Identifying compromised credit cards

I just received news of a new Team Cymru no-cost service for worldwide Financial Institutions.

Their BIN ('Bank Identification Number') feed comprises a near real time list of accounts and credit cards that have been identified as being compromised. This data comes from Team Cymru's unique insight into the Underground Economy.

Representatives of Financial Institutions can email outreach@cymru.com with details of their BIN/IIN numbers. Team Cymru will provide access to a secure web portal where Financial

Institutions can obtain a regularly updated list of their own compromised accounts. Details of the compromised accounts of other Financial Institutions will not be available.

See http://www.team-cymru.org/Services/BINFeed/

for further details of this new service.

Team Cymru provide no cost data sets and services to the community. Take a look at their site for details of the extensive work they do for the security community as well as further advice, data and tips to help you make your networks more secure: http://www.team-cymru.org/Services

Telecommuting

I've been working from home a lot more since my replacement hip operation a year ago. It started as a necessity, but I found it very productive and stuck with it. Now I've got to the point where I miss my colleagues and the general office banter, so am adjusting my routine to include more days in the office (it's only 15 minutes away, so not much of an effort). Thinking about this, I remembered a wonderful sequence of Dilbert cartoons.

However, as more and more organisations give employees the flexibility to work at home, I can't help wondering about the impact on security ... unencrypted (or WEP-encrypted) home wireless networks ... kids playing with company laptops ... unencrypted hard drives ... no clear desk policies ... poor physical security ... and an increasing trend for staff to use their home computers to connect to company VPNs. Scary stuff.

Perhaps we ought to consider expanding ethical hacking and audit to include home networks and PCs?

Team Cymru

An old chum e-mailed me about a very interesting service that Team Cymru has just launched. Here's what he had to say:

This email is to announce a new look-up service that Team Cymru is launching today. The Malware Hash Registry (MHR) service allows you to query our database of many millions of unique malware samples for a computed MD5 or SHA-1 hash of a file. If it is malware and we know about it, we return the last time we've seen it along with an approximate anti-virus detection percentage.

There is no cost for non-commercial use of this tool. Access is publicly available to anyone.

Upon submission of a malware hash, the output of the command will return a date the sample was first seen as well as the detection rate we've seen using up to 30 AV packages. The detection rate is based on the first time we scanned the sample.

Queries, including reasonable bulk queries, may be made using the command line only.

The MHR compliments an anti-virus (AV) strategy by helping to identify unknown or suspicious files that we have already identified as malicious. This enables you to take action earlier than you would otherwise be able to.

Full details including command syntax and procedures can be found at: https://www.team-cymru.org/Services/MHR/

This is one of several new (free) data sets and services we are currently providing to the community; if you haven't visited our (recently revamped) site recently please do so for details of the extensive work we do for the security community as well as further advice, data and tips to help you make your networks more secure:

https://www.team-cymru.org/Services

We very much look forward to working with you all on this new project and we sincerely hope that as many of you as possible will be able to actively participate in the use of this unique and very exciting new service.

Warm regards,

Team Cymru.

Cloud computing

Data Security Podcast recently asked me to comment on the security issues in cloud computing - the result is here if you're interested. Nothing revolutionary of course, just best practice and my usual hatred of passwords :-)

Geek humour

Last week I spent a very enjoyable three days passing along some penetration testing skills to a room full of nice people. Amongst them was a gentleman named Dan from Texas. Dan was good company and a knowledgeable penetration tester - he also recommended xkcd to me and I strongly suggest it to you - it's inspired.

Le SPAM?

I've recently spent a good deal of time getting my head around French IT terms (including impenetrable phrases such as matrise d'ouvrage) in order to translate some IT security awareness material into English. A few days after I finished the first piece of work, imagine my surprise when I started receiving French SPAM. And, no, it's no more interesting than the English/US version IMHO!

A little head scratching and I realised that my pride had caused me to announce that I was translating French awareness material into English in my "what are you doing at the moment" thingy in Facebook. As far as I can see this is the only place on the web where my translation skills were on display. So - are the spammers monitoring all our Facebook accounts to refine their targets, or am I being paranoid again?

~{:-D

Is your network public?

If I were to wander into your offices, plug in my laptop and within minutes take control of your network infrastructure, would you be surprised?

There’s a "backdoor" into many large networks which few organisations seem to recognise or understand – Simple Network Management Protocol (SNMP). SNMP is the Internet standard protocol developed to manage nodes (servers, workstations, routers, switches and hubs etc.) on an IP network. It enables network administrators to manage network performance, find and solve network problems, and plan for network growth (ref http://www.snmplink.org/). It’s also one of the easiest ways for someone to control your network, steal information and eavesdrop on traffic!

By default, SNMP is enabled on routers, switches and even servers. If you’re using network management software like HP OpenView or IBM Tivoli then you’re using SNMP. Even if you’re not using any network management tools, you’ll still have SNMP somewhere on your network. There are two passwords (called “community strings”) that you need to know in order to take advantage of SNMP - the read string, which has a default value of “public” and the read/write string, which is set to “private”. Most people never change these defaults. Armed with this knowledge you can view, alter or remotely control any SNMP-enabled device.

When I plug into your network a DHCP server will issue me an IP address. At the same time I am also given a “default gateway” address – the address of the router that my laptop needs to know about in order to view the rest of your network. Just type “ipconfig –all” at a command prompt to see what I mean. If I feed the default gateway address into a network discovery tool like SolarWinds Network Sonar (http://www.solarwinds.net/) and if your router is set up with defaults, I will soon have details of every device on your network. I can also download the router config from each of your routers and read the administrative passwords, giving me the keys to your network infrastructure.

If you have Windows servers running SNMP (and chances are you do) then I can list the name of every user and group on that server. This gives me an excellent starting point for password guessing and dictionary attacks. I can also map out your Windows domain, discover your server names and even see what hardware you’re using.

Of course it’s not just the casual visitor who may take advantage of this vulnerability, but a disgruntled member of staff, an industrial spy disguised as a contractor or just a nosy IT graduate. Most organisations remain highly vulnerable to insider attacks, yet feel secure because they’ve spent a lot of money on firewalls. It’s time to wake up and recognise that organised crime and casual thieves will both take the easiest, least risky route and that’s from inside the organisation.

So what can you do? First and foremost, if you’re not using SNMP, turn it off! If you are using it, a good start must be to change those default community strings. But before you rush off to start this project, a few words of caution. Firstly, discover which software in your organisation is using SNMP and whether it can use non-default community strings (there are still some horrible applications with hard-coded strings and passwords in many organisations). Secondly, once you’re satisfied that nothing will break if you change those strings, select something complex that will resist a dictionary attack. A long string of mixed case, numbers and punctuation is best. Thirdly, as you’ll need to write those complex strings down, make sure you secure that information properly!

Now, before you go to set up that meeting with your network admins, there are a number of other backdoors that may reveal your SNMP strings to an attacker even after you’ve changed them all. So build a strategy to seek out those backdoors and secure them, and then develop an incident response procedure to use when your shiny new community strings are compromised.

One sneaky method of exposing SNMP community strings is via server management consoles like HP/Compaq Insight Manager (CIM), which may have been poorly configured. A web browser interface to CIM can often be found on TCP port 2301 (and 2381 for HTTPS). Older versions have a default Administrator password of “administrator”, permitting an unauthorised user to gain control of the server remotely, read and alter the SNMP strings and even power down the server.

A short network discovery exercise can provide you with valuable information on your network weaknesses and a remediation plan for your networks team. Understanding how these and other default infrastructure configurations can provide unrestricted access to your network is a major weapon in the battle against hackers and insiders.

Exposing yourself for the summer

As you'd expect, like all Brits, I'm trying to convince myself that we're actually having a summer. This put me in mind of social events, and specifically social networking. Everyone and their dog (literally) is now on Facebook it seems.

Lately there's been a lot of news about Facebook using personal details for profit and now Canada's federal privacy commissioner has launched an investigation into Facebook. Apparently four students complained that the popular Web site violates Canadian law by disclosing personal information to advertisers without proper consent.

This in turn reminded me of a wonderful YouTube video - definitely worth watching and passing on to your less security-aware friends and family!

After the goldrush

Well here we are, a couple of weeks after Infosecurity Europe, and sure enough I was right. More silver bullets from all the vendors. If you want the video version of my thoughts look here: http://tinyurl.com/5rcfgt and if you're interested in my opinions on the real future of hacking, then look at this: http://tinyurl.com/63r4lb Despite my compaints about vendors, Infosec was a terrific place to meet friends old and new, as usual.

Meanwhile my thoughts are turning to the rash of drive-by web sites, innocently offering to infect your inadequately protected PC with all kinds of malware courtesy of JavaScript. The recent plague of infected sites has led me to once again extol the virtues of Firefox coupled with the NoScript plug in. Used intelligently, this really does provide trouble-free web browsing and is an essential addition to conventional anti-virus and personal firewall protection. If you haven't tried NoScript, I thoroughly recommend that you do - be patient while you teach it the trusted sites and you'll fall in love with it.

More silver bullets?

With Infosec Europe approaching fast (22-24 April) my thoughts turned to the inevitable release of even more products, products, products. Everyone in IT loves gadgets, but is this really the future of information security? As penetration testers we spend a large proportion of our time trying to break into networks, with continued success unfortunately. However, when we analyse the reasons that networks remain vulnerable, we find that it's not about Zero Day exploits but rather mistakes that could have been avoided.

The same techniques I used to break into a Windows network in 1996 still work today, for example. Why? Because, despite manufacturers such as Microsoft and Oracle spending huge efforts to improve the security of their products, organisations still use stupid passwords, fail to understand security best practice and don't think outside of the box.

Just this week we again found Windows domain administrator accounts with pathetically weak passwords and business-critical infrastructure with default SNMP read/write strings. It took just just minutes to gain complete control of a global company's network with no prior knowledge at all. Every time we are asked to conduct a social engineering exercise - walking in the back door with the smokers, strolling past reception carrying a sandwich at lunchtime, or phoning the help desk and getting remote access - we find the same thing. No security awareness amongst staff at all.

So imagine my delight when five major clients all approached me to assist with staff awareness training this year. It seems that large organisations are finally getting to grips with the "human firewall" concept and realising that they need to invest in people, not just technology. Let's hope this trend continues!

The future of (ethical) hacking?

This post is not about where the hacking community is going (whatever that means), but more what I'd like organisations to think about.

I'm particularly proud of one aspect of our service: that we are pragmatic. By this I mean our ability to focus on genuine threats without being lost in the testosterone-driven "I've found the most obscure vulnerability ever" mindset. Wearing a white hat is much more than digging deeper than the next penetration tester - it's also about helping clients to understand where they should put their effort and their budget to get the most appropriate defence.

For me the most obvious illusion is that the important attacks will come from outside the organisation and that they will come via the interweb. If an organised criminal is going to target your organisation, then they're going to take the route that combines the best return on their investment with the highest probability of success (and to some degree the lowest risk). This is a typical business model - just an immoral one in their case.

So where do I believe organisations should focus? On what I'm calling blended attacks - attacks that combine technical skills with social engineering. These are the types of attack which we find work time after time, in the fastest way, with the highest return and with little risk of detection. There's nothing new in this sort of approach (just read Kevin Mitnick), yet the majority of organisations do little or nothing to test for these vulnerabilities.

Here's an example from my own team's experience. Recently, a UK-based insurance company asked us to test their physical security, with the objective of stealing as much information as possible. Andy and I rented a car close to their offices, then I parked in their car park and waited, having dropped Andy off at the side of the building. He was wearing a suit without a jacket, so he looked as if he had just come out from the office. At the rear of the building was a door with a proximity card access control. This door was used by the smokers who (as usual these days) had to visit a little shelter at the rear of the building to get their fix. When one employee finished her cigarette and walked back towards the door, Andy ran after her and, complaining about the weather, asked her to hold the door for him - which of course she did. He was then able to open the door from the inside and let me in. We then played our assigned roles - Andy was the employee and I was the consultant, there to conduct a security audit (of course!). We found the usual suite of meeting rooms and selected one which was empty. Within a couple of minutes I had hooked up my laptop to a network port in the floor, obtained a DHCP address and started my network discovery software. After an hour or so, some genuine employees arrived to use the meeting room - we of course apologised for the double booking and found ourselves another empty room. In total we were on site for five hours and able to grab just about anything we wanted from the network. We were never challenged or asked to show a badge, and at the end of the day we left by the same route we came in. Game over.

There really is no substitute for the "human firewall" and there's definitely no patch for ignorance (it is ignorance, not stupidity in many cases, you know). Using the results of this type of exercise demonstrates to everyone how easy this devastating style of attack can be, and allows the organisation to start the difficult process of security awareness education. And they not only have to educate the office staff, they have to educate the IT folks and the senior managers and board members too.

Unprotected laptops

With so many staff working at home one or two days a week and everyone wanting connectivity from anywhere in the world, laptops have become very important tools. Pretty much every organisation now has a VPN to give staff remote access across the Internet, yet a tiny minority understand how much at risk they are from laptops. If an attacker were able to gain control of a lost or stolen laptop, they would have access to all the information stored on it plus the opportunity to connect to the corporate network via the VPN.

From time to time we are asked to test the security of a laptop build - perhaps the organisation is intending to migrate to a new version of Windows or has simply designed a new “build” - in any event we are asked to test the security of their standard laptop configuration.

Our first check is to see whether a BIOS password has been set. This poses a small hurdle to the would-be attacker, one that is usually overcome fairly simply by a bit of jiggery-pokery on the motherboard or by removing the hard disk and putting it in a another system. A hard-disk password is a different problem, which often requires specialist assistance, and is therefore considerably more effective. Unless that is, the hard disk password is the same as the BIOS password in which case the problem is solved. However we have yet to find a corporate laptop utilising either form of power-on password, probably because of the anticipated support costs of all those forgotten passwords!

Assuming that there are no BIOS passwords, all we need is a Windows username and password. Since we have physical access to the machine, that is very easy to achieve. Software such as Petter Nordahl-Hagen’s Offline NT Password and Registry Editor is free and available for download on the web. This software creates a bootable CD or floppy disk which can be used to reset the administrator’s password without ever starting Windows.

Once done, you reboot the laptop and login as Administrator with full access to everything, including any dial-up or VPN connections of course. However, if your laptop’s owner has used Microsoft’s encrypting file system (EFS) on XP, then you will not be able to recover those files, which could be very irritating!

An alternative approach is to use a program like NTFS Reader for DOS, which will allow you to make a copy of the Windows SAM file containing the usernames and passwords, again without running Windows. Once you have a copy of the SAM file, you can run a password cracking program to discover all the passwords on the laptop, and then logon with the Administrator’s legitimate credentials.

This is slightly more time consuming but leaves no evidence of tampering and preserves the EFS files intact. In case you are wondering, a sure-fire way to crack the passwords is to use rainbow tables with a tool such as Cain and Abel. The rainbow tables are pre-computed password hashes for almost every combination of letter, number and punctuation character for passwords up to 14 characters in length, making the job of finding the passwords just a matter of time. Although they are very large (many gigabytes in size) Windows rainbow tables are available for free download from the Internet or can be purchased online for delivery on a set of CDs or DVDs.

There is one simple solution to Unprotected Laptops: full disk encryption. This provides the laptop user with the facility to protect everything with one easily remembered passphrase (much simpler to manage and remember than a complex password) whilst providing the IT support people with a legitimate “backdoor” into the laptop if the user’s passphrase is forgotten or if the member of staff leaves the organisation under a cloud.