need InfoSec advice?

YousiCurity

Monday, August 16, 2010

What is Information Security? In search for a definition.

Googling “information security” brings up a long list of definitions. All are valid, but none provides a satisfying answer; some actually raise more questions than they answer. So here’s my attempt to find the best definition for information security; I’ll start with what information security is NOT.

Information security is not a product that can be bought and deployed: Information Security is not achieved by simply buying Firewalls, AV systems, or other security focused products. It is not a commodity that you can turn-on like electricity.
Information security does not eliminate risk: It can illuminate risk and then mitigate it or manage it, but it does not eliminate it. Nothing does, except perhaps closing down the business process inducing the risk in the first place.
Information security is not being in compliance: It is more than being compliant with standards and regulations; compliance does not always equal security. You could be very good at defending your network against auditors but do poorly at defending it against attackers. The goal should be to be good at both.
Information security is not a milestone to be reached: It is neither that nor an objective to be achieved and then forgotten; it’s an ongoing process and a task that is never complete; similar to policing in this sense. You may be secure at a point in time, which is always in the past; but maintaining security in the present time and into the future requires ongoing effort and continuous adjustment to the changing risk.

In 2004, Richard Bejtlich defined information security roughly as “The process with which we maintain an acceptable level of perceived risk”, which is the best definition I’ve seen so far. I’d like to add to it a bit so it reads like so:

The ongoing process with which we maintain an acceptable level of perceived risk.

The use of the word ‘ongoing’ signals that the process is not static and is always changing as the risk, or our perception of the risk, changes. Of course, the use of ‘perceived’ by Bejtlich is very relevant, as we can only address the risks that we imagine, all other risks are accepted by default. That is why it is so important to involve frontline security people in the risk assessment process, so we can imagine the right risks.

Give me your thoughts :)


Saturday, August 7, 2010

The Verizon Business Data Breach Report is out!

The Verizon Business 2010 Data Breach report was released last Wednesday, July 28. The report is the product of statistical data collected from client cases worked by Verizon’s RISK team; the data spans six years, 900+ breaches, and over 900 million compromised records. This year, the RISK team conducted the report in cooperation with the United States Secret Service and included their data set in the study. The report is a valuable read, and it can be found here.

Below are some excerpts from the report findings; I underscored the ones that I thought were the most telling:

Who is behind Data Breaches?
70% resulted from external agents
48% caused by insiders
11% implicated business partners
27% involved multiple parties

What commonalities exist?
98% of all data breached came from servers
85% of attacks were not considered highly difficult
61% were discovered by a third party
86% of victims had evidence of the breach in their log files
96% of breaches were avoidable through simple or intermediate controls
79% of victims subject to PCI DSS had not achieved compliance

Where should mitigation efforts be focused?
Eliminate unnecessary data; keep tabs on what’s left
Ensure essential controls are met
Check the above again
Test and review web applications
Audit user accounts and monitor privileged activity
Filter outbound traffic
Monitor and mine event logs

This year, the report included appendices by the Secret Service discussing issues ranging from the online criminal communities’ culture to the street value of a stolen record. Read it if you can; it is packed with relevant information and is well written.



Sunday, May 30, 2010

Finally! The FBI is taking action.


For Immediate Release
May 27, 2010
United States Attorney's Office
Northern District of Illinois
Contact: (312) 353-5300
U.S. Indicts Ohio Man and Two Foreign Residents in Alleged Ukraine-Based “Scareware” Fraud Scheme That Caused $100 Million in Losses to Internet Victims Worldwide
CHICAGO—An international cybercrime scheme caused Internet users in more than 60 countries to purchase more than one million bogus software products, causing victims to lose more than $100 million, according to a federal indictment returned here against a Cincinnati area man and two other men believed to be living abroad. The charges allege that the defendants, through fake advertisements placed on various legitimate companies’ websites, deceived Internet users into falsely believing that their computers were infected with “malware” or had other critical errors to induce them to purchase “scareware” software products that had limited or no ability to remedy the purported, but nonexistent, defects. The alleged scheme is widely regarded as one of the fastest-growing and most prevalent types of Internet fraud.
Two defendants, Bjorn Daniel Sundin, and Shaileshkumar P. Jain, with others owned and operated Innovative Marketing, Inc. (IM), a company registered in Belize that purported to sell anti-virus and computer performance/repair software through the internet and that operated a subsidiary called Innovative Marketing Ukraine, located in Kiev. The company appeared to close down last year after the U.S. Federal Trade Commission filed a federal lawsuit in Maryland seeking to end the allegedly fraudulent practices.
Jain, 40, who performed the functions of IM’s chief executive officer, is a U.S. citizen and is believed to be living in Ukraine. Sundin, 31, who performed the duties of IM’s chief technology officer and chief operating officer, is a Swedish citizen and is believed to be in Sweden.
The third defendant, James Reno, 26, of Amelia, Ohio, with others owned and operated the former Byte Hosting Internet Services, which operated call centers that provided technical and billing support to victim consumers on behalf of IM. Reno is expected to present himself for arraignment at a later date in U.S. District Court in Chicago.
Sundin and Jain were each charged with 24 counts of wire fraud, and Reno with 12 counts of wire fraud, and all three were charged with one count each of conspiracy to commit computer fraud and computer fraud in a 26-count indictment returned yesterday by a federal grand jury in Chicago. The indictment also seeks forfeiture of approximately $100 million and any and all funds held in a bank account in Kiev.
The charges were announced by Patrick J. Fitzgerald, United States Attorney for the Northern District of Illinois, and Robert D. Grant, Special Agent-in-Charge of the Chicago Office of the Federal Bureau of Investigation, which conducted the global investigation. The Justice Department’s Office of International Affairs and the Computer Crimes and Intellectual Property Section assisted in the investigation.
“These defendants allegedly preyed on innocent computer users, exploiting their fraudulently induced fears for personal gain. We will continue our efforts to identify and aggressively investigate similar schemes with the assistance of our law enforcement partners both at home and internationally,” Mr. Grant said.
According to the indictment, after causing a series of false error messages, Sundin, Jain and others caused Internet users worldwide, including throughout the United States, Sweden and Ukraine, to purchase software products bearing such names as “DriveCleaner” and “ErrorSafe,” ranging in price from approximately $30 to $70, which they falsely represented would rid the victims’ computers of purported defects, but actually did little or nothing to improve or repair computer performance, resulting in financial losses exceeding $100 million.
Sundin, Jain and others allegedly created at least seven fictitious advertising agencies that contacted multiple victim companies purporting to act as advertising brokers on behalf of known legitimate entities that wanted to place Internet ads on the unnamed victim companies’ websites, when in fact the ads were unauthorized. The victim companies allegedly were defrauded of at least $85,000 in unpaid fees promised by the fictitious ad agencies.
Unknown to the victim companies, the Internet ads that were placed on their websites by these fictitious agencies contained hidden computer code that “hijacked” the Internet browsers of individual victims, redirecting their computers without their consent to websites controlled by Sundin, Jain and others, the indictment alleges. The individual victims were then prompted with a series of error messages claiming that the user’s computer was experiencing a critical error and the victim needed to purchase an IM-distributed software product to remedy the problem.
Reno allegedly aided and abetted Sundin, Jain and others in creating and operating the fictitious ad agencies by providing support as a technical adviser for the computer servers and networks used to facilitate their operation. The fictitious ad agencies included “BurnAds,” “UniqAds,” “Infyte,” “NetMediaGroup,” and “ForceUp,” according to the indictment.
After the defendants caused a victim to be directed to an IM scareware website they controlled, the indictment alleges that the following events typically occurred:
  • the IM scareware site appeared not to be a website at all, but rather a warning message from the computer user’s operating system, falsely informing the user of an error and prompting the user to click on a box to address the purported error. Further error message prompts occurred regardless of whether the user clicked the box agreeing to or declining to proceed or attempted to close the error message window;
  • the IM scareware displayed an animated graphic image that gave the fake appearance that the computer was being scanned for various errors or viruses. Bogus results falsely showed that critical errors were detected by the fake scan; and
  • the IM scareware website then prompted the victim user to download a free trial version of an IM product, falsely promising that the software could repair the nonexistent critical errors. 
As a result of the browser hijacking, multiple fraudulent scans, and false error messages the defendants and others allegedly deceived victims into purchasing the full paid versions of IM software products, such as “Malware Alarm,” “Antivirus 2008,” and “VirusRemover 2008.” At times, the defendants defrauded victims into purchasing multiple products through a deceptive order screen that kept hidden certain pre-checked option boxes which, when checked, increased the total number of products being purchased, the indictment alleges.
The proceeds of these sales, typically by credit card, were allegedly deposited into bank accounts controlled by the defendants and others throughout the world, and then were transferred to additional bank accounts located in Europe.
The defendants and others allegedly used Byte Hosting to deflect complaints from victims who purchased IM software products. Knowing the products to be fraudulent and distributed and sold under false pretenses, Reno and others caused call center representatives to be instructed to lie to customers about the products and persuade them to remove legitimate pre-existing anti-virus software, the indictment alleges. To persuade the Byte Hosting call center representatives to continue their employment, Reno and others falsely informed them that they were not involved in a fraud scheme because United States law did not apply to IM and its business practices because IM was based overseas. The call center employees were authorized to provide refunds to discourage victims from notifying their credit card companies or law enforcement that they were deceived into purchasing the fraudulent software products, according to the indictment.
Individuals who believe they are victims and want to receive information about the criminal prosecution may call a toll-free hotline, 866-364-2621, ext. 1, for periodic updates.
The government is being represented by Assistant U.S. Attorneys Michael Ferrara and William Ridgway.
Each count of wire fraud carries a maximum penalty of 20 years in prison and a $250,000 fine and restitution is mandatory. The Court may also impose a fine totaling twice the loss to any victim or twice the gain to the defendant, whichever is greater. If convicted, the Court would determine a reasonable sentence to impose under the advisory United States Sentencing Guidelines.
An indictment contains only charges and is not evidence of guilt. The defendants are presumed innocent and are entitled to a fair trial at which the government has the burden of proving guilt beyond a reasonable doubt.

Wednesday, February 3, 2010

gzippedNOT the applejuice

Here are my answers and write-up for the 3rd network forensics puzzle:
----

I wrote two simple scripts for this contest, applejuice and gzippedNOT.
applejuice takes a pcap file as input and prints out the Apple Store searches and other information by IP.
gzippedNOT takes an http payload file (without the tcp/ip header info) and attempts to deflate/decode the gzipped content.
Here’s how I’ll use these two scripts to solve the puzzle:
ToyBox#./applejuice -r evidence03.pcap
2009-12-27 22:08:16.927407 192.168.1.10  searched-for:  media=movie q=h
2009-12-27 22:08:19.732619 192.168.1.10  searched-for:  media=movie q=ha
2009-12-27 22:08:22.981673 192.168.1.10  searched-for:  media=movie q=hac
2009-12-27 22:08:26.544983 192.168.1.10  searched-for:  media=movie q=hack
2009-12-27 22:08:36.244529 192.168.1.10  clicked-on:  pageName=MoviePage-US-Hackers-IainSoftley-333441649
2009-12-27 22:08:56.054955 192.168.1.10  searched-for:  media=movie q=s
2009-12-27 22:08:58.462018 192.168.1.10  searched-for:  media=movie q=sn
2009-12-27 22:09:01.772845 192.168.1.10  searched-for:  media=movie q=sne
2009-12-27 22:09:12.801213 192.168.1.10  searched-for:  media=movie q=sneb
2009-12-27 22:09:20.894813 192.168.1.10  searched-for:  media=movie q=snea
2009-12-27 22:09:25.013675 192.168.1.10  searched-for:  media=movie q=sneak
2009-12-27 22:09:29.090745 192.168.1.10  clicked-on:  pageName=MoviePage-US-Sneakers-PhilAldenRobinson-283963264
2009-12-27 22:09:41.074431 192.168.1.10  searched-for:  media=movie q=i
2009-12-27 22:09:47.413934 192.168.1.10  searched-for:  media=movie q=ik
2009-12-27 22:09:49.643774 192.168.1.10  searched-for:  media=movie q=ikn
2009-12-27 22:09:51.285462 192.168.1.10  searched-for:  media=movie q=ikno
2009-12-27 22:09:54.533797 192.168.1.10  searched-for:  media=movie q=iknow
2009-12-27 22:10:00.757932 192.168.1.10  searched-for:  media=movie q=iknowy
2009-12-27 22:10:05.286998 192.168.1.10  searched-for:  media=movie q=iknowyo
2009-12-27 22:10:07.396247 192.168.1.10  searched-for:  media=movie q=iknowyou
2009-12-27 22:10:11.954453 192.168.1.10  searched-for:  media=movie q=iknowyour
2009-12-27 22:10:14.189430 192.168.1.10  searched-for:  media=movie q=iknowyoure
2009-12-27 22:10:16.762757 192.168.1.10  searched-for:  media=movie q=iknowyourew
2009-12-27 22:10:21.703075 192.168.1.10  searched-for:  media=movie q=iknowyourewa
2009-12-27 22:10:23.968028 192.168.1.10  searched-for:  media=movie q=iknowyourewat
2009-12-27 22:10:26.748082 192.168.1.10  searched-for:  media=movie q=iknowyourewatc
2009-12-27 22:10:28.835105 192.168.1.10  searched-for:  media=movie q=iknowyourewatch
2009-12-27 22:10:30.327520 192.168.1.10  searched-for:  media=movie q=iknowyourewatchi
2009-12-27 22:10:31.963279 192.168.1.10  searched-for:  media=movie q=iknowyourewatchin
2009-12-27 22:10:33.845427 192.168.1.10  searched-for:  media=movie q=iknowyourewatching
2009-12-27 22:10:35.390023 192.168.1.10  searched-for:  media=movie q=iknowyourewatchingm
2009-12-27 22:10:39.390800 192.168.1.10  searched-for:  media=movie q=iknowyourewatchingme

This gave us answers 3, 4, 6, and 8.

Now we’ll ngrep for the movie IDs 333441649 (Hackers) and 283963264 (Sneakers) to identify the conversations that we need to analyze further, like so:
ToyBox#ngrep -I evidence03.pcap 333441649 dst host 192.168.1.10 | grep ^T
T 8.18.65.67:80 -> 192.168.1.10:49168 [A]
T 8.18.65.67:80 -> 192.168.1.10:49168 [A]
ToyBox#ngrep -I evidence03.pcap 283963264 dst host 192.168.1.10 | grep ^T
T 8.18.65.67:80 -> 192.168.1.10:49176 [A]
T 8.18.65.67:80 -> 192.168.1.10:49176 [A]

Now that we know the IPs and Ports for the right conversations to analyze for each movie, we use tcpflow to carve out the payload files like so:
ToyBox#tcpflow -r evidence03.pcap 'src host 8.18.65.67 and src port 80 and dst host 192.168.1.10 and dst port 49168'
ToyBox#cp 008.018.065.067.00080-192.168.001.010.49168 hackers
ToyBox#tcpflow -r evidence03.pcap 'src host 8.18.65.67 and src port 80 and dst host 192.168.1.10 and dst port 49176'
ToyBox#cp 008.018.065.067.00080-192.168.001.010.49176 sneakers

Now that we have the http payload files for ‘hackers’ and ‘sneakers’, we’ll use gzippedNOT to decode the content and grep for additional info like so:
ToyBox#./gzippedNOT -r hackers | grep preview-url
          preview-urlhttp://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
          preview-urlhttp://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
          preview-urlhttp://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
          preview-urlhttp://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
          preview-urlhttp://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
          preview-urlhttp://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
ToyBox#./gzippedNOT -r sneakers | grep price-display
          price-display$9.99
          rent-price-display$2.99
          price-display$9.99
          rent-price-display$2.99
This yielded answers 5 and 7.
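For readers who want to see what a script like gzippedNOT has to do with one of those tcpflow payload files, here is an added Python example. It is not the gzippedNOT script from this post; it assumes the input is the server-to-client half of one HTTP conversation as tcpflow carves it (HTTP/1.x responses only), handles Content-Length and chunked bodies, undoes gzip/deflate content encoding, and then pulls plist-style <key>/<string> pairs such as preview-url out of the decoded text. The response stream, the example.invalid URL and the prices in it are constructed for the demo.

```python
"""Decode a tcpflow-style HTTP response stream (server -> client payload only).

Added example for this post; not the author's gzippedNOT. The sample stream at
the bottom is constructed: a 304 Not Modified followed by a chunked, gzip-encoded
200 whose body mimics the plist-style key/string pairs grepped for above.
"""
import gzip
import re
import zlib


def read_chunked(data: bytes):
    """Reassemble a Transfer-Encoding: chunked body.
    Returns (body, bytes_consumed) so the caller can continue with the next
    response in the same stream."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(data[pos:eol].split(b";")[0].strip(), 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            # last chunk; skip the empty line that ends the body (no trailers assumed)
            if data[pos:pos + 2] == b"\r\n":
                pos += 2
            return bytes(out), pos
        out += data[pos:pos + size]
        pos += size + 2  # chunk payload plus its trailing CRLF


def decode_body(body: bytes, encoding: str) -> bytes:
    """Undo Content-Encoding. decompressobj is used instead of gzip.decompress so a
    capture that was cut short still yields the bytes that did make it."""
    enc = encoding.lower()
    if enc in ("gzip", "x-gzip"):
        return zlib.decompressobj(zlib.MAX_WBITS | 16).decompress(body)
    if enc == "deflate":
        try:
            return zlib.decompressobj(zlib.MAX_WBITS).decompress(body)
        except zlib.error:  # some servers send raw deflate without the zlib header
            return zlib.decompressobj(-zlib.MAX_WBITS).decompress(body)
    return body


def parse_responses(stream: bytes):
    """Split a server->client payload into HTTP responses and decode each body."""
    responses = []
    pos = 0
    while pos < len(stream):
        hdr_end = stream.find(b"\r\n\r\n", pos)
        if hdr_end < 0:
            break  # trailing garbage or a truncated header block
        head = stream[pos:hdr_end].decode("iso-8859-1")
        status_line, *header_lines = head.split("\r\n")
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = hdr_end + 4
        if "chunked" in headers.get("transfer-encoding", "").lower():
            raw, used = read_chunked(stream[pos:])
        else:
            length = int(headers.get("content-length", len(stream) - pos))
            raw, used = stream[pos:pos + length], length
        pos += used
        responses.append({"status": status_line, "headers": headers,
                          "body": decode_body(raw, headers.get("content-encoding", ""))})
    return responses


def find_values(body: bytes, key: str):
    """Pull <key>KEY</key><string>VALUE</string> pairs out of a plist-style body."""
    text = body.decode("utf-8", "replace")
    pattern = r"<key>%s</key>\s*<string>(.*?)</string>" % re.escape(key)
    return re.findall(pattern, text, re.S)


# --- constructed sample stream (URL and prices are made up for the demo) ---
SAMPLE_XML = (b"<dict><key>preview-url</key><string>http://example.invalid/trailer.m4v</string>"
              b"<key>price-display</key><string>$9.99</string>"
              b"<key>rent-price-display</key><string>$2.99</string></dict>")


def chunk_encode(data: bytes, size: int = 40) -> bytes:
    pieces = [data[i:i + size] for i in range(0, len(data), size)]
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in pieces) + b"0\r\n\r\n"


SAMPLE_STREAM = (
    b"HTTP/1.1 304 Not Modified\r\nContent-Length: 0\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\nContent-Encoding: gzip\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n" + chunk_encode(gzip.compress(SAMPLE_XML))
)


def decode_sample():
    """All preview-url values found across the decoded sample responses."""
    return [v for r in parse_responses(SAMPLE_STREAM) for v in find_values(r["body"], "preview-url")]


if __name__ == "__main__":
    for r in parse_responses(SAMPLE_STREAM):
        print(r["status"], "->", len(r["body"]), "decoded bytes")
    print(decode_sample())
```

Running it on a real tcpflow file is a matter of `parse_responses(open(path, "rb").read())`; the one thing to watch is that a flow cut short mid-chunk raises on the chunk-size line, whereas a Content-Length body that was cut short just comes back shorter than advertised.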

We’ll use our trusty ngrep one more time to find answer 2, like so:
ToyBox#ngrep -I evidence03.pcap User-Agent
input: evidence03.pcap
match: User-Agent
######
T 192.168.1.10:49163 -> 8.18.65.67:80 [AP]
  GET /WebObjects/MZStore.woa/wa/viewGrouping?id=39 HTTP/1.1..Accept: */*..Accept-Language: en..Accept-Encoding: gzip, deflate..Cookie: s_vi=[CS]v1|259C17
  6A85010C29-6000010D80115D7F[CE]..User-Agent: AppleTV/2.4..If-Modified-Since: Fri, 25 Dec 2009 04:42:31 GMT..X-Apple-Store-Front: 143441-1,3..Connection:
   keep-alive..Host: ax.itunes.apple.com....
And we got answer 2: AppleTV/2.4

And finally we’ll deduce answer number 1, like so:
ToyBox# tcpdump -nner evidence03.pcap -c 1
reading from file evidence03.pcap, link-type EN10MB (Ethernet)
22:08:01.139183 00:25:00:fe:07:c4 > 00:23:69:ad:57:7b, ethertype IPv4 (0x0800), length 79: 192.168.1.10.49174 > 4.2.2.1.53:  40605+ A? ax.itunes.apple.com. (37)

00:25:00:fe:07:c4 (APPLE) > 00:23:69:ad:57:7b (CISCO LINKSYS)

1. What is the MAC address of Ann’s AppleTV?
00:25:00:fe:07:c4
2. What User-Agent string did Ann’s AppleTV use in HTTP requests?
AppleTV/2.4
3. What were Ann’s first four search terms on the AppleTV (all incremental searches count)?
h, ha, hac, hack
4. What was the title of the first movie Ann clicked on?
Hackers
5. What was the full URL to the movie trailer (defined by “preview-url”)?
http://a227.v.phobos.apple.com/us/r1000/008/Video/62/bd/1b/mzm.plqacyqb..640x278.h264lc.d2.p.m4v
6. What was the title of the second movie Ann clicked on?
Sneakers
7. What was the price to buy it (defined by “price-display”)?
$9.99
8. What was the last full term Ann searched for?
iknowyourewatchingme

Wednesday, January 13, 2010

Google vs. China

An interesting read on Yahoo Finance; the part that caught my attention is that *it seems* that the accounts were compromised as follows:


  1. Chinese dissident gets a Phish with a malicious link in it*.
  2. Chinese dissident clicks on the link.
  3. Chinese dissident’s PC is now owned by the red dragon.
  4. Screenshots**, and possibly passwords, of e-mail accounts are shipped to China.

This is consistent with what we're seeing in the wild; keep your AV and OS updated, and do not click on any links in e-mails, especially if you are a Chinese dissident.

*”Google stumbled onto another scam that was more successful. Google said dozens of activists fighting the Chinese government's policies fell prey to ruses commonly known as "phishing" or malware. The victims live in the United States, Europe and China, Google said. Phishing involves malicious e-mails urging the recipients to open an attachment or visit a link that they're conned into believing comes from a friend or legitimate company. Clicking on a phishing link of installs malware -- malicious software -- on to computers”

**”Only two e-mail accounts were infiltrated in these attacks, Google said, and the intruders were only able to see subject lines and the dates that the individual accounts were created. None of the content written within the body of the e-mails leaked out, Google said”

Monday, November 23, 2009

smtpcat

OK… time’s up for the second iteration of the Network Forensics Puzzle contest. I submitted my answers about a month ago; and this time, I decided to rely on third party tools NOT. So, inspired by Kristinn Gudjonsson's pcapcat, I wrote SMTPCAT to aid me in solving the puzzle. Since the deadline is up, I guess I can go ahead and publish some of my work.


SMTPCAT:

SMTPCAT will read a pcap file and attempt to do the following:

1. Identify all smtp conversations and print info about them in the following format:
   a. [INDEX] (Sender IP) --> (SMTP Server IP)
   b. [INDEX] (Sender e-mail) --> (Receiver e-mail) (Date)
   c. [INDEX] (SUBJECT)
   d. [INDEX] (AuthSMTP Passwd)                 <-- this is output only with the -p option

2. The tool will not buffer the output by default; this is done so the user can use grep and focus on a specific sender, receiver, date, subject, or any other grep-able combination. Optionally, you can buffer the output with the -b option.

3. The tool suppresses the output for the following smtp traffic by default, as it sees it as noise and unhelpful, but again you can optionally instruct the tool to show all traffic:
   a. Handshakes with 0 payload. --> you can show these with the -a option.
   b. Completed smtp handshake with a quick QUIT, i.e. smtp scanners. --> can show with -q
   c. Smtp over TLS, as it’ll be encrypted. --> can show with -t

4. After you read the pcap file, you can also use the -d [index] option to identify the index of the conversation that you need to dump, and the -w [file] option to identify the output file.

5. The tool will assume tcp ports 25 and 587 by default as the smtp ports, but this can be changed to tcp 25 and [PORT] with the -c [PORT] option.

6. Usage examples:
   a. ./smtpcat -r [PCAPFILE]
   b. ./smtpcat -r [LARGE PCAPFILE] | grep [SUSPECT E-MAIL ADDY]
   c. ./smtpcat -r [LARGE PCAPFILE] | grep [E-MAIL SUBJECT]
   d. ./smtpcat -r [LARGE PCAPFILE] | grep [DATE] | grep [SUSPECT E-MAIL ADDY]
   e. ./smtpcat -r [PCAPFILE] -p
   f. ./smtpcat -r [PCAPFILE] -d [INDEX] -w [OUTFILE]

SMTPCAT can be downloaded from here.
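To show what a tool like SMTPCAT has to do for each conversation, here is an added Python example; it is not the SMTPCAT code, and it works on the client-to-server half of one TCP session, as tcpflow would carve it. It classifies the stream as an empty handshake, a scanner that QUITs without ever sending mail, a STARTTLS session, or a real message, and for messages records the envelope sender and recipients, the Date and Subject headers, and any AUTH PLAIN or AUTH LOGIN credentials, which it masks unless asked for them, mirroring the -p switch. The three sample sessions (addresses under example.invalid, the user ann and the password hunter2) are constructed.

```python
"""Classify one client->server SMTP stream and pull out envelope and header facts.

Added example for this post; not the author's SMTPCAT. All sample sessions at the
bottom are constructed.
"""
import base64
import email
import re
from email import policy


def _mailbox(arg: str) -> str:
    """Address out of 'FROM:<a@b>' / 'TO:<a@b>' (angle brackets optional)."""
    m = re.search(r"<([^>]*)>", arg)
    return m.group(1) if m else arg.partition(":")[2].strip()


def _b64(token: str) -> str:
    return base64.b64decode(token.strip()).decode("utf-8", "replace")


def _absorb_message(info: dict, raw_message: bytes) -> None:
    """Fill Date/Subject from the DATA section using the stdlib mail parser."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    info["date"] = msg["Date"]
    info["subject"] = msg["Subject"]


def parse_smtp_client_stream(data: bytes, show_password: bool = False) -> dict:
    info = {"kind": "empty", "sender": None, "recipients": [], "subject": None,
            "date": None, "auth_user": None, "auth_pass": None}
    if not data.strip():
        return info                      # handshake only, zero payload from the client
    in_data, message, login_tokens, expect_login = False, [], [], False
    for raw in data.split(b"\r\n"):
        if in_data:
            if raw == b".":              # a lone dot terminates DATA
                in_data = False
                _absorb_message(info, b"\r\n".join(message))
                message = []
            else:                        # undo dot-stuffing (RFC 5321 section 4.5.2)
                message.append(raw[1:] if raw.startswith(b"..") else raw)
            continue
        line = raw.decode("ascii", "replace")
        if expect_login:                 # AUTH LOGIN: base64 username, then base64 password
            login_tokens.append(_b64(line))
            if len(login_tokens) == 2:
                info["auth_user"], info["auth_pass"] = login_tokens
                expect_login = False
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "STARTTLS":
            info["kind"] = "tls"         # everything after this is encrypted; stop here
            break
        if verb == "MAIL":
            info["kind"] = "message"
            info["sender"] = _mailbox(arg)
        elif verb == "RCPT":
            info["recipients"].append(_mailbox(arg))
        elif verb == "DATA":
            in_data = True
        elif verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            if mech.upper() == "PLAIN" and initial:
                # PLAIN initial response is base64("authzid\0authcid\0password")
                parts = base64.b64decode(initial).split(b"\0")
                info["auth_user"] = parts[1].decode("utf-8", "replace")
                info["auth_pass"] = parts[2].decode("utf-8", "replace")
            elif mech.upper() == "LOGIN":
                expect_login = True
                if initial:              # username may be sent inline with AUTH LOGIN
                    login_tokens.append(_b64(initial))
        elif verb == "QUIT" and info["kind"] == "empty":
            info["kind"] = "scanner"     # completed handshake, then a quick QUIT
    if info["auth_pass"] is not None and not show_password:
        info["auth_pass"] = "<masked>"   # the -p behaviour: only reveal on request
    return info


def format_conversation(index: int, client_ip: str, server_ip: str, info: dict) -> list:
    """Render the per-conversation lines in the layout described above."""
    lines = [f"[{index}] ({client_ip}) --> ({server_ip})",
             f"[{index}] ({info['sender']}) --> ({', '.join(info['recipients'])}) ({info['date']})",
             f"[{index}] ({info['subject']})"]
    if info["auth_pass"] is not None:
        lines.append(f"[{index}] ({info['auth_user']}:{info['auth_pass']})")
    return lines


# --- constructed sample sessions (client side only) ---
SAMPLE_MESSAGE_STREAM = (
    b"EHLO laptop.example.invalid\r\nAUTH LOGIN\r\n"
    + base64.b64encode(b"ann") + b"\r\n" + base64.b64encode(b"hunter2") + b"\r\n"
    b"MAIL FROM:<ann@example.invalid>\r\nRCPT TO:<bob@example.invalid>\r\nDATA\r\n"
    b"From: ann@example.invalid\r\nTo: bob@example.invalid\r\n"
    b"Date: Sat, 10 Oct 2009 14:05:02 -0400\r\nSubject: lunch?\r\n\r\n"
    b"see you at noon\r\n..this line started with a dot\r\n.\r\nQUIT\r\n"
)
SAMPLE_SCANNER_STREAM = b"EHLO probe.example.invalid\r\nQUIT\r\n"
SAMPLE_TLS_STREAM = b"EHLO laptop.example.invalid\r\nSTARTTLS\r\n"

if __name__ == "__main__":
    for i, s in enumerate([SAMPLE_MESSAGE_STREAM, SAMPLE_SCANNER_STREAM, SAMPLE_TLS_STREAM]):
        print("\n".join(format_conversation(i, "192.0.2.10", "192.0.2.25",
                                            parse_smtp_client_stream(s))))
```

Ports are not the parser's business: whatever reassembles the TCP sessions (tcpflow with a `port 25 or port 587` filter, for instance) decides which streams are handed to it, which is what the -c option of the real tool would control.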

Thursday, November 12, 2009

Network Forensics Puzzle Contest

The good folks running the forensics puzzle contest have extended the deadline; it’s now the 22nd of November. It is a fun and challenging contest; try your luck; I guarantee that you will learn something in the process. Go back and read the old puzzle and the winning solutions submitted; I guarantee that you will learn something there too.
I already submitted my solution, and I will post it here after the deadline; I am very interested in seeing how other contestants are going to solve the puzzle; it’s always revealing to see how smart minds think.

Friday, November 6, 2009

Tracking an anonymous e-mailer with senthound.

A while back, I was asked about the best way to attempt to unmask an anonymous e-mailer; here is the result of my work:
Sometimes people try to hide behind the free and *semi* anonymous webmail services like Yahoo, Gmail, or Hotmail. Often, anonymous e-mails CAN be tracked to the persons who sent them. Some providers make it more difficult than others do, but in the end, it can be done; and it can be done without having to subpoena the provider, which ultimately is an option for law enforcement if they really want to go after someone.
Yahoo and Hotmail voluntarily provide the IP address of the PC from which the webmail was sent! You just need to look at the ‘Full Header’ and do the following:

  1. Scroll all the way to the bottom of the header and start moving up line-by-line.
  2. Look for the first line that shows an IP address “x.x.x.x”, it will probably be shortly after you get to the “From:” line.
  3. The x.x.x.x IP is the address of the PC from which the e-mail was sent.
  4. A quick lookup on ARIN may reveal a business, location, or even a name.
  5. Multiple e-mails, from multiple IPs, from the same anonymous address can reveal even more and can further confirm the identity of the sender.
This process also works on comcast, att, and sbcglobal addresses.
Gmail, on the other hand, will not give away the address of the PC from which a webmail was sent. In addition, it is possible that the sender is using a shared Internet address and is being very meticulous about sending only from public PCs. Therefore, a different approach has to be employed here.
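The header walk in steps 1 to 5 can be automated; the Python below is an added example written for this post (not a tool from the author) that reads a full header block, checks for an X-Originating-IP header first, and otherwise walks the Received: hops from the bottom (the earliest hop) upward, returning the first address that is not in a non-routable range together with the line it came from. The three header blocks are constructed; they use RFC 5737 documentation addresses as stand-ins for public ones, which is why the non-routable ranges are listed by hand instead of using ipaddress.is_private (that flag also covers the documentation blocks).

```python
"""Find the originating address of a webmail message from its full headers.

Added example for this post; not the author's code. Sample headers are constructed.
"""
import ipaddress
import re
from email import message_from_string

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Ranges that can never be the sender's public address (explicit list, see lead-in).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def is_routable(text: str) -> bool:
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def originating_ip(raw_headers: str):
    """Return (ip, evidence_line) for the earliest routable address in the chain,
    or (None, None) when the headers carry none."""
    msg = message_from_string(raw_headers)
    # Some providers put the client address in a dedicated header; trust it first.
    for value in msg.get_all("X-Originating-IP", []):
        for ip in IPV4_RE.findall(value):
            if is_routable(ip):
                return ip, "X-Originating-IP: " + value.strip()
    # get_all returns Received: hops top to bottom; walk bottom-up, earliest first.
    for hop in reversed(msg.get_all("Received", [])):
        for ip in IPV4_RE.findall(hop):
            if is_routable(ip):
                return ip, "Received: " + " ".join(hop.split())
    return None, None


# --- constructed sample header blocks ---
SAMPLE_RECEIVED_STYLE = """\
Received: from mx1.recipient.invalid (mx1.recipient.invalid [198.51.100.4])
    by mail.recipient.invalid with ESMTP id 1AbC
    for <victim@recipient.invalid>; Fri, 06 Nov 2009 09:12:44 -0500
Received: from web1.webmail.invalid (web1.webmail.invalid [10.4.1.17])
    by mx1.recipient.invalid; Fri, 06 Nov 2009 09:12:43 -0500
Received: from [192.168.0.5] (cpe-203-0-113-7.isp.invalid [203.0.113.7])
    by web1.webmail.invalid via HTTP; Fri, 06 Nov 2009 09:12:40 -0500
From: anon123@webmail.invalid
Subject: guess who

body
"""

SAMPLE_XORIG_STYLE = """\
Received: from omc1.webmail.invalid ([198.51.100.200]) by mx1.recipient.invalid
X-Originating-IP: [203.0.113.99]
From: anon456@webmail.invalid
Subject: guess who

body
"""

# A provider that strips the client address: the earliest hop only shows its own
# internal host, so the walk lands on the provider's outbound server instead.
SAMPLE_STRIPPED_STYLE = """\
Received: from mail-out.bigmail.invalid ([198.51.100.30]) by mx1.recipient.invalid
Received: by 10.10.1.5 with HTTP; Fri, 06 Nov 2009 09:12:40 -0500
From: anon789@bigmail.invalid
Subject: guess who

body
"""

if __name__ == "__main__":
    for block in (SAMPLE_RECEIVED_STYLE, SAMPLE_XORIG_STYLE, SAMPLE_STRIPPED_STYLE):
        print(originating_ip(block))
```

The third sample is the Gmail case described below: the function still returns an address, but an ARIN lookup on it shows the provider's own network rather than a subscriber, which is the tell that the client address was stripped.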
What if we reverse the identification process by sending a *special* e-mail to our original anonymous sender that can identify the IP address of the PC on which it was read? This can be done by simply replying to one of the anonymous e-mails for example, or it can be sent from a completely separate e-mail depending on the circumstances. The goal is to social engineer our anonymous sender into opening it.
The idea of the special e-mail is simple:

  1. It has to be written in a way that could trick the receiver into opening it.
  2. It can be an HTML e-mail with an embedded link to a picture so it will load automatically. The picture could be blank, or any image with zero dimensions: the ‘tracking dot’ approach.
  3. The picture is hosted on a unique path on our.server.com and logging is enabled on the server.
  4. The reader opens the e-mail -> the picture is linked -> the reader IP logged accessing our unique path on our.server.com -> game over.
Senthound is a small script that I wrote to automate the above process. It can be invoked like so:
./senthound [html e-mail file]

Read the help comments for more on usage.
Identifying anonymous readers by the IPs they show in our web server log when they fetch content from it is a research subject in its own right, but it is certainly possible, and it can be used beyond ‘tracker e-mails’.
I hope this helps, and if you have other ideas, I'd love to hear them :)



Monday, November 2, 2009

Access Control for the Windows Operating System



I wrote this paper for a class assignment in 2005. Reading through it, it's still relevant; here's the abstract section below and the complete text can be found here.

Abstract:
Why do we lock the office building at night? Who has the key to the front door and why? Who has the key to your office and why? Who has the master key and why? Is the building monitored via security CCTV systems and why? The answers to the above questions can be summed up in two words (Access Control), physical Access Control in this case. In the digital age, our valuable data no longer reside only in file cabinets behind locked doors; computers and digital storage facilities nowadays contain our most valuable data as well. Thus, Access Control in the digital context is as important as physical Access Control. Access Control is an integral part of system security, and it directly affects the three tenets of Information Security: Confidentiality, Integrity, and Availability. In this paper, we will attempt to explore the Access Control implementation in the Windows Operating System.
The complete paper is here.

Saturday, October 31, 2009

Malicious URLs

There are open-source intel websites that provide currently-active URLs, and IPs, where malware is hosted; I will list a few of them at the end of this post. The collection of the information from such sites, if used properly, can be a goldmine. One can break down the data collected from such sites into two categories:
  1. Data helpful with the Detection of bad things.
  2. Data helpful with the Protection from bad things.
How, you ask? Here goes:


Detection:
We start by automating the process of collecting all Malware IPs from those websites and generating one long list of ‘bad IPs’. Of course, you want to include processes to normalize the list, maybe remove some white-listed IPs etc. With the final list in hand, we automate, daily, a process with which any communication from our network to one of those ‘bad IPs’ is captured with full payload. The automation can all be done with Perl. Once the process is running, we will have a daily capture file that we know has some juicy stuff for us to investigate. Basically, if one of our IPs has started communicating with a ‘bad IP', out on the Internet, we’ll not only know about it, but we’ll have a complete record of the conversation with full payload.
This process is established in my current environment and we often discover 0 day threats in these capture files. The process used to be manual until I automated it with Perl. The code is available under the GPL, contact me if you would like it :)

Protection:
Instead of ‘bad IPs’, we collect the ‘bad URLs’. The ‘bad URLs’ list is then normalized and white-listed URLs are removed, etc.; the final result is a list that can be used to protect our users from these bad URLs. A content filtering system can be fed the list to accomplish the blocking, or better yet, the list of URLs can be entered into the internal DNS servers with a null pointer, so the names resolve to nothing useful.
I also used Perl to automate the generation of the ‘bad URLs’ list, and we currently use the list to protect our users from about 38000 unique malware URLs. The list is generated daily and e-mailed to the people who can update the content filtering system.
** if you are interested in getting a daily copy of the list, contact me and I will add your e-mail address to the distribution list. I will need some basic info from you first :)
Here is today's list as an example.


Combining the Protection and the Detection processes in your environment can be very effective, since the false-positive rate of the detection will be very low.

Further automated processing can be done on the output pcap files from the Detection phase. For example, one can look for all downloaded executables in those pcaps; those executables will most likely be malware.
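As an added example covering both the Detection and the Protection steps above (this is Python written for this post, not the author's Perl, which is not on this page), the block below takes a feed in the mixed shapes such sites publish (bare IPs, bare hostnames, full URLs, comments, duplicates, junk), normalizes it into a ‘bad IPs’ list and a ‘bad hostnames’ list with an allowlist applied, and then renders the IP list as a tcpdump/ngrep filter for the full-payload capture and the hostname list as BIND named.conf stanzas that point each bad name at a null zone. The feed lines, the allowlist and the zone file path are constructed assumptions.

```python
"""Normalize a malware intel feed into a capture filter and a DNS null-zone list.

Added example for this post; not the author's Perl. The feed, the allowlist and
the zone file path below are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def _host_and_ip(entry: str):
    """Split one feed entry (bare IP, bare host, or full URL) into (host, ip)."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None, None
    if "://" not in entry:
        entry = "http://" + entry          # urlsplit needs a scheme to find the host part
    host = (urlsplit(entry).hostname or "").rstrip(".").lower()
    try:
        return None, str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if re.fullmatch(r"[\d.]+", host):      # digits and dots but not a valid IP: junk
        return None, None
    return (host if HOST_RE.match(host) else None), None


def _allowed(host: str, allow_domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in allow_domains)


def normalize_feed(lines, allow_ips=(), allow_domains=()):
    """Return (sorted bad IPs, sorted bad hostnames), deduplicated and allowlist-filtered."""
    ips, hosts = set(), set()
    for line in lines:
        host, ip = _host_and_ip(line)
        if ip and ip not in allow_ips:
            ips.add(ip)
        elif host and not _allowed(host, allow_domains):
            hosts.add(host)
    return sorted(ips, key=ipaddress.ip_address), sorted(hosts)


def bpf_filter(ips) -> str:
    """tcpdump/ngrep filter matching either direction of a talk with any bad IP,
    so the capture holds the whole conversation, not just the outbound half."""
    return " or ".join("host " + ip for ip in ips)


def sinkhole_stanzas(hosts, zone_file="/etc/bind/db.sinkhole") -> str:
    """BIND named.conf stanzas making the internal resolver authoritative for each
    bad name; zone_file is an assumed shared zone whose records answer 0.0.0.0."""
    return "\n".join('zone "%s" { type master; file "%s"; };' % (h, zone_file) for h in hosts)


# --- constructed feed (RFC 5737 addresses and .invalid names; not a real feed) ---
SAMPLE_FEED = """\
# constructed sample feed
203.0.113.10
203.0.113.10
http://203.0.113.25/loader.exe
http://Malware-Host.invalid/drop/1.php
malware-host.invalid/drop/2.php
https://cdn.legit-partner.invalid/x.js
www.bad-site.invalid:8080/a.html
198.51.100.300
not a url at all???
""".splitlines()

ALLOW_DOMAINS = ("legit-partner.invalid",)


def build_lists():
    return normalize_feed(SAMPLE_FEED, allow_domains=ALLOW_DOMAINS)


if __name__ == "__main__":
    ips, hosts = build_lists()
    print("tcpdump -i eth0 -s 0 -w bad-ips.pcap '%s'" % bpf_filter(ips))
    print(sinkhole_stanzas(hosts))
```

The printed tcpdump line is the daily capture job from the Detection section (-s 0 keeps the full payload). One caveat for lists in the tens of thousands: a BPF expression that long may exceed what the kernel filter can hold, so split the IP list across several capture processes rather than one giant expression.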

Hope this helps :)


List of open-source intelligence sites:


Friday, October 30, 2009

Firewall Log Analysis

Traffic analysis can provide valuable information about the state of your security posture, and one effective method of traffic analysis is firewall log analysis. With the right logging level, a good DB system to store the logs in, and a few good queries, it can tell you which of your hosts are compromised and when they got compromised.
Mark Stingley published a nice paper about the subject on his website. The paper is a must-read if you have Check Point firewalls in your environment; it details the set-up of a complete system, using only open source software, to accomplish professional-grade firewall log analysis.
The paper goes beyond the set-up and lists example scripts that can be run against the logs to detect, near real-time, SPAM bots, DoS attacks, and other anomalous traffic. The work is really a platform upon which you can build other checks and balances that are specific to your network and traffic patterns.
Here is an example of what you could do with it:
  1. Automate the collection of malware IPs from open-source intelligence websites; ZeuS Tracker and Malware Domain are two examples, and both publish plain-text lists of confirmed malware IPs.
  2. Normalize the list (strip comments, validate each entry, deduplicate) and run a query on a daily, or maybe hourly, basis against your firewall logs to find out which of your hosts are talking back.
  3. If you get any hits from the above, analyze the firewall logs for those hosts to all destinations; you can pretty much tell when a host was compromised because the host's connection profile WILL change after the point of compromise.
  4. This step is not related to traffic analysis, but you can start a full payload capture, aka wiretap, on the compromised host and see what 0-day sigs you can pick up. <-- Hmm... I'll start working on a post on this point :) stay tuned.
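Steps 1 to 3 above, worked through as an added example with sqlite3 standing in for the "good DB system". This is not Mark Stingley's tooling and not this blog's scripts; the blocklist text, the log lines and their "ts src sport dst dport action" layout are constructed for the example (a real Check Point export has more columns, but the queries only need these).

```python
"""Added example of steps 1-3 above, using sqlite3 as the 'good DB system'.
Not Mark Stingley's tooling and not this blog's scripts. The blocklist text,
the log lines and their 'ts src sport dst dport action' layout are constructed."""
import ipaddress
import sqlite3

BLOCKLIST_TEXT = """\
# constructed: the shape of a ZeuS Tracker style text feed
# updated 2009-10-30
203.0.113.7
203.0.113.7
198.51.100.23
not an ip
"""

LOG_TEXT = """\
2009-10-29T09:12:01 10.1.1.5 51234 192.0.2.10 80 accept
2009-10-29T09:15:44 10.1.1.5 51240 192.0.2.11 443 accept
2009-10-29T10:02:13 10.1.1.9 40123 192.0.2.10 80 accept
2009-10-30T08:01:02 10.1.1.5 51300 203.0.113.7 8080 accept
2009-10-30T08:06:02 10.1.1.5 51301 203.0.113.7 8080 accept
2009-10-30T08:07:10 10.1.1.5 51302 198.51.100.23 443 accept
2009-10-30T08:09:00 10.1.1.5 51303 198.51.100.40 25 accept
2009-10-30T08:09:01 10.1.1.5 51304 198.51.100.41 25 drop
2009-10-30T08:09:02 10.1.1.5 51305 198.51.100.42 25 drop
2009-10-30T11:40:00 10.1.1.9 40200 192.0.2.12 80 accept
"""


def normalize_blocklist(text):
    """Step 2: drop comments and blanks, reject anything that is not an IP,
    deduplicate, and return canonical strings so the SQL join is exact."""
    out = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            out.add(str(ipaddress.ip_address(entry)))
        except ValueError:
            continue  # feed garbage: skip rather than poison the query
    return sorted(out)


def load_db(log_text, bad_ips):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fwlog (ts TEXT, src TEXT, sport INTEGER, "
               "dst TEXT, dport INTEGER, action TEXT)")
    db.execute("CREATE TABLE badip (ip TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO fwlog VALUES (?,?,?,?,?,?)",
                   [line.split() for line in log_text.splitlines() if line.strip()])
    db.executemany("INSERT INTO badip VALUES (?)", [(ip,) for ip in bad_ips])
    db.execute("CREATE INDEX fwlog_dst ON fwlog(dst)")  # the daily query hits this
    return db


def hosts_talking_back(db):
    """Step 2: internal hosts that contacted a listed IP, with first/last
    contact and hit count. Dropped connections count too: a blocked callback
    still means the host is infected."""
    return db.execute("""
        SELECT src, MIN(ts), MAX(ts), COUNT(*)
        FROM fwlog
        WHERE dst IN (SELECT ip FROM badip)
        GROUP BY src
        ORDER BY MIN(ts)""").fetchall()


def profile_change(db, host, first_seen):
    """Step 3: the host's connection profile before vs. from its first
    callback as (distinct destinations, distinct ports, connections), plus
    the destinations it had never talked to before that point."""
    q = ("SELECT COUNT(DISTINCT dst), COUNT(DISTINCT dport), COUNT(*) "
         "FROM fwlog WHERE src = ? AND ts {} ?")
    before = db.execute(q.format("<"), (host, first_seen)).fetchone()
    after = db.execute(q.format(">="), (host, first_seen)).fetchone()
    new_dst = [r[0] for r in db.execute(
        "SELECT DISTINCT dst FROM fwlog WHERE src = ? AND ts >= ? "
        "AND dst NOT IN (SELECT dst FROM fwlog WHERE src = ? AND ts < ?)",
        (host, first_seen, host, first_seen))]
    return {"before": before, "after": after, "new_destinations": new_dst}


if __name__ == "__main__":
    db = load_db(LOG_TEXT, normalize_blocklist(BLOCKLIST_TEXT))
    for host, first, last, hits in hosts_talking_back(db):
        print(host, "first callback", first, "last", last, "hits", hits)
        print(profile_change(db, host, first))
```

Timestamps are stored as ISO 8601 text so that string comparison in SQL orders them correctly; with the constructed data, 10.1.1.5 goes from two web destinations on two ports to five never-seen destinations including a burst of outbound port 25, which is the kind of profile change step 3 is looking for.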


Monday, October 26, 2009

Security Analogies

A while back, I came across Scott Granneman’s security analogies’ wiki. The original wiki is now gone, apparently due to spammers taking over. Fortunately, Scott kept the content and mirrored it to his website.

I find the list to be very valuable, as I often rely on analogies to explain InfoTech concepts to a diverse audience; and it works.

Without further ado, here goes some of Mr. Granneman’s work below, with some editing. Feel free to comment, suggest edits, and post new analogies.

Disclaimer: This work is published under the GNU Free Documentation License 1.2.


Anti-Virus
Most Anti-Virus software packages are like flu shots.
  • They only protect against the known or more popular virus strains.
  • They are not replacements for other preventative actions.
  • They are updated regularly and must be current to be effective.
  • When there is an outbreak, it takes some time until the new virus can be identified and a vaccine is developed.
Denial of Service
Definition
A Denial of Service is an event, or series of events, which overwhelms part(s) of an infrastructure such that the infrastructure can no longer accomplish its intended function.
The Phone Analogy
It's equivalent to asking 1000 people to call the same individual's phone number, over and over. That person - let us call her Alice - would be unable to use her phone, as the volume of calls would overwhelm the line.
One comment I've gotten when using this analogy is "Why doesn't Alice just not answer the phone unless she recognizes the number? Or just turn the phone off?" so rather than stretch the analogy adding that caller ID doesn't work or that she can't turn it off I change it a bit: make Alice the receptionist at an office. She can't stop answering the phone without losing her job and not only is her phone useless she can't greet people who walk in the door, tell them where the bathroom is, file papers, notify her boss that an appointment is there, etc.
The Motorway Analogy
On a long-distance car journey, you probably start out on a small road, turn onto a main road, then join a motorway for most of your journey. When you get near to your destination, you repeat the pattern in reverse, turning onto successively smaller roads until you arrive at your destination. Your route starts along a narrow, low-capacity link, transfers to a high-capacity link, and then back to a low-capacity one near your destination. Normally, this is ok because although there are many cars on the motorway, they are all going to different places, so there are only a few cars using each of the smaller roads.
When there is a big music festival on, though, a large number of cars from the motorway all decide to leave at the same junction and take the same route along minor roads to the same destination, causing a traffic jam and preventing locals from reaching their homes in nearby villages. This convergence of traffic from many points on the network is like a distributed denial of service attack online. The problem comes at each point where a wide pipe (a motorway or internet backbone) feeds into a smaller one (a country road or an individual company's internet connection). If the wide pipe feeds the narrow one more traffic than it can accept, then congestion occurs. (On the road, the cars wait in queues, on the internet the packets will be discarded if they cannot be fed through in a reasonable time-frame).
This is why a DDoS attack can be so hard to prevent, because the problem occurs not just in one place, but also at multiple interfaces across the internet infrastructure, over which you as the victim have no direct control.
DoS: Intent or Accident?
It's important to note that DoS attacks are not only caused with malicious intent; denials of service can happen as a result of many otherwise benevolent causes as well. The "Slashdot Effect" is a well-known Web-DDoS problem. A traffic jam is a real-world example of a DDoS attack which is not caused (in most situations) by malicious activity, just an overwhelming of the roadway.


Wiping a drive
Definition
The act of securely overwriting data on a storage device so that it cannot be restored.

When a user wants to erase files on a storage device (such as a computer hard drive or memory card), she usually uses the "delete" command or "formats" the device, assuming that this will irretrievably remove the data stored therein. This is very much not the case. A regular erase operation only deletes the computer's reference to where the file is located on the storage device, not the data contained in the file itself. This data is then recoverable using widely available tools.
The Library Analogy
An analogy would be going into a library and destroying the card catalog; you have eliminated the common method people use to locate books, but have not touched the books themselves nor any content in them. Someone who went through the (admittedly laborious) task of looking at each book in sequence would eventually find the book and information she was looking for.
In order to "wipe" a drive a user should use a process that over-writes each piece of data one or more times. This would be the equivalent of going into the library, opening each book, overwriting every letter inside with a different character, and then tearing all the pages out of the book. You now have the equivalent of gibberish, with no organization.

Memory vs. Disk Space
Memory and Disk Space are not the same thing. Most computers have far more disk space than memory. Information in memory is information your computer is accessing right now. Information on the disk is information your computer can access when necessary.
The Office Analogy
This can also be compared to a tabletop and file cabinet. Ideally, the tabletop (memory) holds all the documents you are currently working on and reading. You save them to the file cabinet (hard disk) when you are done.
If you don't have enough room on your table top you are constantly putting documents in the filing cabinet to free tabletop space. This makes things slower as it takes more time to file and retrieve things from the cabinet than to just look at them on the tabletop.

Operating Systems
Construction Foremen Analogy
An operating system is like a construction foreman. Users, as the owners of the construction site, issue abstract orders such as Create this file, Open this application, or Browse this website. The operating system is then responsible for translating that abstract order into physical actions. To accomplish these actions, the operating system uses various hardware and software components (such as network controllers, hard drives, monitors, etc.) much like a construction foreman would work with carpenters, electricians, etc. to get the order accomplished.
In addition to taking responsibility for the completion of tasks, the Operating System is also responsible for 'behind the scenes' management tasks. The Operating System also defines system security, much like a construction foreman would say which workers were allowed into which areas of the construction site. Also, the Operating System is responsible for allocating resources in the same manner that the construction foreman would say who gets to use the one crane shared by the entire site, and when (or how) to distribute the limited number of workers to each process.

Firewall
Wall and Guards Analogy
A firewall is similar to a wall around a city or a wall around a building. It can help protect either a network or a specific computer. It can prevent traffic from going into or out of the city except through designated gates. Another term for these gates would be ports. For example, if you want someone to be able to send you email, you would open up a specific gate and email could get into your network. The gates do sometimes have guards (application gateways) that inspect the traffic as it goes back and forth. But of course the guard can also be attacked; if you're lucky, an unconscious guard means the gate stays locked because the guard won't open it (the gate fails closed rather than open).

Adware
Adware as Paparazzi
Hollywood superstars have to deal with intrusive reporters and photographers following them around, documenting where they shop, what they wear, what they had for breakfast, etc.
Other times, they may take part in a prescheduled interview only to be blindsided by inappropriate questions or personal attacks. Think of adware on your system in similar terms. Adware is typically invited into your computer under the guise of a useful program. Buried in the legal notice that you agree to when you install it are stipulations that let the software track your habits. Adware follows you around the Internet and logs the websites you visit, the purchases you make, the ads you click on, the services you use. This information is sent to a third party you can visualize as a newspaper publisher. This publisher determines what sells and what to toss away.
When your behavior matches with something the publisher is associated with, they publish ads to your system. Ad-supported software sounds harmless enough, just like folks taking pictures of celebrities in public sounds harmless. The problem is that both activities can quickly become intrusive. You wouldn't want a reporter following you into the bathroom to see what brand of toilet paper you choose. You don't want adware to bombard you with ads related to sites you inadvertently visited or clicked on only once. It gets worse. Reporters can doctor photos and make up things for articles they write. Adware can be used by unscrupulous businesses to send inappropriate ads to your system. Getting pop-ups about the best brand of cheese is one thing; getting pop-ups advertising pornography or prescription drugs on the cheap is something else entirely. The easiest way to avoid the Internet paparazzi is to deny them entrance in the first place. Slam the door in their face by not installing ad-supported software, by keeping your anti-virus software up to date, and by running periodic scans for spyware on your system.

Sunday, October 25, 2009

How to do full packet capture on a Cisco Firewall, in 4 steps.

So, you want to get a pcap file, with full payload, out of your Cisco firewall, and you want to capture on the Cisco and then transfer the file to your local PC or Linux box so you can analyze the traffic with tcpdump, Wireshark or a similar tool? Here is how to do it:
ONE: Create and fire up the packet capture:
#capture MYCAP interface IFNAME packet-length 1500 buffer SIZE
The above command will capture everything; if you want to filter your capture, add an access list, like so:

#capture MYCAP interface IFNAME packet-length 1500 access-list 777 buffer SIZE
Remember to define access-list 777 first. Of course, you can substitute 777 with any other number. SIZE is the capture buffer in bytes; by default the capture stops once the buffer is full, so either size it for the traffic you expect or add the circular-buffer keyword so the newest packets overwrite the oldest.
TWO: Stop the capture:
# no capture MYCAP interface IFNAME
Self-explanatory; just be sure to type the command as is and don't shorten it. Detaching the interface stops the capture but keeps the buffer, whereas 'no capture MYCAP' deletes the whole capture and you'll lose your data.
THREE: Retrieve the captured data:
Point your browser to the firewall's HTTPS URL like so:
https://FW-IP-address/capture/MYCAP/pcap
(On ASA the path carries an extra /admin/ component: https://FW-IP-address/admin/capture/MYCAP/pcap.)
Download the pcap file, and open it with Wireshark or a similar tool.
Note: you can also copy the pcap off the box with TFTP: copy /pcap capture:MYCAP tftp://TFTP-SERVER/MYCAP.pcap
FOUR: Don’t forget to clean-up:
# no capture MYCAP
This will completely remove the capture and the pcap data off of Cisco.

I hope this helps.


Thursday, October 22, 2009

How to find the top talkers in a pcap file.

So you have a large pcap file and you want to filter out the one IP that is creating all the noise so you can focus on the rest of the stuff. But, how do you know the culprit? Here is how to look for the top talker:

tcpdump -tnr PCAPFILE  | awk -F '.' '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -n | tail -n 5

Actually, the above command will yield the top 5 talkers along with the number of packets each one sent. Here is the explanation:

  1. First we read the pcap file: tcpdump -tnr PCAPFILE. The -t option omits the timestamp, which we don't need here, and the -n option stops tcpdump from resolving hostnames and service names, so it prints IPs and ports numerically (and, as a bonus, does not leak the IPs you are investigating in DNS queries).
  2. We pipe the output from tcpdump into awk, a powerful text processor. The -F '.' option tells awk to split each piped input line into fields on the "." character; the fields are assigned to $1, $2, $3, etc. respectively. A tcpdump IPv4 line starts with "IP src.sport > dst.dport", so the formatted print command '{print $1"."$2"."$3"."$4}' outputs "IP xx.xx.xx.xx", the xxs being the four parts of the source address (the source port lands in $5 and is dropped). This only works for IPv4 lines; IPv6 or ARP lines would produce junk entries, so add the filter expression ip to the tcpdump command if your capture mixes them. Despite the name, awk is not awkward; it's rather graceful.
  3. Now we pipe awk's output into sort, so that identical IPs end up next to each other in one long column; uniq only collapses adjacent duplicates, so this step is required.
  4. We pipe the output from sort into uniq with the -c option, which eliminates all but one occurrence of each line AND prefixes the surviving line with the count of the original occurrences. So now we have a column of IPs and their frequency in the pcap file in this format: [COUNT] IP [IPADDRESS]. COUNT is numeric, so now we just need to sort the column numerically to find the top talkers.
  5. Pipe the output from above into sort -n; the -n is, you guessed it, sort numerically, as the default behavior of sort is lexical. That's it; you have a list of talkers from the quietest to the chattiest.
  6. Pipe the output from above into tail -n 5; the -n 5 option chops off everything except the last 5 lines, which are your top 5 talkers.

Depending on the situation, this can also help you determine who is SYN flooding you: run tcpdump in live capture mode and pipe its output through the same chain. You'll need the -c option, though, so tcpdump stops after a set number of packets; sort cannot emit anything until it sees the end of its input.
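The same idea in Python, as an added example written for this page that serves two passages: the top-talkers one-liner above, and the earlier detection post's suggestion of pulling downloaded executables out of the wiretap pcaps. It is not the blog's code. It reads the classic pcap format directly, so it needs neither tcpdump nor scapy, and the traffic it runs on is a pcap constructed in memory below; the hosts, the URL and the PE-shaped payload are made up for the example.

```python
"""Added example (not the blog's scripts): parse a pcap file directly, count
packets per source IP (the 'top talkers' one-liner), and flag HTTP responses
that carry a PE executable. The sample pcap, its hosts and payloads are
constructed in memory for this example."""
import hashlib
import struct
from collections import Counter


# ---- constructed sample pcap -------------------------------------------
def _frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums (parsers do not care)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1256000000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


# Minimal MZ/PE shape: 'MZ', e_lfanew at 0x3C pointing at 'PE\0\0'.
PE_BODY = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x90" * 32
HTTP_EXE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(PE_BODY)) + PE_BODY
HTTP_HTML = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hi</html>"

SAMPLE_PCAP = build_pcap(
    [_frame("10.1.1.5", "203.0.113.7", 51300, 80, b"GET /update.exe HTTP/1.1\r\nHost: evil\r\n\r\n"),
     _frame("203.0.113.7", "10.1.1.5", 80, 51300, HTTP_EXE)]
    + [_frame("10.1.1.9", "192.0.2.10", 40000 + i, 80, b"GET / HTTP/1.1\r\n\r\n") for i in range(5)]
    + [_frame("192.0.2.10", "10.1.1.9", 80, 40000, HTTP_HTML)])


# ---- parser --------------------------------------------------------------
def packets(pcap):
    """Yield (src, dst, proto, tcp_payload) for each IPv4-over-Ethernet frame."""
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        order = "<"  # little-endian file (microsecond or nanosecond stamps)
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        order = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng needs another parser)")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from(order + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4: ARP, IPv6 and VLAN-tagged frames are skipped
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack_from("!H", frame, 16)[0]
        proto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        l4 = frame[14 + ihl: 14 + total]  # trims any Ethernet padding
        payload = b""
        if proto == 6 and len(l4) >= 20:
            payload = l4[(l4[12] >> 4) * 4:]
        yield src, dst, proto, payload


def top_talkers(pcap, n=5):
    """Packets sent per source IP, most to least: the one-liner's output."""
    return Counter(src for src, _, _, _ in packets(pcap)).most_common(n)


def downloaded_executables(pcap):
    """HTTP responses whose body starts with a PE header, as
    (server, client, status line, bytes seen, sha256 of bytes seen).
    Only catches files whose HTTP headers and first 0x44+ bytes land in one
    segment; for complete carving, reassemble the stream first (tcpflow or
    Wireshark's Export Objects), then hash the whole file."""
    hits = []
    for src, dst, proto, payload in packets(pcap):
        if proto != 6 or not payload.startswith(b"HTTP/"):
            continue
        headers, sep, body = payload.partition(b"\r\n\r\n")
        if not sep or body[:2] != b"MZ" or len(body) < 0x40:
            continue
        e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
        if body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            status = headers.split(b"\r\n")[0].decode("ascii", "replace")
            hits.append((src, dst, status, len(body), hashlib.sha256(body).hexdigest()))
    return hits


if __name__ == "__main__":
    print("top talkers:", top_talkers(SAMPLE_PCAP))
    print("executables:", downloaded_executables(SAMPLE_PCAP))
```

Counting by source address matches what the awk pipeline does; count by destination instead if you are hunting the target of a flood rather than its origin. The PE check walks the e_lfanew pointer rather than trusting Content-Type, because a malware server is free to label a dropper as text/html.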


I hope this helps :)

More to come.


About Me

Amar Yousif
InfoTech professional with interest in InfoSec research.