Sunday, 15 May 2016

Paranoid Ramblings One : ISP Monitoring

Working in Information Security opens your eyes to some of the questionable activities that are undertaken by a range of threat actors. The most difficult thing is to not become a nervous wreck as a result.

This is the first in a (probably) ongoing series of thought experiments to rationalise some of these threats and what they mean for me, and maybe also for you.

To understand the techniques that malicious entities might try to use against me, my employer, or people that I know, I inevitably like to try these things out for myself sometimes. This includes playing with tools such as nmap, zmap, nping, recon-ng, the social engineering toolkit, metasploit, Mana, Karma, BDFProxy, WiFite, Tor, SQLMap, etc. etc. etc. the list is simply too long. Most recently, thanks to my MSc final year project, I have been increasingly experimenting with Tor, scapy, and MITMProxy.

All of this toying and experimenting has never resulted in a complaint, although it has always occurred to me that my ISP might find some of the traffic emanating from my location increasingly questionable. I have read stories online of people's internet being disconnected due to using nmap too aggressively, for example, and so the possibility that this could happen to me has always been at the back of my mind. I do make use of Tor and various VPN's when testing out certain tools, but I have never made an all-encompassing effort to go completely "dark".

Two weeks ago, my internet connection slowed right down. It's never been that amazing, typically achieving between 8-14Mbps down and 2Mbps up. Around 2 weeks ago it slowed down to around 3Mbps down. I didn't have the time or energy to take this up with my ISP. Around a week ago, my download speed dropped again to around 1Mbps. Today I thought enough was enough so I called them. They were incredibly helpful and ran a number of line tests, and stated that they had found a fault on the line, which would require an engineer to visit somewhere (not my house) later in the week to correct the problem.

Immediately, my line speed increased to 3Mbps.

So, with my tin-foil hat lying somewhere else in the house, my paranoia metre begins to register some activity.

I suppose it is possible that my IP address has been flagged as sending suspicious packets for a long enough time now that I have ended up on some kind of "high risk" list. And perhaps the ISP process is to, rather than just disconnect their users, throttle their connection until the customer gets in touch to report a problem, thus getting confirmation that they have the correct customer. Maybe they occasionally take the step of sending an engineer to physically separate the high risk users from the main customer base to make their monitoring easier and reduce noise from lower risk customers. Perhaps, nah, surely not... perhaps they alert suspicious activity to higher authorities so that they can have their agents patch high risk users through to other monitoring systems for closer inspection, with minimal noise.

Perhaps it was just a fault on the line.

This certainly isn't the only thing that I wonder about. Trying to guess what other people's intentions are (mostly at work) takes up an increasing amount of my thought time these days, which can be exhausting. I wonder, do all Information Security professionals have this same level of paranoia?

In any case, I have spent enough time pondering this now. Any excuse for a distraction from wrestling with shadow-tor, python, graphml generation, and pcap inspection! I'm sure I have enough evidence that I'm a researcher and not a criminal in case I ever get a knock on the door.

Back to work!

Friday, 6 May 2016

Password Auditing - A Word of Advice

Here is a piece of free advice:

Next time you decide to run a password audit against your company out of the goodness of your own heart to try and educate users or the organisation about password practices in the org, do yourself a favour: run as fast as you can face-first into a brick wall instead and remind yourself that this was less painful than convincing users to not do stupid things. Then ask yourself if you still want to proceed.

If the answer is still "yes", then consider taking this approach:

Only look for the truly daftest of passwords. Don't try and put any actual effort into guessing what users passwords are, because [spoiler alert] you will succeed. 

Two-factor is the only way to save the general populace from their own laziness / stupidity / ignorance / stubbornness. If someone wants their password to be "Jessica1987!", then maybe you should let them. At least it is not "Pa55word". Combine their shitty password with MFA and you are probably doing the best you can to protect your organisation, unless you work for the bank or government.

Even taking this simplified approach, be prepared for a world of pain while you try and find someone to take ownership of the several hundred or more accounts that no one remembers what they are for.

Happy hunting!