especially collaboratively. As with IPv6 or HTTPS, it appears to be a lot of work to bring change, and it’s not like any handles are physically broken off and swinging in the wind, so why bother?

As a security practioner it also offers a great chance to ponder how you would defend from this? what could you implement or do that would make you able to continue using your phone?