For solutions to these and other problems please contact us at The-Techy.com

Just when you thought your PC/Phone was safe…

July 16, 2015

Never before has the threat of malware been more prevalent, and the breach at Italy’s Hacking Team helps make us all aware of this. I recently reviewed some of the analysis from this site ( http://labs.bromium.com/2015/07/10/government-grade-malware-a-look-at-hackingteams-rat/) regarding just how a company had created and sold malware to governments and corporations that was used to spy on all of our computer platforms and phones.

As security researchers we are able to conclude that there are organizations that create and maintain a complete suite of malware known as a RAT (remote access Trojan) that, when installed on your Windows/Mac/Linux computer and/or your Android/Apple/Windows phone, can do any of the following:

  • be installed on 32/64-bit platforms
  • collect saved passwords from all applications
  • collect conversations from messaging apps
  • capture emails and contacts from mail programs
  • record from your microphone and webcam
  • save clipboard contents and keystrokes
  • forward all websites visited

They have added some additional features that are really creepy:

  • collect nearby WiFi information and harvest locations
  • spread via SD cards and USB drives
  • spread to virtual machine systems via VMware disk images
  • evade over 26 different antivirus programs
  • BIOS persistence via UEFI infection

WOW – network security just got a whole lot harder! Seriously, if you thought you were safe trolling the Internet from behind your $30 router at home, or because you always upgrade your smartphone every couple of years, you are in need of a reality check. When users connect to any old free WiFi they find in hotels and restaurants and then connect to home/office networks, they are targets for this kind of attack.

It’s time to start protecting ourselves from drive-by downloads and casual surfing – get yourself a network condom and let’s all practice safe Internet!


Tools for a Safer PC — Krebs on Security

July 15, 2015

I was getting ready to write a blog post about hardware refreshing when I came upon this article from Brian Krebs.

For anyone looking to review or replace their hardware, please review his article below for some good tips. Get to know your own network before I do 😉

http://krebsonsecurity.com/tools-for-a-safer-pc/


The death of RC4 – here comes armageddon…

July 15, 2015

The newest Java can cause some problems with your tools now that SSL is a thing of the past. Earlier this week some of the browser developers officially retired SSLv3 in favour of TLS, and it has already started to cause issues. I recently upgraded to the newest Java this week, only to find that my Cisco ASA interface no longer works. With Java 7 I had already added the website to the exception list in the security tab, so my upgrade should have been relatively flawless, as it has been throughout the 8 series of the JRE. Unfortunately this was not the case…

I suspected that the self-signed certificate that I created to manage the router through the Advanced Security Device Manager (ASDM) might be incompatible, and as I reviewed it I saw that it used SHA-1 as the signature algorithm. That should only have caused some issues if I was strictly using the browser to log in, but since I used the ASDM this was not the case…hmmm.

The problem was simpler than that: it seems that RC4-SHA1 was the only active algorithm under Configuration > Device Management > Advanced > SSL Settings on my router. Since the new Java update 1.8.51 no longer supports RC4 (Oracle and the rest of the community consider it to be weak and compromised, since it can be brute forced now), you get an error when trying to connect to the ASDM if you are only using RC4. If I could add AES128-SHA1 to the list of algorithms used I would expect it to work, but I cannot add it using the ASDM (I got an error, which is probably why I did not add it previously).

Adding the new algorithms must be done from the command line. Once I added a new cipher I was able to log in again on my Windows 8 machine after upgrading Java. I hope this can help you resolve any issues you might have on other devices after upgrading your Java runtime environment. I would encourage you to take this time to verify all of your existing web-based HTTPS management portals. I suspect that we will all have a great deal of problems connecting to older systems. It’s a good time to check if the vendor has newer firmware that will support the changes (if the devices are still supported), and if not then it might be time to replace those old printers, telco gateways, etc. Using an older device that only supports RC4 might represent a risk to your organization if you have any shared usernames/passwords on those devices and they are breached.
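One way to do that verification, as an added example that is not from the original post or from Cisco: the script below offers a management portal one cipher suite at a time, the way a client that has dropped RC4 would, and reports whether anything other than RC4/legacy suites is accepted. The host name, port and candidate suite list are assumptions; point it at your own portal.

```python
"""Probe an HTTPS management portal for the cipher suites it will negotiate.

Added example (not from the original post): offers the server one suite at
a time so you can see whether it still works once a client refuses RC4.
Host, port and the CANDIDATES list are assumptions for illustration.
"""
import socket
import ssl

# Suites in OpenSSL naming: the RC4-only case from the post, the AES suite
# the post adds from the CLI, and a couple of common modern ones.
CANDIDATES = [
    "RC4-SHA",                      # the only suite enabled on the ASA in the post
    "RC4-MD5",
    "DES-CBC3-SHA",
    "AES128-SHA",                   # the suite the post adds from the command line
    "AES256-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
]


def classify_cipher(name):
    """'weak' for RC4, 'legacy' for 3DES, 'ok' for everything else."""
    upper = name.upper()
    if "RC4" in upper:
        return "weak"
    if "3DES" in upper or "DES-CBC3" in upper:
        return "legacy"
    return "ok"


def try_cipher(host, port, cipher, timeout=5.0):
    """True if the server accepts `cipher`, False if the handshake fails,
    None if this client's OpenSSL build cannot even offer that suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # management portals use self-signed certs
    ctx.verify_mode = ssl.CERT_NONE     # we are testing negotiation, not trust
    try:
        # Old devices often speak only TLS 1.0; set_ciphers() does not cover 1.3.
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    except (ssl.SSLError, ValueError):
        pass
    try:
        # @SECLEVEL=0 lets a modern OpenSSL offer suites it hides by default.
        ctx.set_ciphers(cipher + ":@SECLEVEL=0")
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True             # only one suite was offered, so it was used
    except (ssl.SSLError, OSError):
        return False


def summarize(results):
    """Verdict from {cipher: True/False/None} for one portal."""
    accepted = [c for c, ok in results.items() if ok]
    strong = [c for c in accepted if classify_cipher(c) == "ok"]
    if not accepted:
        return "no offered suite was accepted (or none was available locally)"
    if not strong:
        return "RC4/legacy only: clients that drop RC4 will fail, add AES suites"
    return "accepts modern suites: " + ", ".join(strong)


def probe(host, port=443):
    results = {c: try_cipher(host, port, c) for c in CANDIDATES}
    return results, summarize(results)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "asa.example.invalid"  # assumed host
    res, verdict = probe(target)
    for name, ok in res.items():
        state = "accepted" if ok else ("refused" if ok is False else "n/a locally")
        print(f"{name:32} {state}")
    print(verdict)
```

A suite reported as "n/a locally" means your own Java/OpenSSL client cannot offer it any more, which is exactly the failure the post describes.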


Hack-in-the-Box alpha testing has begun

July 8, 2015

Recently we completed construction of the first of our devices, which are being designed to help analyse network devices for vulnerabilities. Picture a small computer about the size of a smartphone that will sit quietly on your network and learn about all of the computer devices that are connected.

During its initial phase this device will analyse all of your traffic and identify what some of us don’t even know we have on our wired and wireless networks.

Phase two involves logging into a website to review the devices we have found and identified for you. Once they are categorized by OS type, function and IP address, you can prioritize how to launch any passive scanning. We will monitor activity patterns and check for connections to known malicious sites or dangerous behaviour such as scanning.

Phase three involves active scanning, which can include vulnerability assessment, break-and-fix testing and hardware/software analysis. We will assess your security posture as we verify passwords, configuration settings and information leakage. There are also a number of vulnerabilities associated with device firmware on items such as your routers. If you have a very strong control regimen for all your network devices (this includes routers, printers, wireless devices, smartphones, cameras, IP phones, VoIP providers, etc.), then we probably won’t find anything…today. Let’s run the test next week, or next month when you add a new cell phone or buy a new computer or laptop.

If you are like most of us, keeping up with security is a full-time job, and most of us already have full-time jobs. This is why it is about time that we had a computer that can do it for us.

Something to keep tabs on all of our ‘Internet of Things’ and keep us safe from the hackers on the Internet, or next door to us in the coffee shop or on the free hotel/restaurant WiFi. It’s about time we could be sure of just who gets to see our information by probing our electronics…are you?


In a flash – you could be vulnerable

June 24, 2015

0day – this stands for Zero Day in the parlance of the pentester and the blackhat alike. For the rest of us this simply means that someone could break into your computer using a vulnerability that the vendor doesn’t even know about yet.

Well, that has changed since yesterday, and Adobe’s Flash Player now has a patch against what is now called CVE-2015-3113. It affects all systems (Windows, Linux and Mac OS), and it even affects those old Windows XP machines if you were smart enough to be running Firefox on them too.

Check if you are vulnerable here (https://www.adobe.com/software/flash/about/) and verify that you are running version 18.0.0.194. For Windows 8.1 x64 users like me, that means applying KB3074219 from Microsoft if you are running IE (you will need to restart too).

Run, don’t walk, to your patching system – read more about it here (https://helpx.adobe.com/security/products/flash-player/apsb15-14.html).


Securing the Small Office – Logging and Patch Management on a budget

June 23, 2015

In this post I wanted to help bring some understanding to the many small business owners regarding the need to get control of your Internet connections. With all of the new devices that will surely be enabled in your environment (with and without your knowledge), the need to inventory their usage is now more important than ever.

For those of you who feel that all of this stuff can cost too much money, I am happy to show you how you can do it with some free (as in beer) software. When properly set up, you can have a great patch management system along with a central logging and reporting server that can help you get a handle on usage in your organization.

Logging

Let’s start with Splunk: this is a real-time operational search database capable of handling secured connections from some or all of your devices, both wired and wireless. Almost anything that connects to a network and has remote logging capabilities can be configured to send logs to your new Splunk server. The server software can be installed on Windows, Linux, Mac OS, AIX, Solaris and FreeBSD. You can reuse any existing computer you currently have along with an existing license, or install free Linux/BSD software to repurpose some existing hardware.

Your Splunk server will consist of a few remote connections for your devices to send data to (TCP port 9997 is the default) and a web server that is currently run in Python. The whole system runs with a very small footprint, and the free version, Splunk Light, only allows you to index up to 500MB of data per index per day, so there is no need for a very powerful system. You will be querying this system for reporting and live data feeds, so please no 386 computers 🙂

I hope you don’t need to be told about the benefits of error log analysis, or the necessity of doing so if you want to be compliant, but let’s just point out that by configuring all your electronics to use some type of syslog facility you can better manage these devices by querying one device proactively instead of trying to be reactive.

Patch Management

Now we all have some type of Windows Update program on our machines, and trying to connect to each of them to monitor patch success is a nightmare. For most of the sysadmins out there who thought WSUS was the best thing since sliced bread until they began to run out of disk space, these options just don’t stack up. They can be time and resource intensive, and what about third-party patches? This is where Desktop Central can come in handy. ManageEngine creates a very nice suite of paid programs, and they offer this one for free if you have fewer than 25 machines to manage. I have a handful of clients that are using this deployment; I can do Windows patch management and all third-party patches, and I can execute scripts using PowerShell or the Windows shell remotely. We run Windows disk maintenance like chkdsk and Disk Cleanup, and remove temp files from user and system temp directories. All of this from a single Windows server running a PostgreSQL database and some software called Desktop Central.

Now most small businesses with a few extra hardware resources won’t have to have full-time IT budgets to get enterprise IT management. When coupled with a mid-range firewall solution, you can mitigate most malware risks and monitor your network all from two web consoles. Knowing is half the battle…

More info about either of these products is available below, or feel free to reach out to us here:

http://www.splunk.com/en_us/download.html

https://www.manageengine.com/products/desktop-central/windows-patch-management.html


Why VMware Essentials is ‘essential’ for your business

June 23, 2015

VMware has been one of the most popular virtualization platforms for the enterprise, but I wanted to show why most small and medium-sized businesses should invest in VMware Essentials.

When VMware removed the memory cap on ESXi 5.5 they were probably gambling on clients choosing a VMware Essentials license because it includes the VMware vCenter license. You get a 6-CPU license which can be used on up to three separate hosts, but you can also run a vCenter server (something you don’t get with the free version). This administrative component is really much more valuable to any shop with two or more VM hosts than running the free version standalone. When you run a separate vCenter Windows server you can also run some of the additional features that are available to be installed on the Windows version of vCenter.

Patches

With as little as 8 GB of RAM (although this is less than half of the recommended level) we were able to run the vCenter Server core components along with VMware Update Manager on our test box (a Dell workstation with mirrored hard drives). We set up this server (running a fully patched version of Windows Server 2008 R2) with the bare minimum to see if we could dedicate a system to the task of running it as a vCenter server. If you are interested in keeping your systems patched (and in today’s security-focused world, with VM breakouts like VENOM, you should be) then you know it’s a chore. Running VMware’s Update Manager helps manage host patches, VMware Tools and hardware updates automatically so you don’t have to. You can even use it to upgrade major versions when you have older machines.

(Our test box is used expressly as the management interface using the vSphere Client. This is necessary in order to configure VMware Update Manager, although we could use the Web Client – it does appear to be sluggish with this under-utilized deployment.)

One caveat that upgrading your VMware Tools introduces is that you will need to use a vCenter management appliance or Windows server in order to make changes to your virtual machines. Once you upgrade your VMs to VMware Tools version 10 or higher, you can no longer make changes to those VMs with the vSphere Client. You will, however, still need to connect to the vCenter console using the vSphere Client in order to use the Update Manager plugin. Changes to existing VMs must be performed using the new Web Client once the VMs are using the newer VMware Tools.

As an alternative to using a standalone server for your Windows vCenter instance, or using some resources on an existing VM host, you can easily run vCenter as a Linux appliance if you do not want to configure Windows and use a license. Either way, the metrics available, coupled with a robust management interface, make VMware a clear winner again.


Interesting facts regarding passwords and what you should know about them

June 8, 2015

I was recently auditing some client systems and decided to try to brute force some passwords on Windows-based systems to determine if people are choosing more complex passphrases. I set about using a GPU-based system with two graphics cards and used a well-known program called Hashcat to try to brute force the hashes.

Now I have mentioned in the past that using a wordlist to ‘guess’ user passwords or WPA passcodes can be done by anyone with enough horsepower and a good list of passphrases. When using GPU-based cracking these wordlists go very quickly, but unfortunately if you haven’t got the passphrase in your list it will fail.

Another alternative is to use all possible characters to try to brute force them. Although this process is sure to work, any combination of letters (upper and lower case), numbers and all of the special characters pushes the number of permutations so high that it can take days, weeks or even months to brute force.

I decided that a subset of the brute force rule would yield some interesting results. What was the likelihood that people were picking passphrases with only letters and numbers? I speculated that a cross section of my clients might represent an average sample to test with, and assumed that these results would represent an average of the population – my findings were a little staggering.

I found that with my dual-GPU system I could crack NTLM hashes at a benchmark of approx. 18,000 MH/s. This represents an extremely quick pattern-matching ability, which I used to create NTLM hashes that I could use for comparison.

From the Openwall site (current maintainer of the free John the Ripper software-based cracking program):

Secure message length

Modern computers perform at approx. 10 million NTLM hashes/sec. Some calculations:

There are 95 printable characters (these are almost all used in passwords).
With length = 7: 95^7 / 10^7 = 81 days

Lower case letters and numbers are 36.
With length = 8: 36^8 / 10^7 = 3.3 days

Lower case letters are 26.
With length = 9: 26^9 / 10^7 = 6.3 days

These simple calculations mean that a secure NTLM password needs to be at least 10 characters long.

Since my little cracking system operates at almost twice that speed, I set out to see if using the NVIDIA version of hashcat (cudaHashcat) could help determine how many users actually used fewer than 10 characters for a password (before my 75th birthday) AND if any of them used just numbers and letters (and not any special characters like !@#$%^&*()_-=+'”\|[]{}).

My system was able to find 9 passwords that were 7 characters in length in about 7 seconds.

Another 6 were found that were 8 characters in just over 5 minutes.

This represented approx. 15% so far, and at 1 out of 8 passwords cracked already I was very surprised. We decided to let this experiment continue to 9 characters.

After approx. 3 1/2 hours we had found another 7 user accounts that were using just upper and lower case letters along with numbers as their password. We wanted to see just how many users were actually using the recommended 10 characters as a minimum password length for a Windows passphrase, so our test would require several days. After a couple more hours we had already cracked over 25% of the passwords used by a cross section of users. At our current speed we can have results for any combination of upper/lower case letters and numbers in about 6 days.
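The Openwall arithmetic quoted above and the experiment that follows it, worked through as an added example (not code from the original post, hashcat or John the Ripper). The two rates come from the post: 10 million hashes/sec for Openwall’s "modern computer" and 18,000 MH/s for the author’s dual-GPU box; the class sizes 26/36/62/95 are the standard printable-ASCII counts, and the sample passwords are constructed for illustration.

```python
"""Exhaustive-search time for NTLM passwords by character class and length.

Added example, not from the original post. Rates are the two quoted there
(10 MH/s Openwall, 18,000 MH/s dual GPU); the sample passwords below are
constructed and illustrative only.
"""
import string

OPENWALL_RATE = 10_000_000            # NTLM hashes per second, Openwall's figure
DUAL_GPU_RATE = 18_000 * 1_000_000    # 18,000 MH/s, the post's benchmark
SECONDS_PER_DAY = 86_400

# (characters, class size): 26 + 26 + 10 + 33 = 95 printable ASCII symbols.
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
]


def charset_size(password):
    """Size of the smallest character-class alphabet that covers `password`:
    the sum of the sizes of the classes it actually draws from."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in password))


def keyspace(alphabet, length):
    """Number of candidates of exactly `length` symbols over `alphabet`."""
    return alphabet ** length


def exhaust_days(alphabet, length, rate):
    """Days to hash every candidate at `rate` hashes/sec (no early stop)."""
    return keyspace(alphabet, length) / rate / SECONDS_PER_DAY


def openwall_table():
    """The three lines quoted in the post, recomputed at 10 MH/s."""
    return {
        "printable-7": exhaust_days(95, 7, OPENWALL_RATE),
        "lower+digit-8": exhaust_days(36, 8, OPENWALL_RATE),
        "lower-9": exhaust_days(26, 9, OPENWALL_RATE),
    }


def audit(password, rate=DUAL_GPU_RATE):
    """(alphabet size, days) for the mask that exactly covers this password.
    This is the attacker's worst case; a real run stops at the first hit."""
    alpha = charset_size(password)
    return alpha, exhaust_days(alpha, len(password), rate)


if __name__ == "__main__":
    for name, days in openwall_table().items():
        print(f"{name:15} {days:8.1f} days at 10 MH/s")
    # Constructed samples: letters+digits at the lengths the post cracked,
    # then a 10-character one with a special character added.
    for pw in ["summer7", "Passw0rd", "Abcdefgh1", "Abcdefgh12", "Abcdefg!12"]:
        alpha, days = audit(pw)
        print(f"{pw:12} alphabet={alpha:3} exhaustive search {days:12.2f} days at 18,000 MH/s")
```

At the post’s 18,000 MH/s an 8-character letters-and-digits password falls to exhaustive search in a few hours and a 9-character one in about a week, while going to 10 characters pushes it past a year; adding a special character multiplies that again.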

The surprising thing to this author is that some users who are not required to use complex password schemes just won’t. If you are wondering why this can represent such an outstanding risk to your organization, I invite you to read more about the methods that are used to gain access to your accounts or your networks in the following articles. They represent a very real risk that can happen to you once even one account is compromised.

Imagine one of your colleagues sends you a link or an attachment in an email and you recognize them immediately. Maybe they even reply to an existing email with an attachment or some code embedded into the reply email. You don’t even have to open it; by previewing it at the office in your own environment you can become infected very easily.

Bad passwords can affect everyone – please choose wisely. You can check out choices for your new password at this site (https://www.grc.com/haystack.htm).

http://www.wired.com/2012/08/mat-honan-data-recovery/

http://arstechnica.com/tech-policy/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price/3/


Security Controls – Know ’em, Use ’em

June 8, 2015

I wanted to create a post to share with our readers the SANS Top 20 Critical Security Controls. These are a set of ‘good practices’ that are aligned with the National Institute of Standards and Technology (NIST) and should be adopted by any business in order to manage their computers and networks more effectively. I feel they are outlined in order of importance, and I would like to begin with the most important (Number 1). A full list of the top 20 controls is available at http://www.sans.org/critical-security-controls/ and I will try to detail several of them over the next few blog posts.

  • Inventory of Authorized and Unauthorized Devices

The need to have a complete and up-to-date inventory of what is on your network is crucial to knowing how to stop the bad guys from getting in. You can’t fix it if you don’t know it’s broken, and the same holds true with networking. Just because you cannot see it doesn’t mean it can’t connect to your computers, servers or wireless network. Anything that can connect to your wired network must be inventoried, and if you use a wireless network you should REALLY inventory every system that is connected to it.

Use an automated asset discovery system to audit all of your devices, or do it manually, but you must do it. Audit your dynamic IP configuration tools and consider network-level authentication in the case of wireless. You can also consider using a Public Key Infrastructure (PKI) to manage the authentication of devices, if they support it, in order to effectively manage access.

  • Inventory of Authorized and Unauthorized Software

Equally as important as knowing about all the devices connected to your network is knowing about all the software running on those devices. Attackers are scanning any device that is connected to your Internet connection, starting with your router and any services that you expose to the public-facing Internet: port-forwarded remote administration tools, web servers, even ports that you are not aware of. So know all of the connection methods that your equipment uses, and if you have wireless networks you need to inventory all software. A wireless network that is not separated from your wired (primary) network exposes ALL of your devices and the software running on those devices.

Use software that controls which applications are allowed to run (whitelisting). Use host-based firewalls and remove unnecessary software and services that you do not know or need. Only deploy software tools from a known source, and verify file integrity using hashes wherever possible.

  • Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

In their default configurations, most equipment manufacturers do not focus on safe and secure deployments. Why would they – they want the device to work in ANY situation. They leave the implementation of security to you, the purchaser. If you do not learn to modify configurations for your environment you are exposing yourself to attack, not only from outside agents but from within as well (this is especially true with wireless). Scripts that can be run (intentionally or otherwise) when a user visits a webpage will often include default credentials in order to catch the low-hanging fruit. Adding your own configuration parameters can help mitigate those risks.

Utilize a standard build for new computer systems and store the images offline if possible. Establish a secure mechanism to deploy any new system over the network, and ensure that new configurations adhere to policies that you create and maintain. Implement a file integrity check on all key configuration files, and maintain a change management system to log any and all modifications.

  • Continuous Vulnerability Assessment and Remediation

As new features and devices are added, and as software and firmware change, the need to monitor and manage vulnerabilities can grow exponentially. Failing to scan for and fix critical vulnerabilities can introduce risk to your organization during the time it takes to find and patch your software and firmware flaws. Implement or contract for vulnerability assessment on a regular basis to ensure that nothing is missed. All it takes is one avenue for an attacker to penetrate your systems – you have to make sure that all of them are closed. Implement central logging in order to monitor system-wide activity and reduce the chance that an attacker can remove his tracks.

Set up a patch testing lab if uptime is important – it will allow you to rate your risk level whenever a delay in deploying patches is necessary. Implement an automated patching mechanism and monitor its activity to review any errors.

  • Malware Defenses

Malware is any software, script or piece of code that is intended to damage, disable or circumvent normal use of a computer. It can be harmful, benign or helpful, although the latter is rarely the case. Your need to prevent it from happening is now more important than ever before. The ability of antivirus/antimalware software to prevent this from ever happening to you is gone. Attackers can and do use obfuscation techniques to thwart your scanning software, so don’t rely on it. That said, make sure that you use one and keep it up to date. It can be useful to catch 50-80% of the infection attempts.

Control/limit the use of external devices, and consider implementing network-based intrusion detection systems on or in conjunction with your firewall. Log all domain name queries to help identify known command-and-control contact with malicious domains. Create and implement an incident response process that can be helpful in addressing any out-of-band malware that is not currently being detected by scanning signatures.

These five of the top 20 controls will have the most effect in preventing a breach and helping you mitigate risk on your network. I suggest that my clients subscribe to our management service in order to help monitor and manage their Windows/Apple/Android devices, and when we are contracted to manage the entire LAN we will monitor and manage the remaining devices. This allows us to have logs from all of the computer devices and can help us find the primary errors in any organization.

For a more detailed event monitoring approach we suggest that they utilize a device that can be used to hold all event logs from any network system (a syslog server). It also allows us to use file integrity monitoring on devices that have a key role in the organization. There are agents for most hardware that can be installed to manage the files, bandwidth, etc.

OSSIM Version

It uses a vulnerability scanner to help identify any potential attack vector so we can remedy it. It also has trouble-ticket software built in that can create tickets automatically whenever a set of configured criteria are met, which include traffic analysis, breach information, new devices found, etc.

For those of you who have read this far and find yourselves without adequate protection in any or all of these areas, I would encourage you to consider looking at the AlienVault line of products.

I feel security is like insurance – it’s better to have and not need than need and not have.


Anatomy of a basic attack…

May 31, 2015

I was hoping to find a way for the average reader to understand the process that ensues when a target is identified and eventually pwned. ‘Pwned’ is a term whose etymology is attributed to a typo, because the keys ‘o’ and ‘p’ are so close to each other on a QWERTY-style keyboard. Its history dates back to the early 21st century, when first-person shooters were popular video games. It is meant to indicate the ability to conquer and gain ownership.

Today ownership isn’t just in the video game arena – it is being waged in the computer world to control information, bandwidth and overall control of a computer and its network. If you lose control of your electronic devices you may or may not ever know it. Individuals, competitors or even nation states have been doing this for many years, and everyone is a potential victim.

If you buy electronics and want to be hooked up to the Internet, you may want to read about the methods that can be used to gain access to your computers. Whether it is for fun, to prove a point or as a launching point to another site, anyone can suffer from an orchestrated attack.

I recently reviewed a website that managed to sum up the essence of an attack. You can read more about the process from his link (here), but please pay heed – this could happen to you if you don’t take steps to prevent it from happening. Contact us for a consultation and to learn more.
