Hack Back

One extremely enjoyable read and a succinct example of a complete and effective attack, with some great background on the phases of a breach, ethical or otherwise. Hack Back.

Covering Your Webcam

Of course it's also easy to create malware that can send back screenshots from a victim machine, so not just spy agencies that we should be worried about.

http://thehackernews.com/2016/04/tape-webcam.html?m=1

Security Challenge

Try to think of a security incident or challenge that doesn't boil down to human behavioural problems as its root cause. Looking forward to my first comment as the tumbleweeds drift on by...

Password Cracking Top Tip!

Maintain your own wordlist of previously guessed passwords. In follow up audits, you can then use JTR rules against user's old passwords. You'll be amazed (or maybe not) at how many users that have been asked to change their passwords will think it's OK to simply put a "1" or yesterday's date at the end of their old password.

Nethunter on Cyanogenmod 13 and oneplus one

Caution: nethunter can swallow up large amounts of valuable time. Only use it if you have time to spare and don't mind hacking (as in close to the true sense of the word) in order to fix issues that arise. Having reached a stable state now, I will think twice about changing anything anytime soon!

I've used nethunter for fun stuff on my oneplus One for around a year now. There were a very small number of minor niggles that annoyed me a little, but that I chose to just live with, and everything was fine. The user interface wasn't amazing, but the tools mostly worked as intended. It was awesome, running on CM 11 and nethunter 2.x. BDFProxy did what it said on the tin, BEeF worked nicely with MITMProxy injecting hooks, I could run vulnerability scans with openVAS, and it generally rocked my world. The Swiss army knife for ethical hackers and script kiddies alike.

Around January this year I spotted that a new version of nethunter had been released, and I was pretty excited. As soon as I was able to, I followed the upgrade instructions on the nethunter site through CM 12 and installed nethunter 3.0. Things have been far less awesome since then. I'll describe some of the issues and then the resolution at the end of this post.

Issue number 1: drivedroid just stopped working. Drivedroid is great because it allows you to host an ISO or other disk image from your phone, over a USB cable and make it appear as though it is a CD drive, writeable USB stick, or read only USB. It's amazing knowing that you can boot into tails, kali, DEFT, or any other favourite live CD distro or tool of your choosing, even konboot. With CM12, none of this worked. In CM 13 it does.

Issue number 2: The phone crashed randomly and frequently. It could happen overnight while I was asleep, meaning that my alarm wouldn't go off. It could happen when I disabled WiFi tethering. Rebooting the phone would sometimes fix, but sometimes required 3 or 4 reboots. Clearing the cache would increase the chance of success but was still not full-proof. CM 13 fixed this.

Issue number 3: Sound and video playback would just stop. Again, rebooting didn't always help. CM 13 fixed this.

Issue number 4: If you are running the TWRP recovery manager, you cannot apply over the air updates for your OS. There is no fix for this that I have found.

Resolution: Most of the issues above have been fixed by upgrading to CM 13, and now things are much more awesome again. It was a painful upgrade process, but worth it. Some advice if you are about to embark upon this endeavour:

Make sure you have backed up your precious data. You don't want to lose those pictures of your cat or mum or whatever.

Clear the cache, and preferably factory-reset the device before every step. Failing to do so can lead to crashing applications, failed startups and other such delights.

Rough guide:

Download the latest stable CM 13 and store it in the root of your device. This may appear as /sdcard in TWRP. Do the same with the latest nethunter build, openGapps, and SuperSU.

With TWRP, first install CM 13, then openGapps. Boot up and make sure everything seems OK. If things don't seem good, then go back into recovery and factory reset.

Next, install SuperSU, and then boot up and download and install busybox from the play store.

Finally, go back into recovery and install nethunter.

If all has gone well then you should have a stable installation.

Happy scripting, kiddie!

Four Truths

There are four basic truths in security, infosec, cyber, or whichever buzz word you wish to use today. Understanding these truths and how to balance them is key to success. Balancing them may mean planning your own time or the size and structure of your team, depending on where you work.

Firstly, security is fun. It's fun because you get to learn about and sometimes play with the methods that attackers use. You might even start to feel like someone from Mr Robot, or Wargames at times. Some might call this ethical hacking, some penetrating testing, and some may think it's just an excuse to have fun. In any case it is valuable. The key is to not spend too much time or resource on the fun stuff otherwise other areas may suffer.

Secondly, security is easy. By that, I mean it is much easier to look at a system or process and find fault with it than it is to do it right yourself. This is a basic truth in life and recognising it is a differentiating factor when dealing with others. They will feel threatened because you are criticising they way they work or pointing out mistakes that they have made in the past. The key is to make sure they understand that in this respect, their job is harder than yours and they deserve some credit for that.

Thirdly, security is hard. The main reasons for this are twofold. Firstly, related to the second truth, you will often have to overcome the inertia of cultural and behavioural change. This is one of the hardest things to accomplish unless your organisation is prepared to take harsh action against offenders (which in itself can be morally difficult). You will likely make more adversaries than allies. Secondly, when it comes to protecting your organisation from attackers, they have the upper hand. In this setting you have the same challenge that your non-security colleagues have, in that it is easier for someone else to find fault in your security measures than it is for you to get them right. You could easily blame this on your internal challenges, but this is part of your job so you need to suck it up and get on with it. Dealing with these challenges will take constant readjustment of your strategy as you discover more about the organisation's technology, processes, structure, and culture. The key is to not become disheartened when a particular strategy fails. You must be objective and analytical and find out why it failed. Sometimes you are best off to take a step back or some time out to relax and think about something else. Get some exercise and fresh air, or spend some time on your favourite pastime. Sometimes new potential solutions come to me while I'm walking the dog, climbing, or playing the guitar. Of course not all challenges will afford you this luxury of time for problem solving, but some certainly will.

Finally, security is rewarding. By that I mean the harder you have to work at something, the more satisfaction you get when you achieve even small successes. Would it be more fun if security was easy and you had more time to experiment and learn new and exciting techniques? Maybe... But the rewards from winning small battles in this ongoing conflict make it extremely worthwhile and satisfying. The key is to have patience and enjoy the smaller successes that you achieve along the way, because if you want to achieve too much too quickly, you will become frustrated, disheartened, and doubtful. Trust me, I've been there and got the scars to prove it.

I hope this gives some insight into what it is like to be a security officer at a medium-sized international enterprise. Maybe your own experience is different to mine, in which case I would love to hear from you!

Securitopia

What does good security look like? I'll describe it, or my understanding of it at least. towards the end of this post.

In a perfect world, it would be possible to have the proper security controls in place everywhere, and people would respect why they are necessary, and get used to them to the point that they are just second nature. People would understand that technical controls and user policies and processes are there for the protection of all.

In the real world, security costs money in itself and also slows down the way your average worker... works. Technology isn't perfect and your average worker gets things wrong resulting in calls to the help desk for support. Technology requires teams of people to manage it. Users need training, audits need to be carried out, enforcement needs to happen, alerts need to be responded to, and the evolving threat needs to be observed and adapted to. The lower the historical culture of security in an organisation, the more people will inevitably see security as a threat instead of protection.

Strong security is only suitable for organisations with high risk and large budgets for technology and trained security staff. All other organisations need to constantly watch the threat indicators and adapt to address them. This tends to result in excessive levels of policy or controls being put in place, which either turn out to be unenforceable or too costly when or comes to implementing new technology.

Eventually over several iterations of change (or attempted change), enforcement (sometimes with a healthy side of conflict and confrontation), and measurement, an organisation with a good security team will reach a point where things are relatively stable. Users start to come to terms with the processes and accept them. Depending on the baseline security culture, this might take 6 months or 2 years, perhaps more.

Why can't we just perform risk assessments and set policy accordingly, and then start firing people who don't comply? Well maybe in some companies this will work, but probably not in most. Certainly, if two or three people lost their jobs or bonuses due to stubbornness and refusal to comply, the message would spread fairly quickly. But unless a business is clear on taking this kind of approach from the beginning, you will need a more subtle strategy.

You will need allies. You need to find who in the business "gets it". You need to filter out the people who say the right things with no genuine intentions, and the people who just don't want to engage for whatever reason. Possible reasons include other work pressures, or the emotional response that comes about when you try to force behavioural change. This is a very tangible thing, although it might not sound like it.

Once you've figured out who your allies are, and convinced them that you know what you are doing, you can begin making progress. Progress in security has to be collaborative with input from stakeholders. This has two main benefits in that the resulting policies will be more appropriate, and the people providing input will be aware of the new policy and feel as though they have contributed to it.

I'm an idealist and I despise politics. I hate having to second guess what people's intentions are when we're all supposed to be on the same side. The security of the organisation is paramount yet there are sometimes people in the organisation who see it as a threat to them getting things done, changing the way they work, or just making them look bad.

To do security, you need to start to recognise what people's agendas are. What are their objectives? What affects them getting their bonus? What is their history and what are their aspirations? What are their favoured vendors and suppliers? Who are their mentors and allies?

You have to sharpen your tools in strategy and diplomacy, or at least spotting where politics is at play. You must be unrelenting in your vision of protection for the business and everyone in it, even when they fight against you. When someone knocks you back, sometimes you have to let them win that battle and regroup to consider how you will approach the problem from a different angle. I don't claim to be a master strategist, politician or diplomat, quite the opposite. But I've started to appreciate how much of a factor this is in business, and identify when it is blocking progress. In the absence of an actual appetite for politics, my strategy is instead resilience, tenacity, honesty, transparency, and integrity. It is these qualities, and not the alternatives that get an organisation where it needs to be.

So where does it need to be?

Some aspects are so common sense that they should be set in stone. Others require establishing the appropriate level of control, which will look different for each of MI5, a bank, a private company, a public company, a membership organisation, or a creative house, etc. This is what the vision of good security that I mentioned to begin with looks like:

Firstly, employees understand the risks to their personal lives as a result of bad security practices. They spend the time to protect themselves, which in turn reduces risk in the business. They also understand that if the business fails, it is not just they who lose their income, but also their colleagues and their families. This moral obligation results in an increased sense of ownership and responsibility for individual security. It also eliminates the politics that get in the way of good security.

Secondly, the policies and processes are correct and appropriate for the risk profile of the business.

Thirdly, because the policies and processes are correct, the business understands exactly how much spend is required on technology and team members. Server and client operating systems and applications are patched. Alerting systems are fit for purpose and response is timely and appropriate.

Fourth, security gates are embedded at the correct points in all business processes. This includes recruitment, projects, procurement, as well as day to day operations, payment handling, firewall requests, new users, leavers, visitors, etc.

Finally, for now, security teams have responsibility and time set aside to analyse the changing internal and external threats to an organisation and develop defences. Sometimes this includes learning and practicing what the bad guys do in a safe environment.

This list may evolve over time. Future posts will provide some examples of how to achieve successes towards this utopia so keep your eyes peeled for those.

Rainbow Tables

I often see people talking about rainbow tables in lectures and seminars and just getting it wrong. If you have a dictionary of words and their precomputed hashes, then this is a hash lookup table, and there are plenty of free services that will allow you to check the hash that you have obtained against their database to see if it has been cracked before.

A rainbow table, on the other hand, consists of precomputed "chains" of hashes, where a reduction function is repeatedly performed on each output hash along the chain to create a new password candidate according to the desired length and complexity. Once a chain is complete, which is typically thousands of hashes long, only the start and end hash are stored in the rainbow table.

There are instructions online for generating your own rainbow tables or for downloading or purchasing precomputed rainbow tables. This effectively allows any password within a given character set and length to be cracked in a very short space of time, as long as it has not been salted, and as long as you have the storage available for your rainbow table.

When you have a hash for which you wish to find the password, you begin by running the same reduction function on it repeatedly until you match the end hash for one of your chains. You then start the repeated reductions again from the start of that same chain until you find the hash that matches the one you wish to crack. At this point you have successfully guessed the password, if all has gone according to plan. Software such as rtgen will do all of this for you and it is much quicker than a standard brute force, and will take far less storage space than a complete hash table for a character set.

Soft Security is Hard

When I was first asked if I wanted to do security as my main job, I was warned that it would be highly policy based and governance focused; very different to my hands on technical background. I was also told that it would be a great challenge. Having done this for a (little) while now, I can firmly say that those initial warnings were a huge understatement.

Further to this, I noted at pretty much every security seminar or conference that I go to that the recurring theme was that people were the biggest risk. Or more precisely, people are the biggest challenge.

All of this has started to sink into place. You can have the best technology in the world but if the people who use it want to circumvent technical security controls then they will find a way, whether it be to steal data, or just out of pure laziness. Does any of the below ring any bells?

"We've always done it this way...", "...we're not a bank...", "...it's the only password I can remember...", "...we're too busy..." "... we've never had a breach before...", "...yada, yada, yada...".

Setting policy to match the risk profile and appetite of a business is one thing. Overcoming cultural and organisational change in order to implement policy is something else altogether. It requires complete buy in and sponsorship from the top. Even with this advantage, it takes phenomenal time, effort, patience, and resilience. Amongst the success and progress there are many setbacks and obstacles to overcome whether they be due to competing for resources with commercial projects, or general politics, egos, and bullshit.

Apart from a good technical understanding of threats, vulnerabilities, risk, and treatment options, I would say that the most important attribute for a full time security manager is a healthy balance between resilience and patience. To paraphrase the quote: you must have the courage to change the things that you can, grace to accept the things that you can't, and wisdom to know the difference.

I would add to this "...and the resilience and patience to recognise those things that must be changed but have to wait".

Of course, if you are lucky enough to have a great mentor and an energetic and enthusiastic team, then the odds are more in your favour!

It also helps, in more ways than one, to keep that hands on time whenever possible. In developing defences it is essential to have an understanding of the attacks. This means getting involved with incident responses, finding out what malware is doing in safe environments, simulating your own MITM attacks in a variety of situations, running your own phishing campaigns against your organisation, and cracking passwords, for example.

Understanding the technical and social engineering methods in use by external attackers and insiders allows you to prioritise treatments in your mitigation strategy, and understand where your vulnerabilities are when organisations push back on recommendations due to time, budget, or politics.

The saying is that security is a journey and not a destination. This is true because of two factors: the ever evolving threat landscape, and users' defiant urge to do things their own way and ignore policy and process.

So, good luck on this journey because we are all going to need it! This isn't intended to sound as pessimistic or defeatist as it may. If you enjoy a challenge then you are in the right place! And there will always be a job to do.

I'll be posting some of the tips, tricks, and strategies that have resulted in success in this space in the future, so keep yourself posted.

AD Password Auditing Workflow

I'll come back in the future and add more detail on some of the below steps and useful powershell and bash scripts that can help to reduce effort, and password dictionary resources. I like to use docker for the linux work as it provides a means to access a known state environment in seconds with all the correct tools installed.

For now, this is a high level overview:

1. Acquire your AD backup NTDS.dit, and SYSTEM file.
2. Remember to tidy up files as you go, leave no trail.
3. Extract the hashes using 2014 version of libesedb and latest esedbextract.py.
4. Filter the accounts and hashes to only show active user accounts that have not expired.

Once you have the list of accounts you want to crack, use John the Ripper:

1. For the worst offenders, just use the worst password lists freely downloadable from the net, in NT format, and no rules.
2. For slightly less bad offenders, use more wordlists such as rockyou from previous breaches.
3. For more offenders, use a dictionary containing company names and usernames, etc. and start adding rules.
4. For users who do at least make some effort to choose their own password, use a dictionary containing months, days, seasons, town names, countries, etc. with rules.

This should be as far as you need to go for a typical password audit. If you want to go further for companies with higher risk profiles or smaller risk appetites, then consider using one or more of the following methods:

1. Crack in LM mode and use the output passwords to create a new dictionary for NT mode
2. Larger dictionaries with harder rules
3. Incremental mode
4. Another tool such as rainbow tables.

A future post will go into the elegance of rainbow tables and try to explain in simple terms how neat this solution is, plus describe the pros and cons. Watch this space.

When your audit is over, run the list of passwords through pipal to report on password usage and trends in the organisation.

Easy Nethunter Creds Hunting

Simple tip for Kali Nethunter:

You don't have to run any mana or karma, hostapd or use an external WiFi adapter for credential harvesting. Just openly share your normal WiFi access point and run the net-creds.py tool that comes with mana. Any unencrypted creds will be caught and stored.

Important: don't do this in public unless you are willing to risk being arrested. Also be aware that when you share your WiFi for open tethering, you may be incriminated for the actions of anyone who connects.

Network Security Journal Publication

For my first post on this blog, I'm pleased to share that I had a piece of work published in Network Security Journal: "Anonymity networks and the fragile cyber ecosystem".

The discussion is informed by a review of recent literature focusing on attacks against anonymous systems such as Tor, i2p, and Freenet and can be found here http://www.sciencedirect.com/science/article/pii/S1353485816300289

Quite a change in direction from my previous publication on performance enhancing substances in Freediving but then my career took a sharp change in direction circa 15 years ago.

This blog is going to be a place for me to share my personal experiences and adventures into the world of cyber. If that sounds like your bag then welcome on board, friend!