CyberSec Tips: E-Commerce – tip details 1 – search engines

Our local paper, like just about everyone else, recently published a set of tips for online shopping.  (They got them from Trend Micro Canada.)  The tips are mostly OK, as far as they go, but I figured they could use a little expansion.

“Don’t rely on search engines to find a shopping site.

“Search results can lead to malicious websites that will take your credit card and other confidential data or infect your computer with a virus. Instead, bookmark reliable online shopping sites.”

As a general rule, it’s best to be careful whenever you go to a site that is new or unknown to you.  However, I’d have to take this tip with a grain of salt.  I did a (Google) search on London Drugs, a chain in Western Canada (widely known in the tech community for their computer departments) (about which I have written before), and the first five pages gave results that were all from, or legitimately about, that company.  Quick checks on other retailers got similar results.

It makes sense to bookmark a “known good” link if you shop someplace regularly.  But if you are going to a new site, you can get into just as much trouble by guessing at a domain name, or even just fumbling while typing the URL.  Fraudsters will register a number of domain names that are very similar to those of legitimate companies, just a character or so off, knowing that slipping fingers will drive people to their sites.  Some of those malicious sites look very much like the real thing.  (Others, promoting all kinds of questionable services and deals, are obviously false.)

Always be careful, and suspicious.  If anything seems off, get out of there, and maybe do a bit of research before you try again.  But don’t just avoid search engines as a matter of course.


CyberSec Tips: Email – Spam – Fraud – example 3

This one is slightly interesting, in that it contains elements of both 419 and phishing.  It’s primarily an advance fee fraud message.  First off, the headers:

> Subject: Dear Winner!!!
> From: CHELPT <inf8@hotline.onmicrosoft.com>
> Date: Thu, 28 Nov 2013 17:45:06 +0530
> Reply-To: <morrluke@careceo.com>
> Message-ID: <XXX.eurprd01.prod.exchangelabs.com>

Again, we see different domains, in particular, a different address to reply to, as opposed to where it is supposed to be from.

> Corporate Headquarters
> Technical Office Chevrolet promotion unit
> 43/45 The Promenade…
> Head Office Chevrolet motors
> 43/45 The Promenade Cheltenham
> Ref: UK/9420X2/68
> Batch: 074/05/ZY369
> Chevrolet Canter, London, SE1 7NA – United Kingdom

My, my, my.  With all that addressing and reference numbers, it certainly looks official.  But isn’t.

> Dear Winner,
>
> Congratulations, you have just won a cash prize of £1,000, 000, 00. One million
> Great British Pounds Sterling (GBP) in the satellite software email lottery.
> On-line Sweepstakes International program held on this day Satur day 23rd
> November 2013 @05:42.PM London time. Conducted by CHEVROLET LOTTERY BOARD in
> which your e-mail address was pick randomly by software powered by the Internet
> send data’s to;
> ——————————————————————————–
> Tell: +44 701 423 4661             Email: morrluke@careceo.com Officer Name: Mr.
> Morrison Luke. CHEVROLET LOTTERY BOARD London UK
> ——————————————————————————–

As usual, you have supposedly won something.  If you reply, of course, there will start to be fees or taxes that you have to pay before the money is released to you.  The amounts will start out small (hey, who wouldn’t be willing to pay a hundred pound “processing fee” in order to get a million pounds, right?) but then get larger.  (Once you’ve paid something, then you would tend to be willing to pay more.  Protecting your investment, as it were.)  And, of course you will never see a cent of your winnings, inheritance, charity fund, etc, etc.

> Below is the claims and verifications form. You are expected to fill and return
> it immediately so we can start processing your claims:
>
> 1. Full Names:
> 2. Residential Address:
> 3. Direct Phone No:
> 4. Fax Number
> 5. Occupation:
> 6. Sex:
> 7. Age:
> 8. Nationality:
> 9. Annual Income:
> 10. Won Before:
> 11. Batch number: CHELPT1611201310542PM
> 12: Ticket Numbers: 69475600545-72113
> 13: Lucky numbers: 31-6-26-13-35-7

But here, they are starting to ask you for a lot of personal information.  This could be used for identity theft.  Ultimately, they might ask for your bank account information, in order to transfer your winnings.  Given enough other data on you, they could then empty your account.

> We wish you the best of luck as you spend your good fortune thank you for being
> part of our commemorative yearly Draws.
>
> Sincerely,
> Mrs. Susan Chris.
> CHEVROLET LOTTERY PROMOTION TEAM.

Oh, yeah.  Good luck on ever getting any of this money.


CyberSec Tips: Email – Spam – Phishing – example 2

Some of you may have a BarclayCard credit card.  You might receive a reminder message that looks like the one below.  (Actually, the only credit card company I know that actually sends email reminders is American Express, which I think is a black mark on their security record.)

> Subject: Barclaycard Payment is due
> From: “Barclaycard” <barclaycard@card.com>
> Received: from smtp.alltele.net

If you look at the message headers, you might note that this message doesn’t come from where it says it comes from, and that’s something of which to beware.

> Your barclaycard payment is due
>
> Visit your card service section below to proceed
> hxxp://www.equivalente.it/rss/re.html

You might also note that, if you do have a BarclayCard, it’s probably because you live in the UK.  And the server they want you to visit is in Italy: .it


CyberSec Tips: Email – Spam – Phishing – example 1

Phishing is pretty constant these days.  One of the tips to identify phishing messages is if you don’t have an account at that particular bank.  Unfortunately, a lot of people who are online have accounts with Paypal, so Paypal is becoming a favourite with phishers.  You’ll probably get a message something like this:

> Subject: Your account access has been limited
> From: service@paypal.co.uk <notice@paypal6.co.uk>

(You might think twice if you have an account with Paypal in the United States, but this domain is in the UK.)

> PayPal is constantly working to ensure security by regularly screening the
> accounts in our system. We recently reviewed your account, and we need more
> information to help us provide you with secure service. Until we can
> collect this information, your access to sensitive account features will be
> limited. We would like to restore your access as soon as possible, and we
> apologize for the inconvenience.
>
> Why is my account access limited?
>
> Your account access has been limited for the following reason(s):
>
> November 27, 2013: We would like to ensure that your account was not
> accessed by an unauthorized third party. Because protecting the security of
> your account is our primary concern, we have limited access to sensitive
> PayPal account features. We understand that this may be an inconvenience but
> please understand that this temporary limitation is for your protection.
>
> Case ID Number: PP-197-849-152
>
> You must click the link below and enter your password for email on the following page to review your account. hxxp://dponsk.ru/wp-admins/.pay/
>
> Please visit the hxxp://dponsk.ru/wp-admins/.pay Resolution Center and
> complete the Steps to Remove Limitations.

Sounds official, right?  But notice that the URLs given have nothing to do with Paypal.  Also notice, given the .ru domain, that they are in Russia.  Don’t click on those links.  Neither Paypal nor anybody else is going to send you these types of messages these days.


CyberSec Tips: Email – Spam – Fraud – example 2

Another advance fee/419 fraud is the lottery.

> Subject: Dear User
> To: Recipients <info@notizia348.onmicrosoft.com>
> From: Alexander brown <info@notizia348.onmicrosoft.com>

Again, your email address, which supposedly “won” this lottery, is missing: this message is being sent to many people.  (If you really had won millions, don’t you think they’d take a bit more care getting it to you?)

> Dear Internet User,
>  We are pleased to inform you again of the result of the Internet Promotional
>  Draws. All email addresses entered for this promotional draws were randomly
>  inputted from an internet resource database using the Synchronized
> Data Collective Balloting Program.

Sounds impressive.  But it really doesn’t mean anything.  In the first place, you never entered.  And why would anyone set up a lottery based simply on random email sent around the net?  There is no benefit to anyone in that, not even as a promotion.

> This is our second letter to you. After this automated computer ballot,your
> email address was selected in Category A with Ref Number: GTL03-2013 and
> E-Ticket Number: EUB/8974IT,this qualifies you to be the recipient of the
> grand prize award sum of (US$2,500,000.00) Two Million, Five Hundred Thousand
> United States Dollars.

This is interesting: it presents still more impressive stuff–that really has no meaning.  It starts by saying this is the second message to you, implying that you missed the first.  This is intended to make you anxious, and probably a bit less questioning about things.  Watch out for anything that tries to rush or push you.

The numbers, of course, are meant to sound official, but are meaningless.

> The payout of this cash prize to you will be subject to the final validations
> and satisfactory report that you are the bona fide owner of the winning email
> address. In line with the governing rules of claim, you are required to
> establish contact with your designated claims agent via email or
> telephone with the particulars below:
> Enquiry Officer: Mr. Samuel Trotti
> Phone: +39 3888146161
> Email: trottioffice@aim.com

Again, note that the person you are to contact is not the one (or even the same domain) as sent the message.

>  You may establish contact with the Enquiry Officer via the e-mail address above
>  with the information’s necessary: Name:, Address:, Phone:, Cell Phone:, Email:,
>  Alternative Email:, Occupation:, Ref Number and E-Ticket Number. All winnings
>  must be claimed within 14 days from today. After this date all unclaimed funds
>  would be included in the next stake. Remember to quote your reference
>  information in all correspondence with your claims agent.

This is interesting: the amount of information they ask from you means that this might not simply be advance fee fraud, but they might be doing phishing and identity theft, as well.


CyberSec Tips: Email – Spam – Fraud – example 1

A lot of the advance fee fraud (also called 419 or Nigerian scams) these days say you’ve been named in a will:

> Subject: WILL EXECUTION!!!
> To: Recipients <clifordchance08@cliffordchance854.onmicrosoft.com>
> From: Clifford Chance <clifordchance08@cliffordchance854.onmicrosoft.com>

Note in this case that the message is sent “to” the person who sent it.  This is often an indication that many people have been sent the same message by being “blind” copied on it.  In any case, it wasn’t sent specifically to you.

> Late Mr.Robert Adler bequeathed US$20,500,000.00 USD, to you in his will.More
> info,contact your attorney(Clifford Chance Esq) via email
> address:clf.chance@hotmail.com  Tell+44-871-974-9198

This message doesn’t tell you very much: sometimes they have a reference to a recent tragic event.

Note also that the email address you are supposed to contact is not the same address that sent the message.  This is always suspicious.  (So is giving a phone number.)

If you look into the headers, there are more oddities:

> From: Clifford Chance <clifordchance08@cliffordchance854.onmicrosoft.com>
> Reply-To: <clf.chance@hotmail.com>
> Message-ID: <XXXX@SINPR02MB153.apcprd02.prod.outlook.com>

There are not only three different email addresses, but three different domains.  Microsoft owns Hotmail, and Hotmail became Outlook, so it’s possible, but it’s still a bit odd.
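The header checks used across these fraud and phishing examples (a Reply-To in a different domain, a message addressed “to” its own sender, a display name that shows one address while the real one is another) can be automated. The following Python is an added example, not part of the original posts; the flag names are made up here, and the sample headers are assembled from the messages quoted on this page.

```python
import re
from email import message_from_string

# "Display Name <local@domain>" or a bare "<local@domain>"
MAILBOX = re.compile(r'^(?P<display>.*?)<(?P<addr>[^<>\s]+@[^<>\s]+)>\s*$')
# An e-mail address appearing inside a display name
ADDR_IN_TEXT = re.compile(r'[^\s<>"]+@([^\s<>"]+)')


def split_mailbox(value):
    """Return (display_name, address) for one header value; address is lower-cased."""
    value = (value or "").strip()
    m = MAILBOX.match(value)
    if m:
        return m.group("display").strip().strip('"'), m.group("addr").lower()
    return "", value.lower()


def domain_of(addr):
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def header_red_flags(raw_headers):
    """Return the list of warning signs found in a block of raw headers.

    Domains are compared as whole strings, so a legitimate sender that replies
    from a sub-domain would also be flagged; treat the result as a prompt to
    look closer, not as a verdict.
    """
    msg = message_from_string(raw_headers)
    display, from_addr = split_mailbox(msg["From"])
    _, reply_addr = split_mailbox(msg["Reply-To"])
    _, to_addr = split_mailbox(msg["To"])

    flags = []
    # Replies go somewhere other than the claimed sender's domain.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        flags.append("reply-to-domain-differs")
    # Message is "to" its own sender: real recipients were blind-copied.
    if to_addr and to_addr == from_addr:
        flags.append("to-equals-from")
    # Display name shows an address in a different domain than the real one.
    shown = ADDR_IN_TEXT.search(display)
    if shown and shown.group(1).lower() != domain_of(from_addr):
        flags.append("display-name-shows-other-domain")
    return flags


# Sample headers taken from the messages quoted on this page.
FRAUD_3 = (
    "Subject: Dear Winner!!!\n"
    "From: CHELPT <inf8@hotline.onmicrosoft.com>\n"
    "Reply-To: <morrluke@careceo.com>\n"
)
FRAUD_2 = (
    "Subject: Dear User\n"
    "To: Recipients <info@notizia348.onmicrosoft.com>\n"
    "From: Alexander brown <info@notizia348.onmicrosoft.com>\n"
)
FRAUD_1 = (
    "Subject: WILL EXECUTION!!!\n"
    "To: Recipients <clifordchance08@cliffordchance854.onmicrosoft.com>\n"
    "From: Clifford Chance <clifordchance08@cliffordchance854.onmicrosoft.com>\n"
    "Reply-To: <clf.chance@hotmail.com>\n"
)
PHISH_1 = (
    "Subject: Your account access has been limited\n"
    "From: service@paypal.co.uk <notice@paypal6.co.uk>\n"
)

if __name__ == "__main__":
    for name, sample in [("fraud 3", FRAUD_3), ("fraud 2", FRAUD_2),
                         ("fraud 1", FRAUD_1), ("phishing 1", PHISH_1)]:
        print(name, header_red_flags(sample))
```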


It’s What’s on the Inside that Counts

The last time I checked, the majority of networking and security professionals were still human.

We all know that the problem with humans is that they sometimes exhibit certain behaviors that can lead to trouble – if that wasn’t the case we’d probably all be out of a job! One such behavior is obsession.

Obsession can be defined as an idea or thought that continually preoccupies or intrudes on a person’s mind. I’ve worked with a number of clients who have had an obsession that may, as bizarrely as it seems, have had a negative impact on their information security program.

The obsession I speak of is the thought of someone “breaking in” to their network from the outside.

You’re probably thinking to yourself, how on earth can being obsessed with protecting your network from external threats have a negative impact on your security? If anything it’s probably the only reason you’d want a penetration test in the first place! I’ll admit, you’re correct about that, but allow me to explain.

Every organization has a finite security budget. How they use that budget is up to them, and this is where the aforementioned obsession can play its part. If I’m a network administrator with a limited security budget and all I think about is keeping people out of my network, my shopping list will likely consist of edge firewalls, web-application firewalls, IDS/IPS and a sprinkling of penetration testing.

If I’m a pen tester working on behalf of that network administrator I’ll scan the network and see a limited number of open ports thanks to the firewall, trigger the IPS, have my SQL injection attempts dropped by the WAF and generally won’t be able to get very far. Then my time will be up, I’ll write a nice report about how secure the network is and move on. Six or twelve months later, I’ll do exactly the same test, find exactly the same things and move on again. This is the problem. It might not sound like a problem, but trust me, it is. Once we’ve gotten to this point, we’ve lost sight of the reason for doing the pen test in the first place.

The test is designed to be a simulation of an attack conducted by a malicious hacker with eyes only for the client. If a hacker is unable to break into the network from the outside, chances are they won’t wait around for a few months and try exactly the same approach all over again. Malicious hackers are some of the most creative people on the planet. If we really want to do as they do, we need to give our testing a creativity injection. It’s our responsibility as security professionals to do this, and encourage our clients to let us do it.

Here’s the thing: because both pen testers and clients have obsessed over hackers breaking into stuff for so long, we’ve actually gotten a lot better at stopping them from doing so. That’s not to say that there will never be a stray firewall rule that gives away a little too much skin, or a hastily written piece of code that doesn’t validate input properly, but generally speaking “breaking in” is no longer the path of least resistance at many organizations – and malicious hackers know it. Instead “breaking out” of a network is the new route of choice.

While everyone has been busy fortifying defenses on the way in to the network, traffic on the way out is seldom subject to such scrutiny – making it a very attractive proposition to an attacker. Of course, the attacker still has to get themselves into position behind the firewall to exploit this – but how? And how can we simulate it in a penetration test?

[Figure: What the Pen Tester sees]

[Figure: The Whole Picture]

On-Site Testing

There is no surer way of getting on the other side of the firewall than to head to your client’s office and plug directly into their network. This isn’t a new idea by any means, but it’s something that’s regularly overlooked in favor of external or remote testing. The main reason for this of course is the cost. Putting up a tester for a few nights in a hotel and paying travel expenses can put additional strain on the security budget. However, doing so is a hugely valuable exercise for the client. I’ve tested networks from the outside that have shown little room for enumeration, let alone exploitation. But once I headed on-site and came at those networks from a different angle, the angle no one ever thinks of, I had trouble believing they were the same entity.

To give an example, I recall doing an on-site test for a client who had just passed an external test with flying colors. Originally they had only wanted the external test, which was conducted against a handful of IPs. I managed to convince them that in their case, the internal test would provide additional value. I arrived at the office about an hour and a half early, I sat out in the parking lot waiting to go in. I fired up my laptop and noticed a wireless network secured with WEP, the SSID was also the name of the client. You can probably guess what happened next. Four minutes later I had access to the network, and was able to compromise a domain controller via a flaw in some installed backup software. All of this without leaving the car. Eventually, my point of contact arrived and said, “So are you ready to begin, or do you need me to answer some questions first?” The look on his face when I told him that I’d actually already finished was one that I’ll never forget. Just think, had I only performed the external test, I would have been denied that pleasure. Oh, and of course I would have never picked up on the very unsecure wireless network, which is kind of important too.

This is just one example of the kind of thing an internal test can uncover that wouldn’t have even been considered during an external test. Why would an attacker spend several hours scanning a network range when they could just park outside and connect straight to the network?

One of my favorite on-site activities is pretending I’m someone with employee level access gone rogue. Get on the client’s standard build machine with regular user privileges and see how far you can get on the network. Can you install software? Can you load a virtual machine? Can you get straight to the internet, rather than being routed through a proxy? If you can, there are a million and one attack opportunities at your fingertips.

The majority of clients I’ve performed this type of test for hugely overestimated their internal security. It’s well documented that the greatest threat comes from the inside, either on purpose or by accident. But of course, everyone is too busy concentrating on the outside to worry about what’s happening right in front of them.

Good – Networks should be just as hard to break out of, as they are to break in to.

Fortunately, some clients are required to have this type of testing, especially those in government circles. In addition, several IT security auditing standards require a review of internal networks. The depth of these reviews is sometimes questionable though. Auditors aren’t always technical people, and often the review will be conducted against diagrams and documents of how the system is supposed to work, rather than how it actually works. These are certainly useful exercises, but at the end of the day a certificate with a pretty logo hanging from your office wall won’t save you when bad things happen.

Remote Workers

Having a remote workforce can be a wonderful thing. You can save a bunch of money by not having to maintain a giant office and the associated IT infrastructure. The downside of this is that in many organizations, the priority is getting people connected and working, rather than properly enforcing security policy. The fact is that if you allow someone to connect remotely into the heart of your network with a machine that you do not have total control over, your network is about as secure as the internet. You are in effect extending your internal network out past the firewall to the unknown. I’ve seen both sides of the spectrum, from an organization that would only allow people to connect in using routers and machines that they configured and installed, to an organization that provided a link to VPN client and said “get on with it”.

I worked with one such client who was starting to rely on remote workers more and more, and had recognized that this could introduce a security problem. They arranged for me to visit the homes of a handful of employees and see if I could somehow gain access to the network’s internal resources. The first employee I visited used his own desktop PC to connect to the network. He had been issued a company laptop, but preferred the big screen, keyboard and mouse that were afforded to him by his desktop. The machine had no antivirus software installed, no client firewall running and no disk encryption. This was apparently because all of these things slowed it down too much. Oh, but it did have a peer-to-peer file sharing application installed. No prizes for spotting the security risks here.

In the second home I visited, I was pleased to see the employee using her company issued XP laptop. Unfortunately she was using it on her unsecured wireless network. To demonstrate why this was a problem, I joined my testing laptop to the network, fired up a Metasploit session and hit the IP with my old favorite, the MS08-067 NetAPI32.dll exploit module. Sure enough, I got a shell, and was able to pivot my way into the remote corporate network. It was at this point that I discovered the VPN terminated in a subnet with unrestricted access to the internal server subnet. When I pointed out to the client that there really should be some sort of segregation between these two areas, I was told that there was. “We use VLAN’s for segregation”, came the response. I’m sure that everyone reading this will know that segregation using VLAN’s, at least from a security point of view, is about as useful as segregating a lion from a Chihuahua with a piece of rice paper. Ineffective, unreliable and will result in an unhappy ending.

Bad – The VPN appliance is located in the core of the network.

Social Engineering

We all know that this particular activity is increasing in popularity amongst our adversaries, so why don’t we do it more often as part of our testing? Well, simply put, a lot of the time this comes down to politics. Social engineering tests are a bit of a touchy subject at some organizations, who fear a legal backlash if they do anything to blatantly demonstrate how their own people are subject to the same flaws as the seven billion others on the planet. I’ve been in scoping meetings when as soon as the subject of social engineering has come up, I’m stared at harshly and told in no uncertain terms, “Oh, no way, that’s not what we want, don’t do that.” But why not do it? Don’t you think a malicious hacker would? You’re having a pen test right? Do you think a malicious hacker would hold off on social engineering because they haven’t gotten your permission to try it? Give me a break.

On the other hand, I’ve worked for clients who have recognized the threat of social engineering as one of the greatest to their security, and relished at the opportunity to have their employees tested. Frequently, these tests result in a greater than 80% success rate. So how are they done?

Well, they usually start off with the tester registering a domain name which is extremely similar to the client’s. Maybe with one character different, or a different TLD (“.net” instead of “.com” for example).

The tester’s next step would be to set up a website that heavily borrows CSS code from the client’s site. All it needs is a basic form with username and password fields, as well as some server side coding to email the contents of the form to the tester upon submission.

[Figure caption: With messages like this one in an online meeting product, it’s no wonder social engineering attacks are so successful.]

Finally, the tester will send out an email with some half-baked story about a new system being installed, or special offers for the employee “if you click this link and login”. Sit back and wait for the responses to come in. Follow these basic steps and within a few minutes, you’ve got a username, password and employee level access. Now all you have to do is find a way to use that to break out of the network, which won’t be too difficult, because everyone will be looking the other way.
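Seen from the defending side, the lookalike domain in the first step is checkable: a mail gateway or proxy can compare sender and link domains against the organisation’s own names. The following Python is an added example, not part of the original article; the protected list and function names are assumptions, example-shop.com and its variants are constructed, and the paypal pair is the one shown in the phishing example on this page. It assumes inputs are registrable domains (a real deployment would use the Public Suffix List to strip sub-domains first).

```python
# Added example: classify a domain seen in mail or proxy logs against a list
# of protected domains. "Lookalike" here means one edit away from a protected
# name, or the same name under a different suffix (".net" instead of ".com").

PROTECTED = ["example-shop.com", "paypal.co.uk"]  # assumed list of real domains


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each costing 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if (i > 1 and j > 1
                    and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


def normalise(domain):
    """Lower-case, drop a trailing dot and a leading 'www.'."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d


def classify(candidate, protected=PROTECTED):
    """Return (verdict, matched_protected_domain).

    verdict is 'exact', 'suffix-swap', 'one-edit' or 'unrelated'.
    The first label is treated as the name and the rest as the suffix.
    """
    cand = normalise(candidate)
    c_name, _, c_suffix = cand.partition(".")
    lookalike = None
    for good in protected:
        ref = normalise(good)
        if cand == ref:
            return ("exact", good)
        g_name, _, g_suffix = ref.partition(".")
        if lookalike is None:
            if c_name == g_name:
                lookalike = ("suffix-swap", good)
            elif c_suffix == g_suffix and edit_distance(c_name, g_name) == 1:
                lookalike = ("one-edit", good)
    return lookalike or ("unrelated", None)


if __name__ == "__main__":
    for seen in ["www.example-shop.com", "examp1e-shop.com", "exmaple-shop.com",
                 "example-shop.net", "paypal6.co.uk", "unrelated-store.org"]:
        print(seen, classify(seen))
```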

Conclusion

The best penetration testers out there are those who provide the best value to the client. This doesn’t necessarily mean the cheapest or quickest. Instead it’s those who make the most effective use of their relatively short window of time, and any other limitations they face to do the job right. Never forget what that job is, and why you are doing it. Sometimes we have to put our generic testing methodologies aside and deliver a truly bespoke product. After all, there is nothing more bespoke than a targeted hacking attack, which can come from any direction. Even from the inside.


“Poor” decisions in management?

I started reading this article just for the social significance.  You’ve probably seen reports of it: it’s been much in the media.

However, I wasn’t very far in before I came across a statement that seems to have a direct implication to all business management, and, in particular, the CISSP:

“The authors gathered evidence … and found that just contemplating a projected financial decision impacted performance on … reasoning tests.”

As soon as I read that, I flashed on the huge stress we place on cost/benefit analysis in the CISSP exam.  And, of course, that extends to all business decisions: everything is based on “the bottom line.”  Which would seem to imply that hugely important corporate and public policy decisions are made on the worst possible basis and in the worst possible situation.

(That *would* explain a lot about modern business, policy, and economics.  And maybe the recent insanity in the US Congress.)

Other results seem to temper that statement, and, unfortunately, seem to support wage inequality and the practice of paying obscene wages to CEOs and directors: “… low-income people asked to ponder an expensive car repair did worse on cognitive-function tests than low-income people asked to consider cheaper repairs or than higher-income people faced with either scenario.”

But it does make you think …


Google’s “Shared Endorsements”

A lot of people are concerned about Google’s new “Shared Endorsements” scheme.

However, one should give credit where credit is due.  This is not one of Facebook’s functions, where, regardless of what you’ve set or unset in the past, every time they add a new feature it defaults to “wide open.”  If you have been careful with your Google account in the past, you will probably find yourself still protected.  I’m pretty paranoid, but when I checked the Shared Endorsements setting page on my accounts, the “Based upon my activity, Google may show my name and profile photo in shared endorsements that appear in ads” box was unchecked on all of them.  I can only assume that it is because I’ve been circumspect in my settings in the past.


The Common Vulnerability Scoring System

Introduction

This article presents the Common Vulnerability Scoring System (CVSS) Version 2.0, an open framework for scoring IT vulnerabilities. It introduces metric groups and describes base metrics, the base vector, and scoring. Finally, an example is provided to show how it works in practice. For a more in-depth look into scoring vulnerabilities, check out the ethical hacking course offered by the InfoSec Institute.

Metric groups

There are three metric groups:

I. Base (used to describe the fundamental information about the vulnerability—its exploitability and impact).
II. Temporal (time is taken into account when severity of the vulnerability is assessed; for example, the severity decreases when the official patch is available).
III. Environmental (environmental issues are taken into account when severity of the vulnerability is assessed; for example, the more systems affected by the vulnerability, the higher severity).

This article is focused on base metrics. Please read A Complete Guide to the Common Vulnerability Scoring System Version 2.0 if you are interested in temporal and environmental metrics.

Base metrics

There are exploitability and impact metrics:

I. Exploitability

a) Access Vector (AV) describes how the vulnerability is exploited:
- Local (L)—exploited only locally
- Adjacent Network (A)—adjacent network access is required to exploit the vulnerability
- Network (N)—remotely exploitable

The more remote the attack, the more severe the vulnerability.

b) Access Complexity (AC) describes how complex the attack is:
- High (H)—a series of steps needed to exploit the vulnerability
- Medium (M)—neither complicated nor easily exploitable
- Low (L)—easily exploitable

The lower the access complexity, the more severe the vulnerability.

c) Authentication (Au) describes the authentication needed to exploit the vulnerability:
- Multiple (M)—the attacker needs to authenticate at least two times
- Single (S)—one-time authentication
- None (N)—no authentication

The lower the number of authentication instances, the more severe the vulnerability.

II. Impact

a) Confidentiality (C) describes the impact of the vulnerability on the confidentiality of the system:
- None (N)—no impact
- Partial (P)—data can be partially read
- Complete (C)—all data can be read

The more affected the confidentiality of the system is, the more severe the vulnerability.

b) Integrity (I) describes the impact of the vulnerability on the integrity of the system:
- None (N)—no impact
- Partial (P)—data can be partially modified
- Complete (C)—all data can be modified

The more affected the integrity of the system is, the more severe the vulnerability.

c) Availability (A) describes the impact of the vulnerability on the availability of the system:
- None (N)—no impact
- Partial (P)—interruptions in system’s availability or reduced performance
- Complete (C)—system is completely unavailable

The more affected availability of the system is, the more severe the vulnerability.

Please note the abbreviated metric names and values in parentheses. They are used in base vector description of the vulnerability (explained in the next section).

Base vector

Let’s discuss the base vector. It is presented in the following form:

AV:[L,A,N]/AC:[H,M,L]/Au:[M,S,N]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C]

This is an abbreviated description of the vulnerability that brings information about its base metrics together with metric values. The brackets include possible metric values for given base metrics. The evaluator chooses one metric value for every base metric.

Scoring

The formulas for base score, exploitability, and impact subscores are given in A Complete Guide to the Common Vulnerability Scoring System Version 2.0 [1]. However, there is no need to do the calculations manually. There is a Common Vulnerability Scoring System Version 2 Calculator available. The only thing the evaluator has to do is assign metric values to metric names.

Severity level

The base score is dependent on exploitability and impact subscores; it ranges from 0 to 10, where 10 means the highest severity. However, CVSS v2 doesn’t transform the score into a severity level. One can use, for example, the FortiGuard severity level to obtain this information:

| FortiGuard severity level | CVSS v2 score |
|---|---|
| Critical | 9 – 10 |
| High | 7 – 8.9 |
| Medium | 4 – 6.9 |
| Low | 0.1 – 3.9 |
| Info | 0 |

Putting the pieces together

An example vulnerability in a web application is provided to better understand how Common Vulnerability Scoring System Version 2.0 works in practice. Please keep in mind that this framework is not limited to web application vulnerabilities.

Cross-site request forgery in admin panel allows adding a new user and deleting an existing user or all users.

Let’s first analyze the base metrics together with the resulting base vector:

Access Vector (AV): Network (N)
Access Complexity (AC): Medium (M)
Authentication (Au): None (N)

Confidentiality (C): None (N)
Integrity (I): Partial (P)
Availability (A): Complete (C)

Base vector: (AV:N/AC:M/Au:N/C:N/I:P/A:C)

Explanation: The admin has to visit the attacker’s website for the vulnerability to be exploited. That’s why the access complexity is medium. The website of the attacker is somewhere on the Internet. Thus the access vector is network. No authentication is required to exploit this vulnerability (the admin only has to visit the attacker’s website). The attacker can delete all users, making the system unavailable for them. That’s why the impact of the vulnerability on the system’s availability is complete. Deleting all users doesn’t delete all data in the system. Thus the impact on integrity is partial. Finally, there is no impact on the confidentiality of the system, provided that the added user doesn’t have read permissions by default.

Let’s use the Common Vulnerability Scoring System Version 2 Calculator to obtain the subscores (exploitability and impact) and base score:

Exploitability subscore: 8.6
Impact subscore: 7.8
Base score: 7.8

Let’s transform the score into a severity level according to FortiGuard severity levels:

FortiGuard severity level: High
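What the calculator does with a base vector can be reproduced in a few lines. The following is an added example (not code from the article or from the CVSS project): it parses a base vector, applies the base equations and metric weights published in the CVSS v2 guide [1], and maps the result to the FortiGuard levels listed above. The function names are illustrative.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 guide ([1] in the article), keyed by the
# abbreviations used in the base vector.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
ORDER = ("AV", "AC", "Au", "C", "I", "A")

# FortiGuard levels as listed in the article: (lowest score in band, level).
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"),
                  (0.1, "Low"), (0.0, "Info"))


def round1(value):
    """Round half up to one decimal place."""
    return float(Decimal(repr(value)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_base_vector(vector):
    """Return {metric: value}; raise ValueError on a malformed base vector."""
    text = vector.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]  # the article writes the vector in parentheses
    parts = text.split("/")
    if len(parts) != len(ORDER):
        raise ValueError(f"expected {len(ORDER)} metrics, got {len(parts)}")
    metrics = {}
    for expected, part in zip(ORDER, parts):
        name, sep, value = part.partition(":")
        if not sep or name != expected:
            raise ValueError(f"expected metric {expected!r}, got {part!r}")
        if value not in WEIGHTS[name]:
            raise ValueError(f"invalid value {value!r} for {name}")
        metrics[name] = value
    return metrics


def severity(base_score):
    """Map a base score (0 to 10) to a FortiGuard severity level."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError("base score must be between 0 and 10")
    for floor, level in SEVERITY_BANDS:
        if base_score >= floor:
            return level


def score(vector):
    """Compute subscores, base score and severity for a base vector."""
    metrics = parse_base_vector(vector)
    w = {name: WEIGHTS[name][metrics[name]] for name in ORDER}
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    # f(Impact) is 0 when there is no impact at all, otherwise 1.176.
    if impact == 0:
        base = 0.0
    else:
        base = round1((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)
    return {
        "exploitability": round1(exploitability),
        "impact": round1(impact),
        "base": base,
        "severity": severity(base),
    }


if __name__ == "__main__":
    # The CSRF example from the article.
    print(score("(AV:N/AC:M/Au:N/C:N/I:P/A:C)"))
```

Only the base score is rounded by the equations; the subscores are rounded here for display, as the calculator shows them.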

Summary

This article described an open framework for scoring IT vulnerabilities—Common Vulnerability Scoring System (CVSS) Version 2.0. Base metrics, the base vector, and scoring were presented. One way of transforming CVSS v2 scores into severity levels was described (FortiGuard severity levels). Finally, an example was discussed to see how all these pieces work in practice.

Dawid Czagan is a security researcher for the InfoSec Institute and the Head of Security Consulting at Future Processing.


Bank of Montreal online banking insecurity

I’ve had an account with the Bank of Montreal for almost 50 years.

I’m thinking that I may have to give it up.

BMO’s online banking is horrendously insecure.  The password is restricted to six characters.  It is tied to telephone banking, which means that the password is actually the telephone pad numeric equivalent of your password.  You can use that numeric equivalent or any password you like that fits the same numeric equivalent.  (Case is, of course, completely irrelevant.)

My online access to the accounts has suddenly stopped working.  At various times, over the years, I have had problems with the access and had to go to the bank to find out why.  The reasons have always been weird, and the process of getting access again convoluted.  At present I am using, for access, the number of a bank debit card that I never use as a debit card.  (Or even an ATM card.)  The card remains in the file with the printed account statements.

Today when I called about the latest problem, I had to run through the usual series of inane questions.  Yes, I knew how long my password had to be.  Yes, I knew my password.  Yes, it was working until recently.  No, it didn’t work on online banking.  No, it didn’t work on telephone banking.

The agent (no, sorry, “service manager,” these days) was careful to point out that he was *not* going to ask me for my password.  Then he set up a conference call with the online banking system, and had me key in my password over the phone.

(OK, it’s unlikely that even a trained musician could catch all six digits from the DTMF tones on one try.  But a machine could do it easily.)

After all that, the apparent reason for the online banking not working is that the government has mandated that all bank cards now be chipped.  So, without informing me, and without sending me a new card, the bank has cancelled my access.  (I suppose that is secure.  If you are not counting on availability, or access to audit information.)

(I also wonder, if that was the reason, why the “service manager” couldn’t just look up the card number and determine that the access had been cancelled, rather than having me try to sign in.)

I’ll probably go and close my account this afternoon.


Has your email been “hacked?”

I got two suspicious messages today.  They were identical, and supposedly “From” two members of my extended family, and to my most often used account, rather than the one I use as a spam trap.  I’ve had some others recently, and thought it a good opportunity to write up something on the general topic of email account phishing.

The headers are no particular help: the messages supposedly related to a Google Docs document, and do seem to come from or through Google.  (Somewhat ironically, at the time the two people listed in these messages might have been sharing information with the rest of us in the family in this manner.  Be suspicious of anything you receive over the Internet, even if you think it might relate to something you are expecting.)

The URLs/links in the message are from TinyURL (which Google wouldn’t use) and, when resolved, do not actually go to Google.  They seem to end up on a phishing site intended to steal email addresses.  It had a Google logo at the top, and asked the user to “sign in” with email addresses (and passwords) from Gmail, Yahoo, Hotmail, and a few other similar sites.  (The number of possible Webmail sites should be a giveaway in itself: Google would only be interested in your Google account.)

Beware of any messages you receive that look like this:

——- Forwarded message follows ——-
Subject:            Important Documents
Date sent:          Mon, 5 Aug 2013 08:54:26 -0700
From:               [a friend or relative]

*Hello,*
*
How are you doing today? Kindly view the documents i uploaded for you using
Google Docs CLICK HERE <hxxp://tinyurl.com/o2vlrxx>.
——- End of forwarded message ——-

That particular site was only up briefly: 48 hours later it was gone.  This tends to be the case: these sites change very quickly.  Incidentally, when I initially tested it with a few Web reputation systems, it was pronounced clean by all.

This is certainly not the only type of email phishing message: a few years ago there were rafts of messages warning you about virus, spam, or security problems with your email account.  Those are still around: I just got one today:

——- Forwarded message follows ——-
From:               ”Microsoft HelpDesk” <microsoft@helpdesk.com>
Subject:            Helpdesk Mail Box Warning!!!
Date sent:          Wed, 7 Aug 2013 15:56:35 -0200

Helpdesk Mail Support require you to re-validate your Microsoft outlook mail immediately by clicking: hxxp://dktxxxkgek.webs.com/

This Message is From Helpdesk. Due to our latest IP Security upgrades we have reason to believe that your Microsoft outlook mail account was accessed by a third party. Protecting the security of your Microsoft outlook mail account is our primary concern, we have limited access to sensitive Microsoft outlook mail account features.

Failure to re-validate, your e-mail will be blocked in 24 hours.

Thank you for your cooperation.

Help Desk
Microsoft outlook Team
——- End of forwarded message ——-

Do you really think that Microsoft wouldn’t capitalize its own Outlook product?

(Another giveaway on that particular one is that it didn’t come to my Outlook account, mostly because I don’t have an Outlook account.)

(That site was down less than three hours after I received the email.)

OK, so far I have only been talking about things that should make you suspicious when you receive them.  But what happens if and when you actually follow through, and get hit by these tricks?  Well, to explain that, we have to ask why the bad guys would want to phish for your email account.  After all, we usually think of phishing in terms of bank accounts, and money.

The blackhats phishing for email accounts might be looking for a number of things.  First, they can use your account to send out spam, and possibly malicious spam, at that.  Second, they can harvest email addresses from your account (and, in particular, people who would not be suspicious of a message when it comes “From:” you).  Third, they might be looking for a way to infect or otherwise get into your computer, using your computer in a botnet or for some other purpose, or stealing additional information (like banking information) you might have saved.  A fourth possibility, depending upon the type of Webmail you have, is to use your account to modify or create malicious Web pages, to serve malware, or do various types of phishing.

What you have to do depends on what it was the bad guys were after in getting into your account.

If they were after email addresses, it’s probably too late.  They have already harvested the addresses.  But you should still change your password on that account, so they won’t be able to get back in.  And be less trusting in future.

The most probable thing is that they were after your account in order to use it to send spam.  Change your password so that they won’t be able to send any more.  (In a recent event, with another relative, the phishers had actually changed the password themselves.  This is unusual, but it happens.  In that case, you have to contact the Webmail provider, and get them to reset your password for you.)  The phishers have probably also sent email to all of your friends (and everyone in your contacts or address list), so you’d better send a message around, ‘fess up to the fact that you’ve been had, and tell your friends what they should do.  (You can point them at this posting.)  Possibly in an attempt to prevent you from finding out that your account has been hacked, the attackers often forward your email somewhere else.  As well as changing your password, check to see if there is any forwarding on your account, and also check to see if associated email addresses have been changed.

It’s becoming less likely that the blackhats want to infect your computer, but it’s still possible.  In that case, you need to get cleaned up.  If you are running Windows, Microsoft’s (free!) program Microsoft Security Essentials (or MSE) does a very good job.  If you aren’t, or want something different, then Avast, Avira, Eset, and Sophos have products available for free download, and for Windows, Mac, iPhone, and Android.  (If you already have some kind of antivirus program running on your machine, you might want to get these anyway, because yours isn’t working, now is it?)

(By the way, in the recent incident, both family members told me that they had clicked on the link “and by then it was too late.”  They were obviously thinking of infection, but, in fact, that particular site wasn’t set up to try and infect the computer.  When they saw the page asked for their email addresses and password, it wasn’t too late.  If they had stopped at that point, and not entered their email addresses and passwords, nothing would have happened!  Be aware, and a bit suspicious.  It’ll keep you safer.)

When changing your password, or checking to see if your Web page has been modified, be very careful, and maybe use a computer that is protected a bit better than yours is.  (Avast is very good at telling you if a Web page is trying to send you something malicious, and most of the others do as well.  MSE doesn’t work as well in this regard.)  Possibly use a computer that uses a different operating system: if your computer uses Windows, then use a Mac: if your computer is a Mac, use an Android tablet or something like that.  Usually (though not always) those who set up malware pages are only after one type of computer.
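The giveaways described in this post (a URL shortener in a message that claims to be from Google, and a link or sender address that is not on the claimed company's own domain) can be checked mechanically. This is an added example, not the author's code: the shortener list, the brand-to-domain map and the function names are assumptions for illustration, and the sample messages are built from the two quoted above, with their links left defanged.

```python
import re
from urllib.parse import urlsplit

# Assumptions for illustration: a short shortener list and a brand-to-domain map.
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "ow.ly"}
BRAND_DOMAINS = {
    "google": ("google.com",),
    "microsoft": ("microsoft.com", "outlook.com", "live.com"),
}

# Matches live and defanged (hxxp) links, stopping at whitespace, quotes
# and angle brackets.
URL_RE = re.compile(r"h(?:tt|xx)ps?://[^\s<>\"']+", re.IGNORECASE)
ADDR_RE = re.compile(r"<[^@<>\s]+@([^<>\s]+)>")

# Sample input constructed from the two messages quoted in the post.
DOCS_FROM = "[a friend or relative]"
DOCS_BODY = ("How are you doing today? Kindly view the documents i uploaded "
             "for you using\nGoogle Docs CLICK HERE <hxxp://tinyurl.com/o2vlrxx>.")
HELPDESK_FROM = '"Microsoft HelpDesk" <microsoft@helpdesk.com>'
HELPDESK_BODY = ("Helpdesk Mail Support require you to re-validate your Microsoft "
                 "outlook mail immediately by clicking: hxxp://dktxxxkgek.webs.com/")


def link_host(url):
    """Host name of a link, lower-cased; the URL is only parsed, never fetched."""
    refanged = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return (urlsplit(refanged).hostname or "").lower()


def within(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def review(from_header, body):
    """Return a sorted list of (finding, detail) tuples for one message."""
    text = f"{from_header} {body}".lower()
    brands = [b for b in BRAND_DOMAINS if b in text]
    allowed = [d for b in brands for d in BRAND_DOMAINS[b]]
    found = set()
    for url in URL_RE.findall(body):
        host = link_host(url)
        if within(host, SHORTENERS):
            found.add(("shortened-link", host))
        elif brands and not within(host, allowed):
            found.add(("link-not-on-brand-domain", host))
    sender = ADDR_RE.search(from_header)
    if sender and brands and not within(sender.group(1).lower(), allowed):
        found.add(("sender-not-on-brand-domain", sender.group(1).lower()))
    return sorted(found)


if __name__ == "__main__":
    for sender, body in ((DOCS_FROM, DOCS_BODY), (HELPDESK_FROM, HELPDESK_BODY)):
        print(sender, "->", review(sender, body))
```

An empty result means only that none of these particular giveaways was present; as noted above, reputation checks pronounced the first site clean.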


(Photo) Copyist’s error?

Students of the classics and ancient documents are used to checking for copyist errors, but a photocopier?

And, of course, you can’t trust the machine to check the copy against the original, since it will probably make the same mistake every time.

Actually, with absolutely everything in the world going digital, this type of problem is becoming inevitable, and endemic.  Analogue systems have problems, but digital systems are subject to catastrophic collapse.


REVIEW: “Intelligent Internal Control and Risk Management”, Matthew Leitch

BKIICARM.RVW   20121210

“Intelligent Internal Control and Risk Management”, Matthew Leitch, 2008, 978-0-566-08799-8, U$144.95
%A   Matthew Leitch
%C   Gower House, Croft Rd, Aldershot, Hampshire, GU11 3HR, England
%D   2008
%G   978-0-566-08799-8 0-566-08799-5
%I   Gower Publishing Limited
%O   U$114.95 www.gowerpub.com
%O   http://www.amazon.com/exec/obidos/ASIN/0566087995/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/0566087995/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0566087995/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   253 p.
%T   “Intelligent Internal Control and Risk Management”

The introduction indicates that this book is written from the risk management perspective of the financial services industry, with a concentration on Sarbanes-Oxley, COSO, and related frameworks.  There is an implication that the emphasis is on designing new controls.

Part one, “The Bigger Picture,” provides a history of risk management and internal controls.  Chapter one asks how much improvement is possible through additional controls.  The author’s statement that “[w]hen an auditor, especially an external auditor, recommends an improvement control it is usually with little concern for the cost of implementing or operating that control [or improved value].  The auditor wants to feel `covered’ by having recommended something in the face of a risk that exists, at least in theory” is one that is familiar to anyone in the security field.  Leitch goes on to note that there is a disparity between providing real value and revenue assurance, and the intent of this work is increasing the value of business risk controls.  The benefits of trying quality management techniques, as well as those of quantitative risk management, are promoted in chapter two.   Chapter three appears to be a collection of somewhat random thoughts on risk.  Psychological factors in assessing risk, and the fact that controls have to be stark enough to make people aware of upcoming dangers, are discussed in chapter four.

Part two turns to a large set of controls, and examines when to use, and not to use, them.  Chapter five introduces the list, arrangement, and structure.  Controls that generate other controls (frequently management processes) are reviewed in chapter six.  For each control there is a title, example, statement of need, opening thesis, discussion, closing recommendation, and summary relating to other controls.  Most are one to three pages in length.  Audit and monitoring controls are dealt with in chapter seven.  Adaptation is the topic of chapter eight.  (There is a longer lead-in discussion to these controls, since, inherently, they deal with change, to which people, business, and control processes are highly resistant.)  Chapter nine notes issues of protection and reliability.  The corrective controls in chapter ten are conceptually related to those in chapter seven.

Part three looks at change for improvement, rather than just for the sake of change.  Chapter eleven suggests means of promoting good behaviours.  A Risk and Uncertainty Management Assessment (RUMA) tool is presented in chapter twelve, but, frankly, I can’t see that it goes beyond thinking out alternative courses of action.  Barriers to improvement are noted in chapter thirteen.  Roles in the organization, and their relation to risk management, are outlined in chapter fourteen.  Chapter fifteen examines the special needs for innovative projects.  Ways to address restrictive ideology are mentioned in chapter sixteen.  Seven areas that Leitch advises should be explored conclude the book in chapter seventeen.

A number of interesting ideas are presented for consideration in regard to the choice and design of controls.  However, the text is not a guidebook for producing actual control systems.

copyright, Robert M. Slade   2013   BKIICARM.RVW   20121210


A virus too big to fail?

Once upon a time, many years ago, a school refused to take my advice (mediated through my brother) as to what to do about a very simple computer virus infection.  The infection in question was Stoned, which was a boot sector infector.   BSIs generally do not affect data, and (and this is the important point) are not eliminated by deleting files on the computer, and often not even by reformatting the hard disk.  (At the time there were at least a dozen simple utilities for removing Stoned, most of them free.)

The school decided to cleanse its entire computer network by boxing it up, shipping it back to the store, and having the store reformat everything.  Which the store did.  The school lost its entire database of student records, and all databases for the library.  Everything had to be re-entered.  By hand.

I’ve always thought this was the height of computer virus stupidity, and that the days when anyone would be so foolish were long gone.

I was wrong.  On both counts.

“In December 2011 the Economic Development Administration (an agency under the US Department of Commerce) was notified by the Department of Homeland Security that it had a malware infection spreading around its network.

“They isolated their department’s hardware from other government networks, cut off employee email, hired an outside security contractor, and started systematically destroying $170,000 worth of computers, cameras, mice, etc.”

The only reason they *stopped* destroying computer equipment and devices was because they ran out of money.  For the destruction process.

Malware is my field, and so I often sound like a bit of a nut, pointing out issues that most people consider minor.  However, malware, while now recognized as a threat, is a field that extremely few people, even in the information security field, study in any depth.  Most general security texts (and, believe me, I know almost all of them) touch on it only tangentially, and often provide advice that is long out of date.

With that sort of background, I can, unfortunately, see this sort of thing happening again.

Lest you think I exaggerate any of this, you can read the actual report.


REVIEW: “Security and Privacy for Microsoft Office 2010 Users”, Mitch Tulloch

BKSCPRO2.RVW   20121122

“Security and Privacy for Microsoft Office 2010 Users”, Mitch Tulloch,
2012, 0735668833, U$9.99
%A   Mitch Tulloch info@mtit.com www.mtit.com
%C   1 Microsoft Way, Redmond, WA   98052-6399
%D   2012
%G   0735668833
%I   Microsoft Press
%O   U$9.99 800-MSPRESS fax: 206-936-7329 mspinput@microsoft.com
%O   http://www.amazon.com/exec/obidos/ASIN/0735668833/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/0735668833/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0735668833/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   100 p.
%T   “Security and Privacy for Microsoft Office 2010 Users”

Reducing the complex jargon in the introduction to its simplest terms, this book is intended to allow anyone who uses the Microsoft Office 2010 suite, or the online Office 365, to effectively employ the security functions built into the software.  Chapter one purports to present the “why” of security, but does a very poor job of it.  Company policy is presented as a kind of threat to the employee, and this does nothing to ameliorate the all-too-common perception that security is there simply to make life easier for the IT department, while it makes work harder for everyone else.

Chapter two examines the first security function, called “Protected View.”  The text addresses issues of whether or not you can trust a document created by someone else, and mentions trusted locations.  (Trusted locations seem simply to be defined as a specified directory on your hard drive, and the text does not discuss whether merely moving an unknown document into this directory will magically render it trustworthy.  Also, the reader is told how to set a trusted location, but not an area for designating untrusted files.)  Supposedly “Protected View” will automatically restrict access to, and danger from, documents you receive from unknown sources.  Unfortunately, having used Microsoft Office 2010 for a couple of years, and having received, in that time, hundreds of documents via email and from Web sources, I’ve never yet seen “Protected View,” so I’m not sure how far I can trust what the author is telling me.  (In addition, Tulloch’s discussion of viruses had numerous errors: Concept came along five years before Melissa, and some of the functions he attributes to Melissa are, in fact, from the CHRISTMA exec over a decade earlier.)

Preparation of policy is promised in chapter three, but this isn’t what most managers or security professionals would think of as policy: it is just the provision of a function for change detection or digital signatures.  It also becomes obvious, at this point, that Microsoft Office 2010 and Office 365 can have significantly different operations.  The material is quite confusing with references to a great many programs which are not part of the two (2010 and 365) MS Office suites.

Chapter four notes the possibility of encryption with a password, but the discussion of rights is unclear, and a number of steps are missing.

An appendix lists pointers to a number of references at Microsoft’s Website.

The utility of this work is compromised by the fact that it provides instructions for functions, but doesn’t really explain how, and in what situations, the functions can assist and protect the user.  Any employee using Microsoft Office will be able to access the operations, but without understanding the concepts they won’t be able to take advantage of what protection they offer.

copyright, Robert M. Slade   2012     BKSCPRO2.RVW   20121122
