Shared experiences, adventures, and challenges of a cyber professional. Expect topics ranging from penetration testing and cracking tutorials, through to human threats, vulnerabilities, and the challenge of cultural change.
Tuesday, 1 November 2016
Drivedroid - Nethunter - OnePlus One
Turns out, something has to happen to kick the USB host into action. I'm still experimenting, but if you are having similar issues, try running the nethunter custom scripts for "WLAN1 monitor mode", Y-Cable Charging, or wifite... you don't have to have an external wifi connected, just run the script.
It will of course fail. But, try drivedroid after doing this and you might find it works, as it did for me.
Monday, 24 October 2016
Referer Spam
http:// www dot dolcifirme dot com dot au/scripts/redir dot asp?link=http:// dkmhab dot xyz
Nice one, spammer scum, and thanks for giving me something to write about, not to mention a great example to talk about next time someone asks why open redirects are such a big deal.
I owe you one!
Saturday, 22 October 2016
Tao of Cyber Part I
From thought and emotion
Even the tiger finds no room
To insert his fierce claws
Interpretation: The tiger in this case is the cyber criminal. Your personality is your vulnerability. Your likes, dislikes, interests, pet hates, your emotional response to events, emails, phone calls, physical interactions, incidents, and conversations. Even the people you know and care about, work with, or love, expose you to a potential for social engineering, either directly or by association.
Unless you are a recluse, hermit, self-loathing, bipolar, split-personality schizophrenic, or psychotic, drug addicted social reject, you will not be able to free yourself from this vulnerability. Even then no one is immune.
Taoism might be able to help, but true dedication to the path to enlightenment is incompatible and irreconcilable with modern day life. So how do you go about protecting yourself from social engineering while still having a "life", in the 21st century sense? For me, this is not always straightforward.
From my experience, there are likely several stages of a career in Cyber. These stages can be visualised as a diminishing sine wave, with a Y axis of "paranoia".
To begin with, you will no doubt see things in your line of work that open your eyes to the techniques that cyber criminals use. This will make you paranoid for a while.
Later, you will see how careless and dismissive the general population are in their online habits, without any negative repercussions. This will make you relax somewhat, perhaps too much. Perhaps you will rationalise the reduced security as operating appropriately within the current threat landscape, or level of risk.
Inevitably, you will see some bad shit go down, affecting real people, maybe some people that you know, maybe even you. This will send your sine wave back up to a heightened level of security again.
Over time, you might realise that actually, the repercussions of that last incident didn't really affect people too badly. Within a few months, everyone stopped talking about it. And no one died. This will help you to relax again.
Eventually, you will find a baseline of secure practices that are not so difficult to live with, that you can get used to and make part of your daily operations. This might include the use of multi-factor authentication wherever possible, a password manager with unique passwords on all sites, using pseudonyms on facebook, sticking camera lens covers on your devices, using Tor for sensitive browsing or security research, regularly checking your credit report, signing up to haveibeenpwned, etc.
You will still be wondering if you are doing enough... should you also be using a VPN with Tor? Should you configure a VPN gateway at home for streaming video sources? Should you encrypt your disks at the expense of performance? Do you establish and regularly test an emergency secure data destruction procedure?
If you're not buying or selling drugs, viewing or distributing illegal porn, offering DDoS or hitman services, then the extra effort of such measures is probably unnecessary.
But you must still be aware of these procedures, because you might find that you do need them one day and, of course, they are also the methods that your adversaries will be using.
To conclude with a real life rationalisation of the opening poem excerpt: we are only human. Very few of us go to the extremes necessary in the pursuit of enlightenment, thus sacrificing what makes us human. You must do what you feel is right to protect yourself in your world. Not everyone becomes celibate, carries a gun, or studies martial arts to extreme levels in order to defend themselves against a gang of drug dealers, or a state-sponsored hitman. Likewise, not everyone implements secure online practices to a level that would protect them from a determined cyber attacker or opportunistic cyber thief.
You only need to be secure to the extent that makes you feel comfortable, and that is the end of the matter. When you, or someone you know, suffers a cyber attack, you might decide to up your game a little bit. And so your sine wave of paranoia propagates.
Of course, working and researching in cyber leads to an increased risk profile, and increased baseline level of paranoia. You really should practice what you preach, because it doesn't look great for a security professional to suffer a security breach.
Sweet dreams!
Sunday, 15 May 2016
Paranoid Ramblings One : ISP Monitoring
This is the first in a (probably) ongoing series of thought experiments to rationalise some of these threats and what they mean for me, and maybe also for you.
To understand the techniques that malicious entities might try to use against me, my employer, or people that I know, I inevitably like to try these things out for myself sometimes. This includes playing with tools such as nmap, zmap, nping, recon-ng, the social engineering toolkit, metasploit, Mana, Karma, BDFProxy, WiFite, Tor, SQLMap, etc. etc. etc. the list is simply too long. Most recently, thanks to my MSc final year project, I have been increasingly experimenting with Tor, scapy, and MITMProxy.
All of this toying and experimenting has never resulted in a complaint, although it has always occurred to me that my ISP might find some of the traffic emanating from my location increasingly questionable. I have read stories online of people's internet being disconnected due to using nmap too aggressively, for example, and so the possibility that this could happen to me has always been at the back of my mind. I do make use of Tor and various VPNs when testing out certain tools, but I have never made an all-encompassing effort to go completely "dark".
Two weeks ago, my internet connection slowed right down. It's never been that amazing, typically achieving between 8-14Mbps down and 2Mbps up. Around 2 weeks ago it slowed down to around 3Mbps down. I didn't have the time or energy to take this up with my ISP. Around a week ago, my download speed dropped again to around 1Mbps. Today I thought enough was enough so I called them. They were incredibly helpful and ran a number of line tests, and stated that they had found a fault on the line, which would require an engineer to visit somewhere (not my house) later in the week to correct the problem.
Immediately, my line speed increased to 3Mbps.
So, with my tin-foil hat lying somewhere else in the house, my paranoia metre begins to register some activity.
I suppose it is possible that my IP address has been flagged as sending suspicious packets for a long enough time now that I have ended up on some kind of "high risk" list. And perhaps the ISP process is to, rather than just disconnect their users, throttle their connection until the customer gets in touch to report a problem, thus getting confirmation that they have the correct customer. Maybe they occasionally take the step of sending an engineer to physically separate the high risk users from the main customer base to make their monitoring easier and reduce noise from lower risk customers. Perhaps, nah, surely not... perhaps they alert suspicious activity to higher authorities so that they can have their agents patch high risk users through to other monitoring systems for closer inspection, with minimal noise.
Perhaps it was just a fault on the line.
This certainly isn't the only thing that I wonder about. Trying to guess what other people's intentions are (mostly at work) takes up an increasing amount of my thought time these days, which can be exhausting. I wonder, do all Information Security professionals have this same level of paranoia?
In any case, I have spent enough time pondering this now. Any excuse for a distraction from wrestling with shadow-tor, python, graphml generation, and pcap inspection! I'm sure I have enough evidence that I'm a researcher and not a criminal in case I ever get a knock on the door.
Back to work!
Friday, 6 May 2016
Password Auditing - A Word of Advice
Friday, 22 April 2016
Tuesday, 19 April 2016
Covering Your Webcam
Of course it's also easy to create malware that can send back screenshots from a victim machine, so it's not just spy agencies that we should be worried about.
http://thehackernews.com/2016/04/tape-webcam.html?m=1
Security Challenge
Try to think of a security incident or challenge that doesn't boil down to human behavioural problems as its root cause. Looking forward to my first comment as the tumbleweeds drift on by...
Wednesday, 13 April 2016
Password Cracking Top Tip!
Tuesday, 12 April 2016
Nethunter on Cyanogenmod 13 and oneplus one
Caution: nethunter can swallow up large amounts of valuable time. Only use it if you have time to spare and don't mind hacking (as in close to the true sense of the word) in order to fix issues that arise. Having reached a stable state now, I will think twice about changing anything anytime soon!
I've used nethunter for fun stuff on my OnePlus One for around a year now. There were a very small number of minor niggles that annoyed me a little, but that I chose to just live with, and everything was fine. The user interface wasn't amazing, but the tools mostly worked as intended. It was awesome, running on CM 11 and nethunter 2.x. BDFProxy did what it said on the tin, BeEF worked nicely with MITMProxy injecting hooks, I could run vulnerability scans with OpenVAS, and it generally rocked my world. The Swiss army knife for ethical hackers and script kiddies alike.
Around January this year I spotted that a new version of nethunter had been released, and I was pretty excited. As soon as I was able to, I followed the upgrade instructions on the nethunter site through CM 12 and installed nethunter 3.0. Things have been far less awesome since then. I'll describe some of the issues and then the resolution at the end of this post.
Issue number 1: drivedroid just stopped working. Drivedroid is great because it allows you to host an ISO or other disk image from your phone, over a USB cable and make it appear as though it is a CD drive, writeable USB stick, or read only USB. It's amazing knowing that you can boot into tails, kali, DEFT, or any other favourite live CD distro or tool of your choosing, even konboot. With CM12, none of this worked. In CM 13 it does.
Issue number 2: The phone crashed randomly and frequently. It could happen overnight while I was asleep, meaning that my alarm wouldn't go off. It could happen when I disabled WiFi tethering. Rebooting the phone would sometimes fix it, but sometimes 3 or 4 reboots were required. Clearing the cache would increase the chance of success but was still not foolproof. CM 13 fixed this.
Issue number 3: Sound and video playback would just stop. Again, rebooting didn't always help. CM 13 fixed this.
Issue number 4: If you are running the TWRP recovery manager, you cannot apply over the air updates for your OS. There is no fix for this that I have found.
Resolution: Most of the issues above have been fixed by upgrading to CM 13, and now things are much more awesome again. It was a painful upgrade process, but worth it. Some advice if you are about to embark upon this endeavour:
Make sure you have backed up your precious data. You don't want to lose those pictures of your cat or mum or whatever.
Clear the cache, and preferably factory-reset the device before every step. Failing to do so can lead to crashing applications, failed startups and other such delights.
Rough guide:
Download the latest stable CM 13 and store it in the root of your device. This may appear as /sdcard in TWRP. Do the same with the latest nethunter build, openGapps, and SuperSU.
With TWRP, first install CM 13, then openGapps. Boot up and make sure everything seems OK. If things don't seem good, then go back into recovery and factory reset.
Next, install SuperSU, and then boot up and download and install busybox from the play store.
Finally, go back into recovery and install nethunter.
If all has gone well then you should have a stable installation.
Happy scripting, kiddie!
Monday, 11 April 2016
Four Truths
Thursday, 7 April 2016
Securitopia
Monday, 4 April 2016
Rainbow Tables
A rainbow table, on the other hand, consists of precomputed "chains" of hashes, where a reduction function is repeatedly performed on each output hash along the chain to create a new password candidate according to the desired length and complexity. Once a chain is complete, which is typically thousands of hashes long, only the start and end hash are stored in the rainbow table.
There are instructions online for generating your own rainbow tables or for downloading or purchasing precomputed rainbow tables. This effectively allows any password within a given character set and length to be cracked in a very short space of time, as long as it has not been salted, and as long as you have the storage available for your rainbow table.
When you have a hash for which you wish to find the password, you begin by running the same reduction function on it repeatedly until you match the end hash for one of your chains. You then start the repeated reductions again from the start of that same chain until you find the hash that matches the one you wish to crack. At this point you have successfully guessed the password, if all has gone according to plan. Software such as rtgen will do all of this for you and it is much quicker than a standard brute force, and will take far less storage space than a complete hash table for a character set.
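The chain construction and lookup described above, as an added toy implementation (not code from the post, and not rtgen): MD5 over a three-lowercase-letter key space, 2000 chains of 50 reductions each, storing only each chain's start and end. It goes one step beyond the text's description in that the reduction function is mixed with the column index, which is what distinguishes a rainbow table from an older Hellman-style table, and is why the lookup has to try every possible column.

```python
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3                          # key space: 26**3 = 17576 unsalted passwords
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 50                      # reductions (columns) per chain
N_CHAINS = 2000                     # chains built; only their start/end survive

def h(pw: str) -> str:
    """The unsalted hash being attacked (MD5 here for speed)."""
    return hashlib.md5(pw.encode()).hexdigest()

def pw_from_int(n: int) -> str:
    """Map an integer in [0, SPACE) to a candidate password."""
    out = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)

def reduce_(digest: str, col: int) -> str:
    """Reduction function: hash -> next candidate. Mixing in the column index
    gives each column its own reduction, which is what makes it a rainbow table."""
    return pw_from_int((int(digest[:12], 16) + col) % SPACE)

def build_table() -> dict:
    """Walk start -> h -> reduce_0 -> h -> reduce_1 -> ...; store only end -> start."""
    table = {}
    for i in range(N_CHAINS):
        start = pw_from_int((i * 7919) % SPACE)   # spread starts across the space
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_(h(pw), col)
        table.setdefault(pw, start)               # merged chains: keep the first
    return table

def crack(target: str, table: dict):
    """For each possible column, walk to the chain end; on a stored end, regenerate."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_(target, col)
        for c in range(col + 1, CHAIN_LEN):
            pw = reduce_(h(pw), c)
        start = table.get(pw)
        if start is None:
            continue
        cand = start                              # false alarms just fall through
        for c in range(CHAIN_LEN):
            if h(cand) == target:
                return cand
            cand = reduce_(h(cand), c)
    return None
```

A salted hash (or any input outside the precomputed key space) never matches a regenerated chain, which is the practical reason salting defeats the table.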
Soft Security is Hard
AD Password Auditing Workflow
- Acquire your AD backup NTDS.dit, and SYSTEM file.
- Remember to tidy up files as you go, leave no trail.
- Extract the hashes using the 2014 version of libesedb and the latest esedbextract.py.
- Filter the accounts and hashes to only show active user accounts that have not expired.
- For the worst offenders, just use the worst password lists freely downloadable from the net, in NT format, and no rules.
- For slightly less bad offenders, use more wordlists such as rockyou from previous breaches.
- For more offenders, use a dictionary containing company names and usernames, etc. and start adding rules.
- For users who do at least make some effort to choose their own password, use a dictionary containing months, days, seasons, town names, countries, etc. with rules.
- Crack in LM mode and use the output passwords to create a new dictionary for NT mode.
- Larger dictionaries with harder rules
- Incremental mode
- Another tool such as rainbow tables.
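Two steps of the workflow above, as an added audit helper (not the author's scripts): filtering a hash dump down to active accounts, flagging which of those still store a real LM hash, and expanding an LM result (always upper case) into the case variants that an NT-mode dictionary needs. The dump lines, account names and hash values are constructed for the example; the only real constant is the well-known empty-LM hash.

```python
import itertools
from typing import Dict, List

# Well-known LM hash of an empty password: accounts showing it have no LM hash stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample in pwdump format (user:rid:lmhash:nthash:::); hashes are fake.
SAMPLE_DUMP = """\
alice:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1106:1a2b3c4d5e6f70811a2b3c4d5e6f7081:fedcba9876543210fedcba9876543210:::
svc_old:1107:1a2b3c4d5e6f70811a2b3c4d5e6f7081:00112233445566778899aabbccddeeff:::
"""
ACTIVE_USERS = {"alice", "bob"}     # constructed: output of the AD account filter step

def parse_dump(text: str) -> List[Dict[str, str]]:
    """Split pwdump-style lines into user, RID, LM and NT hash fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = line.split(":")[:4]
        rows.append({"user": user, "rid": rid, "lm": lm.lower(), "nt": nt.lower()})
    return rows

def active_rows(rows: List[Dict[str, str]], active: set) -> List[Dict[str, str]]:
    """Keep only enabled, unexpired accounts (the 'filter' step in the workflow)."""
    return [r for r in rows if r["user"] in active]

def lm_enabled(rows: List[Dict[str, str]]) -> List[str]:
    """Accounts still storing a real LM hash: the weakest link, so crack these first."""
    return [r["user"] for r in rows if r["lm"] != EMPTY_LM]

def nt_candidates(lm_password: str) -> List[str]:
    """LM cracking returns the password in upper case; the NT hash preserves case, so
    emit every case variant for NT mode (2**letters entries per LM result)."""
    options = [(c.upper(), c.lower()) if c.isalpha() else (c,) for c in lm_password]
    return ["".join(p) for p in itertools.product(*options)]
```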
Sunday, 3 April 2016
Easy Nethunter Creds Hunting
Simple tip for Kali Nethunter:
You don't have to run any mana or karma, hostapd or use an external WiFi adapter for credential harvesting. Just openly share your normal WiFi access point and run the net-creds.py tool that comes with mana. Any unencrypted creds will be caught and stored.
Important: don't do this in public unless you are willing to risk being arrested. Also be aware that when you share your WiFi for open tethering, you may be incriminated for the actions of anyone who connects.
Network Security Journal Publication
The discussion is informed by a review of recent literature focusing on attacks against anonymous systems such as Tor, i2p, and Freenet, and can be found here: http://www.sciencedirect.com/science/article/pii/S1353485816300289
Quite a change in direction from my previous publication on performance enhancing substances in Freediving but then my career took a sharp change in direction circa 15 years ago.
This blog is going to be a place for me to share my personal experiences and adventures into the world of cyber. If that sounds like your bag then welcome on board, friend!