Famous Pete Wood Security

Cloud Security Alliance UK & Ireland

2011-03-29T19:36:00.002+01:00

I am delighted to have been appointed to the executive board of the new UK & Ireland chapter of the Cloud Security Alliance. I'm Chair of the Advisory Board which will give me plenty to work on over the next few months! I gave the keynote at our inaugural chapter meeting last week and really enjoyed the feedback and audience participation. Our next event is on Thursday 21 April when we are hosting a summit in London, inside Infosecurity Europe 2011.

Cyber Security In Real-Time Systems and CNI

2011-03-03T07:21:00.000Z

I'm going to be speaking at an event focused on cyber security threats and protection strategies for real time and critical national infrastructure (CNI) systems in Reading on 18 March. This subject area is finally getting some attention since the Stuxnet worm and I'm keen to help give some pragmatic advice.

09:30 - Coffee reception
10:00 - Welcome address
10:15 - CSIRS Threat Analysis and Actions
11:00 - Security Testing in Critical Systems
12:00 - Q&A Panel discussion
12:30 - Closing remarks
13:00 – Lunch

For more information contact David Spinks, Chairman of CSIRS at dspinks41@gmail.com

Cloud Security Alliance UK and Ireland

2011-02-12T14:23:00.000Z

Good news for those of us involved in cloud security in this part of the world: the UK & Ireland Chapter of the CSA is now up and running. As an executive board member I'm keen to spread the word of course. If you are interested in cloud security, follow this link to the LinkedIn group - it's free to join. Go on - you know you want to :-)

A Software Engineer, a Hardware Engineer and a Departmental Manager ...

2011-01-18T08:38:00.001Z

A Software Engineer, a Hardware Engineer and a Departmental Manager were on their way to a meeting in Switzerland. They were driving down a steep mountain road when suddenly the brakes on their car failed.

The car careered almost out of control down the road, bouncing off the crash barriers, until it miraculously ground to a halt scraping along the mountainside. The car's occupants, shaken but unhurt, now had a problem: they were stuck halfway down a mountain in a car with no brakes. What were they to do?

"I know", said the Departmental Manager, "Let's have a meeting, propose a Vision, formulate a Mission Statement, define some Goals, and by a process of Continuous Improvement find a solution to the Critical Problems, and we can be on our way."

"No, no", said the Hardware Engineer, "That will take far too long, and besides, that method has never worked before. I've got my Swiss Army knife with me, and in no time at all I can strip down the car's braking system, isolate the fault, fix it, and we can be on our way."

"Well", said the Software Engineer, "before we do anything, I think we should push the car back up the road and see if it happens again."

(With thanks to John Mitchell)

Festive Greetings

2011-01-01T17:47:00.000Z

Season's greetings dear readers - it been a while, thanks to a combination of overwork and illness, but here at last is a new posting from FPWS. I'll make it simple and festive:
http://www.youtube.com/watch?v=CDTjXjQJ75o

Happy New Year to everyone!

Fighting malware in your browser

2010-10-26T14:27:00.000+01:00

I've mentioned Team Cymru before. Now I want to draw your attention to their Malware Hash Registry (MHR) project and in particular their add on for Firefox. This must be the simplest and most effective way of ensuring your downloads are free of malware - and it's free. Just check it out.

Vote for us!

2010-08-27T12:01:00.000+01:00

Exciting news for First Base Technologies - we've made the final in the "Security Service Provider of the Year" category of the Computing Security Awards based on volume of on-line nominations. Voting is now underway.

Please consider voting for us at www.computingsecurityawards.co.uk - use the drop down menu under Security Service Provider of the Year and cast your vote!

Thanks!

Personal mobile devices

2010-08-05T16:43:00.000+01:00

I was recently invited to a roundtable event to discuss the results of some research sponsored by Sourcefire. Part of the survey results concerned the use of personal mobile devices, which seems to be a hot topic with many of our clients. Here's a summary of the findings:

69 percent of UK employees use their own personal devices for work-related purposes, and 71 percent move data on and off the corporate network via these devices, and almost all carry out activities that could put company data at risk. 96 percent of senior managers and directors use personal devices for work tasks.

83 percent of employees admit such actions pose a risk to their organisation’s IT security, but if banned, 1 in 3 would just carry on using them regardless. In fact, 27 percent believe the company should be grateful that they are so conscientious.

63 percent of senior managers / directors use their personal devices to move information off the corporate network and 95 percent of people use their personal devices to carry out activities that could put data at risk – such as Internet shopping and social networking.

98 percent of employees also have a personal email account and during the last 12 months, 1 in 4 employees have used it to achieve work-related tasks. The most common being to send urgent emails when the corporate email has been down (18 percent) whilst 12 percent have used it to receive legitimate work documents that were being blocked by the company firewall.

It looks like we'll all be in the security business for a long time to come!

May 2010 ramblings

2010-06-01T19:21:00.003+01:00

I see it's been almost two months since my last blog entry. What poor discipline - sorry. Things have been really hectic here at First Base Technologies, which is my only excuse.

This year's Infosecurity Europe was the best for many years - we invested in a new and larger stand and more staff and the results speak for themselves. Lots of visitors with a better appreciation of what penetration testing is all about and how it fits into PCI-DSS. Better informed discussions about penetration testing as part of Governance, Risk and Compliance too.

Today I had an excellent meeting with Claranet who provide secure hosting in a private cloud. Just what we need - a guarantee of where our data resides for compliance with Data Protection coupled with a cast-iron SLA. And they provide secure networking too. Great stuff.

Hot topics for 2010 - discuss!

2010-03-04T11:41:00.000Z

I've just been asked for my "hot topics" in infosecurity for 2010, so I thought it would be interesting to throw these out at you and see what you think, so here goes:

1. Security awareness
It's increasingly obvious that technical controls alone are not providing organisations with the security they need. Staff education and awareness, delivered in a creative and imaginative way, is critical to managing information security in 2010.

2. Cloud computing
Few organisations are giving serious consideration to the security risks inherent in the cloud computing model. Whilst day-to-day operations can be outsourced in this way, the responsibility for security cannot. A combination of technical, legal and audit skills are required to ensure the security of data in the cloud.

3. Defense against cybercrime
Organisations continue to underestimate the devious nature of cyber criminals and have little or no commitment to "thinking like a hacker". This mind set is critical in order to apply budget and resources to the areas where criminals are most likely to attack and to counter their methods effectively.

Opinions anyone?

A Happy New Year for data protection?

2010-01-18T17:23:00.000Z

UK readers may have noticed that the Information Commissioner’s Office (ICO) will have new powers to fine organisations responsible for security breaches from 6 April 2010. Fines of up to £500,000 can be imposed for serious breaches of the Data Protection Act. The ICO press release is here.

Jonathan Armstrong of Duane Morris, with whom I've shared several conference platforms, thinks this will make CEOs and other senior people take more notice and should make some IT security budgets less prone to cuts. As he says, "If the ICO can levy some decent fines early on, people may take more notice." His article is here.

We can only hope that tougher UK legislation will start to make a difference to the lackadaisical attitude of some senior people towards security!

BCS ELITE annual dinner

2009-11-27T14:40:00.001Z

Last night I attended the BCS ELITE annual dinner - the first for several years, but well worth the wait. It was a black tie event at the Landsdowne Club, where the food and wine was excellent, and the latter flowed in quantity (hence feeling rather fragile today). I was really pleased to find that I was sharing a table with the always entertaining Lord Renwick and his lovely Lady, as well as several other intelligent and erudite folk. What a good start to the festive season :-) This post isn't really much to do with security, but I would recommend ELITE to anyone interested in good conversation and networking with IT people.

ISACA European ISRM Conference

2009-11-13T18:50:00.003Z

I just spent three extremely useful and enjoyable days at the ISACA Information Security and Risk Management conference in Amsterdam. A great selection of speakers and topics, plus terrific networking opportunities. If you are able to attend next year (in Vienna I believe) it could be a good investment. For US readers, the conference is also held Las Vegas - this year's event was just as stimulating as the European version.

Facebook bugs galore

2009-10-11T13:43:00.002+01:00

I'm an enthusiastic Facebook user, unlike some in the security community. I find social networking rewarding on a personal level and as a musician and am prepared to go the extra mile to limit my exposure as a result.

I was therefore, fascinated to find The Month of Facebook Bugs - a series of reports on vulnerabilities in Facebook applications. Well worth a read, especially if your personal information on Facebook is genuine and you enjoy using lots of Facebook apps!

Global crime networks

2009-09-22T14:46:00.003+01:00

Today I was sent a link to an excellent video of journalist Misha Glenny, who spent several years investigating organized crime networks worldwide. If you watch one security-related video this week, this should be it!

Skype hack (at last?)

2009-09-03T14:48:00.003+01:00

I'm conscious that my blog postings now resemble a London bus - you wait for ages, then three come along at once - but I had to share this with you.

Ruben Unteregger wrote a Skype phone call Trojan three years ago, then a few days ago he released the source code. Now, unsurprisingly, something very similar has appeared in the wild. I continue to be pleased that we don't allow Skype (or any real time protocols in fact) in our business.

Defending the Enterprise webcast

2009-09-03T11:51:00.003+01:00

My recent webcast "Defending the Enterprise with more than Silver Bullets" is now available to view in recorded format here

How safe is your online bank?

2009-08-29T13:35:00.004+01:00

When Which? Computing asked me to help evaluate online banking services, I expected to find very similar results amongst the ten banks they selected. However, as their press release says, there were some pretty big differences. Although we only looked at the visible security measures in place, some banks appeared to offer little to help defend against simple keyloggers.

I know that there are some sophisticated banking Trojans around, using man-in-the-browser attacks, but surely that's not an excuse to ignore defending against simpler malware and physical keyloggers?

Obviously banks need to balance good security against usability, being concerned that consumers may be put off by complex authentication processes. But with the vast increase in the number of Trojans, and more and more people using public WiFi and shared computers, Barclays' approach of using a PINsentry device seems like the most secure option.

A day off

2009-05-17T11:45:00.002+01:00

Having decided to have a day off, I find myself browsing the National Museum of Computing web site. I first met Tony Sal e about ten years ago and his enthusiasm was infectious. If you haven't visited Bletchley Park then I strongly recommend it - not only to learn about the history of computing but also the incredible work done by the code breakers during World War II. If you've got a few quid (or dollars or Euros) to spare, then consider a donation to either of these excellent organisations.

The show is over ... and web authentication bypass

2009-05-02T12:15:00.005+01:00

Well, that's Infosecurity Europe over for another year - our 7th as exhibitors and my 11th as a speaker (I think). The new venue at Earls Court seemed to be viewed by most people as a big improvement and I have to agree - the show felt more relaxed yet more alive.

Our press conference on web authentication bypass was well received, with Computer Weekly and Infosecurity Adviser reporting the story. We'll be explaining more about this problem, which stems from poor web site configuration, at our next white-hats.co.uk meeting on 15 May. The fact that the problem affects web portals as well as e-commerce sites and that even two-factor authentication is no protection makes this an important issue for discussion.

It's that time again!

2009-04-21T18:37:00.003+01:00

Once again it's almost time for Infosecurity Europe and this year I seem to have a very full diary for all three days!

On Tuesday 28th April at 12:00 I'm giving a talk on "Cloud Computing: 50 Ways to Lose Your Data" closely followed by a press conference on a nasty new trend in compromising e-commerce sites.

On Wednesday 29th at 15:00 I'm wearing my white-hats.co.uk and ISACA hats and chairing a security expert panel on "Social Engineering: Techniques and Mitigation", a topic very close to my heart!

Then finally on Thursday 30th, again wearing my white-hats.co.uk hat, I'm facilitating two different discussions in the new Security Cafe one on "Laptop Security - Understanding The Threats & Countermeasures" and the second on "Wireless Security - The Real State Of Play" which is about threats to corporate security through insecure home wireless networks.

I'll be ready for the long weekend after all that!

Excellent podcasts

2009-03-15T12:24:00.004Z

I was recently introduced to podcasts by finux on Hacker Public Radio

finux is a very talented guy who I met during a trip to the University of Abertay in Dundee. His podcasts are well worth a listen. You can also find him on his Linux Society blog

Fame at last

2009-03-11T18:19:00.004Z

OK - it had to happen, someone finally posted a video interview of me to YouTube. It's all about blended attacks and was recorded at the Combating Cybercrime in Betting & Gaming conference in January this year. I'm quite pleased with the interview, but I hate to imagine what the YouTube viewers are going to say! :-)

Gary McKinnon

2009-01-20T18:30:00.003Z

As someone who works to combat cybercrime and cyberterrorism you may be surprised that I am very much against the extradition of Gary McKinnon. However, I am also someone with intimate knowledge of Asperger's syndrome in two members of my immediate family. As a result, I had the privilege of meeting and discussing Asperger's with the UK's foremost authority, Dr. Simon Baron-Cohen during a diagnosis some years ago. Dr. Baron-Cohen has lucidly explained the condition and the potential impact of incarceration on Gary here. I have no doubt that if he believes Gary has Asperger's then that will be the case.

The IT industry not only contains more than its fair share of people with Asperger's, it also benefits significantly from their intelligence and intense focus. If you work in IT you probably know several people with this condition, although you (and they) may not realise it. We need to try to understand them, to celebrate their positive contributions and to make allowances for some of their apparently obsessive behaviours. You may even be interested to test your own Autism-Spectrum Quotient or to support the National Autistic Society.

Identifying compromised credit cards

2008-12-10T11:01:00.004Z

I just received news of a new Team Cymru no-cost service for worldwide Financial Institutions.

Their BIN ('Bank Identification Number') feed comprises a near real time list of accounts and credit cards that have been identified as being compromised. This data comes from Team Cymru's unique insight into the Underground Economy.

Representatives of Financial Institutions can email outreach@cymru.com with details of their BIN/IIN numbers. Team Cymru will provide access to a secure web portal where Financial

Institutions can obtain a regularly updated list of their own compromised accounts. Details of the compromised accounts of other Financial Institutions will not be available.

See http://www.team-cymru.org/Services/BINFeed/

for further details of this new service.

Team Cymru provide no cost data sets and services to the community. Take a look at their site for details of the extensive work they do for the security community as well as further advice, data and tips to help you make your networks more secure: http://www.team-cymru.org/Services

Telecommuting

2008-11-06T17:30:00.003Z

I've been working from home a lot more since my replacement hip operation a year ago. It started as a necessity, but I found it very productive and stuck with it. Now I've got to the point where I miss my colleagues and the general office banter, so am adjusting my routine to include more days in the office (it's only 15 minutes away, so not much of an effort). Thinking about this, I remembered a wonderful sequence of Dilbert cartoons.

However, as more and more organisations give employees the flexibility to work at home, I can't help wondering about the impact on security ... unencrypted (or WEP-encrypted) home wireless networks ... kids playing with company laptops ... unencrypted hard drives ... no clear desk policies ... poor physical security ... and an increasing trend for staff to use their home computers to connect to company VPNs. Scary stuff.

Perhaps we ought to consider expanding ethical hacking and audit to include home networks and PCs?

Team Cymru

2008-10-28T10:56:00.003Z

An old chum e-mailed me about a very interesting service that Team Cymru has just launched. Here's what he had to say:

This email is to announce a new look-up service that Team Cymru is launching today. The Malware Hash Registry (MHR) service allows you to query our database of many millions of unique malware samples for a computed MD5 or SHA-1 hash of a file. If it is malware and we know about it, we return the last time we've seen it along with an approximate anti-virus detection percentage.

There is no cost for non-commercial use of this tool. Access is publicly available to anyone.

Upon submission of a malware hash, the output of the command will return a date the sample was first seen as well as the detection rate we've seen using up to 30 AV packages. The detection rate is based on the first time we scanned the sample.

Queries, including reasonable bulk queries, may be made using the command line only.

The MHR compliments an anti-virus (AV) strategy by helping to identify unknown or suspicious files that we have already identified as malicious. This enables you to take action earlier than you would otherwise be able to.

Full details including command syntax and procedures can be found at: https://www.team-cymru.org/Services/MHR/

This is one of several new (free) data sets and services we are currently providing to the community; if you haven't visited our (recently revamped) site recently please do so for details of the extensive work we do for the security community as well as further advice, data and tips to help you make your networks more secure:

https://www.team-cymru.org/Services

We very much look forward to working with you all on this new project and we sincerely hope that as many of you as possible will be able to actively participate in the use of this unique and very exciting new service.

Warm regards,

Team Cymru.

Cloud computing

2008-09-17T10:05:00.002+01:00

Data Security Podcast recently asked me to comment on the security issues in cloud computing - the result is here if you're interested. Nothing revolutionary of course, just best practice and my usual hatred of passwords :-)

Geek humour

2008-08-24T08:47:00.003+01:00

Last week I spent a very enjoyable three days passing along some penetration testing skills to a room full of nice people. Amongst them was a gentleman named Dan from Texas. Dan was good company and a knowledgeable penetration tester - he also recommended xkcd to me and I strongly suggest it to you - it's inspired.

Le SPAM?

2008-08-02T16:04:00.004+01:00

I've recently spent a good deal of time getting my head around French IT terms (including impenetrable phrases such as matrise d'ouvrage) in order to translate some IT security awareness material into English. A few days after I finished the first piece of work, imagine my surprise when I started receiving French SPAM. And, no, it's no more interesting than the English/US version IMHO!

A little head scratching and I realised that my pride had caused me to announce that I was translating French awareness material into English in my "what are you doing at the moment" thingy in Facebook. As far as I can see this is the only place on the web where my translation skills were on display. So - are the spammers monitoring all our Facebook accounts to refine their targets, or am I being paranoid again?

~{:-D

Is your network public?

2008-07-11T15:31:00.002+01:00

If I were to wander into your offices, plug in my laptop and within minutes take control of your network infrastructure, would you be surprised?

There’s a "backdoor" into many large networks which few organisations seem to recognise or understand – Simple Network Management Protocol (SNMP). SNMP is the Internet standard protocol developed to manage nodes (servers, workstations, routers, switches and hubs etc.) on an IP network. It enables network administrators to manage network performance, find and solve network problems, and plan for network growth (ref http://www.snmplink.org/). It’s also one of the easiest ways for someone to control your network, steal information and eavesdrop on traffic!

By default, SNMP is enabled on routers, switches and even servers. If you’re using network management software like HP OpenView or IBM Tivoli then you’re using SNMP. Even if you’re not using any network management tools, you’ll still have SNMP somewhere on your network. There are two passwords (called “community strings”) that you need to know in order to take advantage of SNMP - the read string, which has a default value of “public” and the read/write string, which is set to “private”. Most people never change these defaults. Armed with this knowledge you can view, alter or remotely control any SNMP-enabled device.

When I plug into your network a DHCP server will issue me an IP address. At the same time I am also given a “default gateway” address – the address of the router that my laptop needs to know about in order to view the rest of your network. Just type “ipconfig –all” at a command prompt to see what I mean. If I feed the default gateway address into a network discovery tool like SolarWinds Network Sonar (http://www.solarwinds.net/) and if your router is set up with defaults, I will soon have details of every device on your network. I can also download the router config from each of your routers and read the administrative passwords, giving me the keys to your network infrastructure.

If you have Windows servers running SNMP (and chances are you do) then I can list the name of every user and group on that server. This gives me an excellent starting point for password guessing and dictionary attacks. I can also map out your Windows domain, discover your server names and even see what hardware you’re using.

Of course it’s not just the casual visitor who may take advantage of this vulnerability, but a disgruntled member of staff, an industrial spy disguised as a contractor or just a nosy IT graduate. Most organisations remain highly vulnerable to insider attacks, yet feel secure because they’ve spent a lot of money on firewalls. It’s time to wake up and recognise that organised crime and casual thieves will both take the easiest, least risky route and that’s from inside the organisation.

So what can you do? First and foremost, if you’re not using SNMP, turn it off! If you are using it, a good start must be to change those default community strings. But before you rush off to start this project, a few words of caution. Firstly, discover which software in your organisation is using SNMP and whether it can use non-default community strings (there are still some horrible applications with hard-coded strings and passwords in many organisations). Secondly, once you’re satisfied that nothing will break if you change those strings, select something complex that will resist a dictionary attack. A long string of mixed case, numbers and punctuation is best. Thirdly, as you’ll need to write those complex strings down, make sure you secure that information properly!

Now, before you go to set up that meeting with your network admins, there are a number of other backdoors that may reveal your SNMP strings to an attacker even after you’ve changed them all. So build a strategy to seek out those backdoors and secure them, and then develop an incident response procedure to use when your shiny new community strings are compromised.

One sneaky method of exposing SNMP community strings is via server management consoles like HP/Compaq Insight Manager (CIM), which may have been poorly configured. A web browser interface to CIM can often be found on TCP port 2301 (and 2381 for HTTPS). Older versions have a default Administrator password of “administrator”, permitting an unauthorised user to gain control of the server remotely, read and alter the SNMP strings and even power down the server.

A short network discovery exercise can provide you with valuable information on your network weaknesses and a remediation plan for your networks team. Understanding how these and other default infrastructure configurations can provide unrestricted access to your network is a major weapon in the battle against hackers and insiders.

Exposing yourself for the summer

2008-06-06T13:52:00.002+01:00

As you'd expect, like all Brits, I'm trying to convince myself that we're actually having a summer. This put me in mind of social events, and specifically social networking. Everyone and their dog (literally) is now on Facebook it seems.

Lately there's been a lot of news about Facebook using personal details for profit and now Canada's federal privacy commissioner has launched an investigation into Facebook. Apparently four students complained that the popular Web site violates Canadian law by disclosing personal information to advertisers without proper consent.

This in turn reminded me of a wonderful YouTube video - definitely worth watching and passing on to your less security-aware friends and family!

After the goldrush

2008-05-13T15:19:00.003+01:00

Well here we are, a couple of weeks after Infosecurity Europe, and sure enough I was right. More silver bullets from all the vendors. If you want the video version of my thoughts look here: http://tinyurl.com/5rcfgt and if you're interested in my opinions on the real future of hacking, then look at this: http://tinyurl.com/63r4lb Despite my compaints about vendors, Infosec was a terrific place to meet friends old and new, as usual.

Meanwhile my thoughts are turning to the rash of drive-by web sites, innocently offering to infect your inadequately protected PC with all kinds of malware courtesy of JavaScript. The recent plague of infected sites has led me to once again extol the virtues of Firefox coupled with the NoScript plug in. Used intelligently, this really does provide trouble-free web browsing and is an essential addition to conventional anti-virus and personal firewall protection. If you haven't tried NoScript, I thoroughly recommend that you do - be patient while you teach it the trusted sites and you'll fall in love with it.

More silver bullets?

2008-03-07T09:10:00.003Z

With Infosec Europe approaching fast (22-24 April) my thoughts turned to the inevitable release of even more products, products, products. Everyone in IT loves gadgets, but is this really the future of information security? As penetration testers we spend a large proportion of our time trying to break into networks, with continued success unfortunately. However, when we analyse the reasons that networks remain vulnerable, we find that it's not about Zero Day exploits but rather mistakes that could have been avoided.

The same techniques I used to break into a Windows network in 1996 still work today, for example. Why? Because, despite manufacturers such as Microsoft and Oracle spending huge efforts to improve the security of their products, organisations still use stupid passwords, fail to understand security best practice and don't think outside of the box.

Just this week we again found Windows domain administrator accounts with pathetically weak passwords and business-critical infrastructure with default SNMP read/write strings. It took just just minutes to gain complete control of a global company's network with no prior knowledge at all. Every time we are asked to conduct a social engineering exercise - walking in the back door with the smokers, strolling past reception carrying a sandwich at lunchtime, or phoning the help desk and getting remote access - we find the same thing. No security awareness amongst staff at all.

So imagine my delight when five major clients all approached me to assist with staff awareness training this year. It seems that large organisations are finally getting to grips with the "human firewall" concept and realising that they need to invest in people, not just technology. Let's hope this trend continues!

The future of (ethical) hacking?

2008-01-21T17:30:00.001Z

This post is not about where the hacking community is going (whatever that means), but more what I'd like organisations to think about.

I'm particularly proud of one aspect of our service: that we are pragmatic. By this I mean our ability to focus on genuine threats without being lost in the testosterone-driven "I've found the most obscure vulnerability ever" mindset. Wearing a white hat is much more than digging deeper than the next penetration tester - it's also about helping clients to understand where they should put their effort and their budget to get the most appropriate defence.

For me the most obvious illusion is that the important attacks will come from outside the organisation and that they will come via the interweb. If an organised criminal is going to target your organisation, then they're going to take the route that combines the best return on their investment with the highest probability of success (and to some degree the lowest risk). This is a typical business model - just an immoral one in their case.

So where do I believe organisations should focus? On what I'm calling blended attacks - attacks that combine technical skills with social engineering. These are the types of attack which we find work time after time, in the fastest way, with the highest return and with little risk of detection. There's nothing new in this sort of approach (just read Kevin Mitnick), yet the majority of organisations do little or nothing to test for these vulnerabilities.

Here's an example from my own team's experience. Recently, a UK-based insurance company asked us to test their physical security, with the objective of stealing as much information as possible. Andy and I rented a car close to their offices, then I parked in their car park and waited, having dropped Andy off at the side of the building. He was wearing a suit without a jacket, so he looked as if he had just come out from the office. At the rear of the building was a door with a proximity card access control. This door was used by the smokers who (as usual these days) had to visit a little shelter at the rear of the building to get their fix. When one employee finished her cigarette and walked back towards the door, Andy ran after her and, complaining about the weather, asked her to hold the door for him - which of course she did. He was then able to open the door from the inside and let me in. We then played our assigned roles - Andy was the employee and I was the consultant, there to conduct a security audit (of course!). We found the usual suite of meeting rooms and selected one which was empty. Within a couple of minutes I had hooked up my laptop to a network port in the floor, obtained a DHCP address and started my network discovery software. After an hour or so, some genuine employees arrived to use the meeting room - we of course apologised for the double booking and found ourselves another empty room. In total we were on site for five hours and able to grab just about anything we wanted from the network. We were never challenged or asked to show a badge, and at the end of the day we left by the same route we came in. Game over.

There really is no substitute for the "human firewall" and there's definitely no patch for ignorance (it is ignorance, not stupidity in many cases, you know). Using the results of this type of exercise demonstrates to everyone how easy this devastating style of attack can be, and allows the organisation to start the difficult process of security awareness education. And they not only have to educate the office staff, they have to educate the IT folks and the senior managers and board members too.

Unprotected laptops

2008-01-01T22:04:00.001Z

With so many staff working at home one or two days a week and everyone wanting connectivity from anywhere in the world, laptops have become very important tools. Pretty much every organisation now has a VPN to give staff remote access across the Internet, yet a tiny minority understand how much at risk they are from laptops. If an attacker were able to gain control of a lost or stolen laptop, they would have access to all the information stored on it plus the opportunity to connect to the corporate network via the VPN.

From time to time we are asked to test the security of a laptop build - perhaps the organisation is intending to migrate to a new version of Windows or has simply designed a new “build” - in any event we are asked to test the security of their standard laptop configuration.

Our first check is to see whether a BIOS password has been set. This poses a small hurdle to the would-be attacker, one that is usually overcome fairly simply by a bit of jiggery-pokery on the motherboard or by removing the hard disk and putting it in a another system. A hard-disk password is a different problem, which often requires specialist assistance, and is therefore considerably more effective. Unless that is, the hard disk password is the same as the BIOS password in which case the problem is solved. However we have yet to find a corporate laptop utilising either form of power-on password, probably because of the anticipated support costs of all those forgotten passwords!

Assuming that there are no BIOS passwords, all we need is a Windows username and password. Since we have physical access to the machine, that is very easy to achieve. Software such as Petter Nordahl-Hagen’s Offline NT Password and Registry Editor is free and available for download on the web. This software creates a bootable CD or floppy disk which can be used to reset the administrator’s password without ever starting Windows.

Once done, you reboot the laptop and login as Administrator with full access to everything, including any dial-up or VPN connections of course. However, if your laptop’s owner has used Microsoft’s encrypting file system (EFS) on XP, then you will not be able to recover those files, which could be very irritating!

An alternative approach is to use a program like NTFS Reader for DOS, which will allow you to make a copy of the Windows SAM file containing the usernames and passwords, again without running Windows. Once you have a copy of the SAM file, you can run a password cracking program to discover all the passwords on the laptop, and then logon with the Administrator’s legitimate credentials.

This is slightly more time consuming but leaves no evidence of tampering and preserves the EFS files intact. In case you are wondering, a sure-fire way to crack the passwords is to use rainbow tables with a tool such as Cain and Abel. The rainbow tables are pre-computed password hashes for almost every combination of letter, number and punctuation character for passwords up to 14 characters in length, making the job of finding the passwords just a matter of time. Although they are very large (many gigabytes in size) Windows rainbow tables are available for free download from the Internet or can be purchased online for delivery on a set of CDs or DVDs.

There is one simple solution to Unprotected Laptops: full disk encryption. This provides the laptop user with the facility to protect everything with one easily remembered passphrase (much simpler to manage and remember than a complex password) whilst providing the IT support people with a legitimate “backdoor” into the laptop if the user’s passphrase is forgotten or if the member of staff leaves the organisation under a cloud.

How not to choose a strong password

2007-12-17T22:40:00.001Z

Microsoft have published a Password Checker which is intended to help determine your password strength as you type:

http://www.microsoft.com/protect/yourself/password/checker.mspx

Interestingly the passphrase "microsoft lm hashes are insecure" is rated as Weak, whilst "Passw0rd" (with a zero instead of an o) is rated as Strong.

Nearly everyone uses Microsoft Windows at work and at home (yes, I know you use a Mac, but you're special!). I would guess the majority of serious Windows users will be running W2K or XP. And all of these will be compatible with LAN Manager - a Microsoft operating system that most organisations stopped using decades ago! This appears to be part of Microsoft’s desire to be “backwards compatible” with older systems (although Vista is no longer LAN Manager compatible by default).

Why is this compatibility with LAN Manager important? Well, it comes down to how your password is encrypted and stored. By default, Windows passwords are encrypted using two different algorithms: the LM algorithm (to retain compatibility with LAN Manager) and the NTLM algorithm (which is cryptographically stronger). The encrypted password is called a hash - and both types of hash are stored on your computer. The first problem with the LM hash is that it is in fact composed of two 7-character hashes. So if you were to choose a 10-character password, it would effectively appear to be a 7-character password and a 3-character password, reducing the number of permutations significantly. The second problem is that the LM algorithm coverts upper and lower case characters to all upper case, thus reducing the number of permutations even further. Finally LM hashes use a smaller set of symbols than NTLM - you might see where this is going ...

You might imagine that even a 7-character password is very difficult to crack. Indeed, if we were to try guessing every possible 7-character password using an automated tool, it might take something like a month to work through all the permutations, by which time you may well have changed your password (although Elcomsoft seemed to have changed the rules on this recently). However, most people choose something far simpler - perhaps the name of their partner with a number appended or some other word commonly found in a dictionary. An attacker with the right software can try most words from the English dictionary, a large selection of proper nouns, and all of these with one or two numbers appended in just a few seconds or minutes.

The traditional response to this is to encourage users to use complex passwords containing random letters, numbers and symbols. Such passwords are impossible for the average person to remember, resulting in other serious problems such as passwords written on post-it notes or under the keyboard where even inexperienced attackers can find them.

There is a threat far more important than dictionary-based attacks, one that requires a serious response to the problem of LM hashes - rainbow tables. Putting it simply, rainbow tables are lists of pre-computed hashes for a selection of passwords, making the process of guessing a password very fast indeed. The downside of rainbow tables is size - the longer the password you are trying to guess, the larger the tables need to be. However, the rainbow tables for most combinations of upper case letters, numbers and symbols for a password up to 7-characters long are only 64 GB in size - quite easy to store on a portable hard disk or even a USB key. This means that it becomes feasible to “recover” the password from a LM hash in seconds, no matter how complex the original password.

For some time it has been possible to “switch off” the backwards compatibility in Windows, but most people don’t know that this is possible, or even that it’s important to do so. In any event, even an 8-character NTLM hash is vulnerable to a rainbow table attack, albeit a very large set of rainbow tables for the attacker to generate (or download) and use.

So what’s the solution? When Windows 2000 was launched, the maximum length of a Windows password was increased from 14 characters to 127. Of course, this remains true for Windows XP and Windows Server 2003. One interesting side effect is that a Windows password longer than 14 characters no longer has an LM hash and thus is invulnerable to any LM attacks. The other effect is surprising for many people - the password can in fact be seen as a passphrase and thus simple to remember! A passphrase such as “If I won the lottery I would buy a Ferrari” is very easy to remember and all but impossible to crack by any of today’s tools. So, providing that your PC is running Windows 2000 or XP or Vista, you are free to choose an easy-to-remember, effectively uncrackable password. Simple, eh?

If you've read this far, you may be wondering why Microsoft's Password Checker doesn't reflect this ... so am I.