Enhanced Nigerian scam – linkedin style

Linkedin is a much better platform for Nigerian scammers: They now have my first and last name, information about me, etc. So they can craft the following letter (sent by this guy):

Hello Aviram Jenik,

I am Dr Sherif Akande, a citizen of Ghana, i work with Barclay’s Bank Ltd, Ghana. I have in my bank Existence of the Amount of money valued at $8.400,000.00, the big hurt Belongs to the customer, Peter B.Jenik, who Happen To Have The Same name as yours. The fund is now without any Claim Because, Peter B.Jenik, in a deadly earthquake in China in 2008. I want your cooperation so that bank will send you the fund as the beneficiary and located next of kin to the fund.

This transaction will be of a great mutual assistance to us. Send me your reply of interest so that i will give you the details. Strictly send it to my private email account {sherifakande48@gmail.com} or send me your email address to send you details of this transaction.

At the receipt of your reply, I will give you details of the transaction.I look forward to hear from you. I will send you a scan copy of the deposit certificate.

Send me an email to my private email account {sherifakande48@gmail.com}for more details of the transaction.

Sincerely,
Best Regard’s
Dr Sherif Akande.
Here is my number +233548598269


CyberSec Tips – “Computer Maintenance Department”

I got a call today from “James,” of the “computer maintenance department.”

I suppose this may work better against those who actually have a computer maintenance department.  Since I’m self-employed, it’s pretty obvious that this is phony.  Sometimes, though, “James” or his friends call from Microsoft or other such possibilities.

Just in case anyone doesn’t know, these calls are fraudulent: attempts to get you to damage your own computer, or to install something nasty.  They can then charge you for spurious repairs, add you to a botnet, or mine your computer for account information.

Oh, and also, as chance would have it, today I got my first completely automated spam/fraud/telemarketing call: a computer generated voice and voice response system, asking how I was, and then, when I didn’t respond, was I there.  Probably would have been fun to try and push the limits of its capability, but I didn’t have time …


Cyberbullying, anonymity, and censorship

Michael Den Tandt’s recent column in the Vancouver Sun is rather a melange, and deserves to have a number of points addressed separately.

First, it is true that the behaviours the “cyberbullying” bill address, those of spreading malicious and false information widely, generally using anonymous or misleading identities, do sound suspiciously close to those behaviours in which politicians engage themselves.  It might be ironic if the politicians got charged under the act.

Secondly, whether bill C-13 is just a thinly veiled re-introduction of the reviled C-30 is an open question.  (As one who works with forensic linguistics, I’d tend to side with those who say that the changes in the bill are primarily cosmetic: minimal changes intended to address the most vociferous objections, without seriously modifying the underlying intent.)

However, Den Tandt closes with an insistence that we need to address the issue of online anonymity.  Removing anonymity from the net has both good points and bad, and it may be that the evil consequences would outweigh the benefits.  (I would have thought that a journalist would have been aware of the importance of anonymous sources of reporting.)

More importantly, this appeal for the banning of anonymity betrays an ignorance of the inherent nature of networked communication.  The Internet, and related technologies, have so great an influence on our lives that it is important to know what can, and can’t, be done with it.

The Internet is not a telephone company, where the central office installs all the wires and knows at least where (and therefore likely who) a call came from.  The net is based on technology which is designed, from the ground up, in such a way that anyone, with any device, can connect to the nearest available source, and have the network, automatically, pass information to or from the relevant person or site.

The fundamental technology that connects the Internet, the Web, social media, and pretty much everything else that is seen as “digital” these days, is not a simple lookup table at a central office.  It is a complex interrelationship of protocols, servers, and programs that are built to allow anyone to communicate with anyone, without needing to prove your identity or authorization.  Therefore, nobody has the ability to prevent any communication.

There are, currently, a number of proposals to “require” all communications to be identified, or all users to have an identity, or prevent anyone without an authenticated identity from using the Internet.  Any such proposals will ultimately fail, since they ignore the inherent foundational nature of the net.  People can voluntarily participate in such programs–but those people probably wouldn’t have engaged in cyberbullying in any case.

John Gilmore, one of the people who built the basics of the Internet, famously stated that “the Internet interprets censorship as damage and routes around it.”  This fact allows those under oppressive regimes to communicate with the rest of the world–but it also means that pornography and hate speech can’t be prevented.  The price of reasonable communications is constant vigilance and taking the time to build awareness.  A wish for a technical or legal shortcut that will be a magic pill and “fix” everything is doomed to fail.


CyberSec Tips: Email – Spam – Phishing – example 3 – credit checks

A lot of online security and anti-fraud checklists will tell you to check your credit rating with the credit rating reporting companies.  This is a good idea, and, under certain conditions, you can often get such reports free of charge from the ratings companies.

However, you should never get involved with the promises of credit reports that come via spam.

Oddly, these credit report spam messages have very little content, other than a URL, or possibly a URL and some extra text (which usually doesn’t display) meant only to confuse the matter and get by spam filters.  There are lots of these messages: today I got five in only one of my accounts.

I checked one out, very carefully.  The reason to be careful is that you have no idea what is at the end of that URL.  It could be a sales pitch.  It could be an attempt to defraud you.  It could be “drive-by” malware.  In the case I tested, it redirected through four different sites before finally displaying something.  Those four different sites could simply be there to make it harder to trace the spammers and fraudsters, but more likely they were each trying something: registering the fact that my email address was valid (and that there was a live “sucker” attached to it, worth attempting to defraud), installing malware, checking the software and services installed on my computer, and so forth.

It ended up at a site listing a number of financial services.  The domain was “simply-finances.com.”  One indication that this is fraudulent is that the ownership of this domain name is deeply buried.  It appears to be registered through GoDaddy, which makes it hard to check out with a normal “whois” request: you have to go to GoDaddy themselves to get any information.  Once there you find that it is registered through another company called Domains By Proxy, who exist solely to hide the ownership of domains.  Highly suspicious, and no reputable financial company would operate in such a fashion.

The credit rating link sent me to a domain called “transunion.ca.”  The .ca would indicate that this was for credit reporting in Canada, which makes sense, as that is where I live.  (One of the redirection sites probably figured that out, and passed the information along.)  However, that domain is registered to someone in Chicago.  Therefore, it’s probably fraud: why would someone in Chicago have any insight on contacts for credit reporting for Canadians?

It’s probably fraudulent in any case.  What I landed on was an offer to set me up for a service which, for $17 per month, would generate credit ratings reports.  And, of course, it’s asking for lots of information about me, definitely enough to start identity theft.  There is no way I am signing up for this service.

Again, checking out your own credit rating is probably a good idea, although it has to be done regularly, and it only really detects fraud after the fact.  But going through offers via spam is an incredibly bad idea.


CyberSec Tips: Follow the rules – and advice

A recent story (actually based on one from several years ago) has pointed out that, for years, the launch codes for nuclear missiles were all set to 00000000.  (Not quite true: a safety lock was set that way.)

Besides the thrill value of the headline, there is an important point buried in the story.  Security policies, rules, and procedures are usually developed for a reason.  In this case, given the importance of nuclear weapons, there is a very real risk from a disgruntled insider, or even simple error.  The safety lock was added to the system in order to reduce that risk.  And immediately circumvented by people who didn’t think it necessary.

I used to get asked, a lot, for help with malware infestations, by friends and family.  I don’t get asked much anymore.  I’ve given them simple advice on how to reduce the risk.  Some have taken that advice, and don’t get hit.  A large number of others don’t ask because they know I will ask if they’ve followed the advice, and they haven’t.

Security rules are usually developed for a reason, after a fair amount of thought.  This means you don’t have to know about security, you just have to follow the rules.  You may not know the reason, but the rules are actually there to keep you safe.  It’s a good idea to follow them.

 

(There is a second point to make here, addressed not to the general public but to the professional security crowd.  Put the thought in when you make the rules.  Don’t make stupid rules just for the sake of rules.  That encourages people to break the stupid rules.  And the necessity of breaking the stupid rules encourages people to break all the rules …)


CyberSec Tips: Email – Spam – Fraud – example 4

Sometimes it’s pretty easy to tell a fraud.  Some of these guys are just lazy:

> From:               ”PINILLA, KARINA” <pinillak@friscoisd.org>
> Subject:
> Date sent:          Mon, 2 Dec 2013 22:05:05 +0000

> Do you want your X-mas money and bonus for gift,if Yes contact me at this email:
> david.loanfinancialcomany12@gmail.com

You don’t know this person.  No subject for the message.  No explanation of why they are going to give you money.  (Although the name chosen for the email would seem to indicate that they want to emulate a pay-day loan company–which are pretty much rip-offs anyway.)  Poor grammar and spelling.

A while back someone seriously theorized that this lack of care might be deliberate.  Only stupid people would fall for a “come-on” like this, and it would be easier to defraud stupid people.  Unfortunately, as the song says, the world is full of stupid people …


CyberSec Tips: Email – Spam – Phishing – email accounts – example 1

Sometimes phishers are after more than your bank account or credit cards.  These days a lot of them want your email account.  They can use it to send spam, to your friends, and those friends will trust a message from you.  (That’s a more reliable form of social engineering to get them to install malware on their computers.  Or give up their bank accounts and credit card numbers …)

> Dear user
> Your email has exceeded 2 GB, which is created by Webmaster, you are currently
> running at 2.30GB, you can not Send or receive new messages until you check your
> account.Complete the form below to verify your account.

Sometimes the email phishers will send you this “over quota” message.  Other times it may be that you are, supposedly, sending out malware or spam yourself.

> Please complete the details below to confirm your account
>
> (1) E-mail:
> (2) Name:
> (3) Password:
> (4) Confirm Password:

Here they just flat out ask you for your user name and password.

Spam isn’t the only thing they can do with your account.  These days Web based email accounts can be linked to storage space and other functions.  Google accounts are very valuable, since they give the phishers access to Google+ (with lots of personal information about you), YouTube, and Google Drive (which still has Google Docs in it, and can be used to set up phishing Websites).

Again, watch for telltale signs in the headers:

To:                 Recipients <web@epamig.br>
From:               HELP DESK<web@epamig.br>
Date sent:          Sun, 01 Dec 2013 14:01:47 +0100
Send reply to:      647812717@qq.com

It isn’t “to” you, and the “reply” isn’t the same as the “from.”


CyberSec Tips: E-Commerce – tip details 1 – search engines

Our local paper, like just about everyone else, recently published a set of tips for online shopping.  (They got them from Trend Micro Canada.)  The tips are mostly OK, as far as they go, but I figured they could use a little expansion.

“Don’t rely on search engines to find a shopping site.

“Search results can lead to malicious websites that will take your credit card and other confidential data or infect your computer with a virus. Instead, bookmark reliable online shopping sites.”

As a general rule, it’s best to be careful whenever you go to a site that is new or unknown to you.  However, I’d have to take this tip with a grain of salt.  I did a (Google) search on London Drugs, a chain in Western Canada that is widely known in the tech community for its computer departments (and about which I have written before), and the first five pages gave results that were all from, or legitimately about, that company.  Quick checks on other retailers got similar results.

It makes sense to bookmark a “known good” link if you shop someplace regularly.  But if you are going to a new site, you can get into just as much trouble by guessing at a domain name, or even just fumbling typing the URL.  Fraudsters will register a number of domain names that are very similar to those of legitimate companies; just a character or so off; knowing that slipping fingers will drive people to their sites.  Some of those malicious sites look very much like the real thing.  (Others, promoting all kinds of questionable services and deals, are obviously false.)

Always be careful, and suspicious.  If anything seems off, get out of there, and maybe do a bit of research before you try again.  But don’t just avoid search engines as a matter of course.
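The “a character or so off” problem above is easy to check for mechanically: compare the host you are about to visit against your bookmarked “known good” domains and warn when it is a near miss rather than an exact match. This is an added example, not code from the original post; the bookmark list is constructed for illustration.

```python
# Added example: flag a hostname that is within a couple of edits of a
# bookmarked "known good" shopping domain, the slip-of-the-fingers case
# the post describes. The bookmark list is constructed for illustration.
BOOKMARKS = {"londondrugs.com", "example-shop.ca"}


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalise_host(hostname):
    """Lower-case, drop a trailing dot and a leading 'www.' so that
    'WWW.LondonDrugs.com.' compares equal to 'londondrugs.com'."""
    host = hostname.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def lookalike_warning(hostname, bookmarks=BOOKMARKS, max_distance=2):
    """Return (bookmarked_domain, distance) when the host is a near miss of a
    bookmark (0 < distance <= max_distance), or None for an exact match or an
    unrelated domain. A near miss is exactly what a typo-squatter registers."""
    host = normalise_host(hostname)
    if host in bookmarks:
        return None
    best = None
    for good in bookmarks:
        d = levenshtein(host, good)
        if 0 < d <= max_distance and (best is None or d < best[1]):
            best = (good, d)
    return best


if __name__ == "__main__":
    for h in ("www.londondrugs.com", "londondrug.com", "1ondondrugs.com", "example.org"):
        print(h, "->", lookalike_warning(h))
```

An unrelated domain (large distance) is reported as None on purpose: the check only says “this looks like a mistyped bookmark”, not “this site is safe”.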


CyberSec Tips: Email – Spam – Fraud – example 3

This one is slightly interesting, in that it contains elements of both 419 and phishing.  It’s primarily an advance fee fraud message.  First off, the headers:

> Subject: Dear Winner!!!
> From: CHELPT <inf8@hotline.onmicrosoft.com>
> Date: Thu, 28 Nov 2013 17:45:06 +0530
> Reply-To: <morrluke@careceo.com>
> Message-ID: <XXX.eurprd01.prod.exchangelabs.com>

Again, we see different domains, in particular, a different address to reply to, as opposed to where it is supposed to be from.

> Corporate Headquarters
> Technical Office Chevrolet promotion unit
> 43/45 The Promenade…
> Head Office Chevrolet motors
> 43/45 The Promenade Cheltenham
> Ref: UK/9420X2/68
> Batch: 074/05/ZY369
> Chevrolet Canter, London, SE1 7NA – United Kingdom

My, my, my.  With all that addressing and reference numbers, it certainly looks official.  But isn’t.

> Dear Winner,
>
> Congratulations, you have just won a cash prize of £1,000, 000, 00. One million
> Great British Pounds Sterling (GBP) in the satellite software email lottery.
> On-line Sweepstakes International program held on this day Satur day 23rd
> November 2013 @05:42.PM London time. Conducted by CHEVROLET LOTTERY BOARD in
> which your e-mail address was pick randomly by software powered by the Internet
> send data’s to;
> ——————————————————————————–
> Tell: +44 701 423 4661             Email: morrluke@careceo.com Officer Name: Mr.
> Morrison Luke. CHEVROLET LOTTERY BOARD London UK
> ——————————————————————————–

As usual, you have supposedly won something.  If you reply, of course, there will start to be fees or taxes that you have to pay before the money is released to you.  The amounts will start out small (hey, who wouldn’t be willing to pay a hundred pound “processing fee” in order to get a million pounds, right?) but then get larger.  (Once you’ve paid something, then you would tend to be willing to pay more.  Protecting your investment, as it were.)  And, of course you will never see a cent of your winnings, inheritance, charity fund, etc, etc.

> Below is the claims and verifications form. You are expected to fill and return
> it immediately so we can start processing your claims:
>
> 1. Full Names:
> 2. Residential Address:
> 3. Direct Phone No:
> 4. Fax Number
> 5. Occupation:
> 6. Sex:
> 7. Age:
> 8. Nationality:
> 9. Annual Income:
> 10. Won Before:
> 11. Batch number: CHELPT1611201310542PM
> 12: Ticket Numbers: 69475600545-72113
> 13: Lucky numbers: 31-6-26-13-35-7

But here, they are starting to ask you for a lot of personal information.  This could be used for identity theft.  Ultimately, they might ask for your bank account information, in order to transfer your winnings.  Given enough other data on you, they could then empty your account.

> We wish you the best of luck as you spend your good fortune thank you for being
> part of our commemorative yearly Draws.
>
> Sincerely,
> Mrs. Susan Chris.
> CHEVROLET LOTTERY PROMOTION TEAM.

Oh, yeah.  Good luck on ever getting any of this money.


CyberSec Tips: Email – Spam – Phishing – example 2

Some of you may have a BarclayCard credit card.  You might receive a reminder message that looks like the one below.  (Actually, the only credit card company I know that actually sends email reminders is American Express, which I think is a black mark on their security record.)

> Subject: Barclaycard Payment is due
> From: “Barclaycard” <barclaycard@card.com>
> Received: from smtp.alltele.net

If you look at the message headers, you might note that this message doesn’t come from where it says it comes from, and that’s something of which to beware.

> Your barclaycard payment is due
>
> Visit your card service section below to proceed
> hxxp://www.equivalente.it/rss/re.html

You might also note that, if you do have a BarclayCard, it’s probably because you live in the UK.  And the server they want you to visit is in Italy: .it


CyberSec Tips: Email – Spam – Phishing – example 1

Phishing is pretty constant these days.  One of the tips to identify phishing messages is if you don’t have an account at that particular bank.  Unfortunately, a lot of people who are online have accounts with Paypal, so Paypal is becoming a favourite with phishers.  You’ll probably get a message something like this:

Subject: Your account access has been limited
From: service@paypal.co.uk <notice@paypal6.co.uk>

(You might think twice if you have an account with Paypal in the United States, but this domain is in the UK.)

> PayPal is constantly working to ensure security by regularly screening the
> accounts in our system. We recently reviewed your account, and we need more
> information to help us provide you with secure service. Until we can
> collect this information, your access to sensitive account features will be
> limited. We would like to restore your access as soon as possible, and we
> apologize for the inconvenience.

>    Why is my account access limited?

>    Your account access has been limited for the following reason(s):

> November 27, 2013: We would like to ensure that your account was not
> accessed by an unauthorized third party. Because protecting the security of
> your account is our primary concern, we have limited access to sensitive
> PayPal account features. We understand that this may be an inconvenience but
> please understand that this temporary limitation is for your protection.

>    Case ID Number: PP-197-849-152

> You must click the link below and enter your password for email on the following page to review your account. hxxp://dponsk.ru/wp-admins/.pay/

> Please visit the hxxp://dponsk.ru/wp-admins/.pay Resolution Center and
> complete the Steps to Remove Limitations.

Sounds official, right?  But notice that the URLs given have nothing to do with Paypal.  Also notice, given the .ru domain, that they are in Russia.  Don’t click on those links.  Neither Paypal nor anybody else is going to send you this type of message these days.


CyberSec Tips: Email – Spam – Fraud – example 2

Another advance fee/419 fraud is the lottery.

> Subject: Dear User
> To: Recipients <info@notizia348.onmicrosoft.com>
> From: Alexander brown <info@notizia348.onmicrosoft.com>

Again, your email address, which supposedly “won” this lottery, is missing: this message is being sent to many people.  (If you really had won millions, don’t you think they’d take a bit more care getting it to you?)

> Dear Internet User,
>  We are pleased to inform you again of the result of the Internet Promotional
>  Draws. All email addresses entered for this promotional draws were randomly
>  inputted from an internet resource database using the Synchronized
> Data Collective Balloting Program.

Sounds impressive.  But it really doesn’t mean anything.  In the first place, you never entered.  And why would anyone set up a lottery based simply on random email sent around the net?  There is no benefit to anyone in that, not even as a promotion.

> This is our second letter to you. After this automated computer ballot,your
> email address was selected in Category A with Ref Number: GTL03-2013 and
> E-Ticket Number: EUB/8974IT,this qualifies you to be the recipient of the
> grand prize award sum of (US$2,500,000.00) Two Million, Five Hundred Thousand
> United States Dollars.

This is interesting: it presents still more impressive stuff–that really has no meaning.  It starts by saying this is the second message to you, implying that you missed the first.  This is intended to make you anxious, and probably a bit less questioning about things.  Watch out for anything that tries to rush or push you.

The numbers, of course, are meant to sound official, but are meaningless.

> The payout of this cash prize to you will be subject to the final validations
> and satisfactory report that you are the bona fide owner of the winning email
> address. In line with the governing rules of claim, you are required
> to establish contact with your designated claims agent via email or
> telephone with the particulars below:
> Enquiry Officer: Mr. Samuel Trotti
> Phone: +39 3888146161
> Email: trottioffice@aim.com

Again, note that the person you are to contact is not the one (or even at the same domain) that sent the message.

>  You may establish contact with the Enquiry Officer via the e-mail address above
>  with the information’s necessary: Name:, Address:, Phone:, Cell Phone:, Email:,
>  Alternative Email:, Occupation:, Ref Number and E-Ticket Number. All winnings
>  must be claimed within 14 days from today. After this date all unclaimed funds
>  would be included in the next stake. Remember to quote your reference
>  information in all correspondence with your claims agent.

This is interesting: the amount of information they ask from you means that this might not simply be advance fee fraud, but they might be doing phishing and identity theft, as well.


CyberSec Tips: Email – Spam – Fraud – example 1

A lot of the advance fee fraud (also called 419 or Nigerian scams) these days say you’ve been named in a will:

> Subject: WILL EXECUTION!!!
> To: Recipients <clifordchance08@cliffordchance854.onmicrosoft.com>
> From: Clifford Chance <clifordchance08@cliffordchance854.onmicrosoft.com>

Note in this case that the message is sent “to” the person who sent it.  This is often an indication that many people have been sent the same message by being “blind” copied on it.  In any case, it wasn’t sent specifically to you.

> Late Mr.Robert Adler bequeathed US$20,500,000.00 USD, to you in his will.More
> info,contact your attorney(Clifford Chance Esq) via email
> address:clf.chance@hotmail.com  Tell+44-871-974-9198

This message doesn’t tell you very much: sometimes they have a reference to a recent tragic event.

Note also that the email address you are supposed to contact is not the same address that sent the message.  This is always suspicious.  (So is giving a phone number.)

If you look into the headers, there are more oddities:

> From: Clifford Chance <clifordchance08@cliffordchance854.onmicrosoft.com>
> Reply-To: <clf.chance@hotmail.com>
> Message-ID: <XXXX@SINPR02MB153.apcprd02.prod.outlook.com>

There are not only three different email addresses, but three different domains.  Microsoft owns Hotmail, and Hotmail became Outlook, so it’s possible, but it’s still a bit odd.
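The header checks that run through these posts (a Reply-To at a different domain than the From, a message that isn’t “to” you or is addressed to its own sender, and a brand or address in the display name that doesn’t match the domain the mail really came from, as in the HELP DESK, PayPal and Clifford Chance examples) can be done mechanically. The script below is an added example, not code from the original posts; the sample headers are constructed after the examples quoted above, and the brand list is illustrative.

```python
import re
from email.parser import HeaderParser

# Brand names phishers like to put in the display name. Illustrative list taken
# from the examples on this page, not a real allowlist.
BRANDS = ("paypal", "barclaycard")


def split_address(field):
    """Return (display_name, address) for a header value such as
    'HELP DESK<web@epamig.br>' or 'service@paypal.co.uk <notice@paypal6.co.uk>'.
    The address is lower-cased; the display name keeps its case."""
    if not field:
        return "", ""
    m = re.search(r"<([^>]*)>", field)
    if m:
        return field[: m.start()].strip(" \"'"), m.group(1).strip().lower()
    return "", field.strip().lower()


def domain_of(addr):
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def triage_headers(raw_headers, my_address):
    """Return the warnings these posts look for by eye: Reply-To at a different
    domain than From, a message not addressed to you, a message addressed to its
    own sender, and a display name whose brand or address does not match the
    domain the mail really came from."""
    msg = HeaderParser().parsestr(raw_headers)
    from_name, from_addr = split_address(msg.get("From", ""))
    _, reply_addr = split_address(msg.get("Reply-To", ""))
    _, to_addr = split_address(msg.get("To", ""))
    from_dom = domain_of(from_addr)
    warnings = []

    if reply_addr and domain_of(reply_addr) != from_dom:
        warnings.append(f"Reply-To is at {domain_of(reply_addr)}, From is at {from_dom}")
    if to_addr and to_addr != my_address.lower():
        warnings.append(f"not addressed to you (To: {to_addr}); probably sent in bulk")
    if to_addr and to_addr == from_addr:
        warnings.append("addressed to its own sender")
    # A display name that is itself an address, e.g. service@paypal.co.uk
    if "@" in from_name and domain_of(from_name.lower()) != from_dom:
        warnings.append(f"display name claims {from_name} but real address is {from_addr}")
    # A brand word in the display name that is not a label of the real domain
    labels = from_dom.split(".")
    for brand in BRANDS:
        if brand in from_name.lower() and brand not in labels:
            warnings.append(f"display name mentions {brand} but domain is {from_dom}")
    return warnings


# Constructed samples, modelled on the HELP DESK and PayPal headers quoted above
# (header names normalised to their RFC forms).
HELPDESK = (
    "To: Recipients <web@epamig.br>\n"
    "From: HELP DESK<web@epamig.br>\n"
    "Reply-To: 647812717@qq.com\n"
    "Date: Sun, 01 Dec 2013 14:01:47 +0100\n"
    "Subject: Verify your account\n\n"
)
PAYPAL = (
    "To: me@example.org\n"
    "From: service@paypal.co.uk <notice@paypal6.co.uk>\n"
    "Subject: Your account access has been limited\n\n"
)
CLEAN = (
    "To: me@example.org\n"
    "From: Alice <alice@example.org>\n"
    "Reply-To: alice@example.org\n"
    "Subject: lunch?\n\n"
)

if __name__ == "__main__":
    for name, raw in (("helpdesk", HELPDESK), ("paypal", PAYPAL), ("clean", CLEAN)):
        print(name, triage_headers(raw, "me@example.org"))
```

The HELP DESK sample trips three checks, the PayPal sample two, and an ordinary message none; a mailing list you are subscribed to will legitimately trip the “not addressed to you” check, so treat the output as a prompt to look closer, not a verdict.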


BadBIOS

In recent days there has been much interest in the “BadBIOS” infection being reported by Dragos Ruiu.  (The best overview I’ve seen has been from Naked Security.)  But to someone who has lived through several viral myths and legends, parts of it sound strange.

  • It is said to infect the low-level system firmware of your computer, so it can’t be removed or disabled simply by rebooting.

These things, of course, have been around for a while, so that isn’t necessarily wrong.  However, BIOS infectors never became a major vector.

  • It is said to include components that work at the operating system level, so it affects the high-level operation of your computer, too.
  • It is said to be multi-platform, affecting at least Windows, OS X, and OpenBSD systems.

This sounds a bit odd, but we’ve had cross-platform stuff before.  But they never became major problems either.

  • It is said to prevent infected systems being booted from CD drives.

Possible: we’ve seen similar effects over the years, both intentionally and un.

  • It is said to spread itself to new victim computers using Software Defined Radio (SDR) program code, even with all wireless hardware removed.

OK, it’s dangerous to go out on a limb when you haven’t seen details and say something can’t happen, but I’m calling bullshit on this one.  Not that I don’t think someone couldn’t create a communications channel without the hardware: anything the hardware guys can do the software guys can emulate, and vice versa.  However, I can’t see getting an infection channel this way, at least without some kind of minimal infection first.  (It is, of course, possible that the person doing the analysis may have made a mistake in what they observed, or in the reporting of it.)

  • It is said to spread itself to new victim computers using the speakers on an infected device to talk to the microphone on an uninfected one.

As above.

  • It is said to infect simply by plugging in a USB key, with no other action required.

We’ve seen that before.

  • It is said to infect the firmware on USB sticks.

Well, a friend has built a device to blow off dangerous firmware on USB sticks, so I don’t see that this would present any problem.

  • It is said to render USB sticks unusable if they aren’t ejected cleanly; these sticks work properly again if inserted into an infected computer.

Reminds me somewhat of the old “fast infectors” of the early 90s.  They had unintended effects that actually made the infections easy to remove.

  • It is said to use TTF (font) files, apparently in large numbers, as a vector when spreading.

Don’t know details of the internals of TTF files, but they should certainly have enough space.

  • It is said to block access to Russian websites that deal with reflashing software.

Possible, and irrelevant unless we find out what is actually true.

  • It is said to render any hardware used in researching the threat useless for further testing.

Well, anything that gets reflashed is likely to become unreliable and untrustworthy …

  • It is said to have first been seen more than three years ago on a Macbook.

And it’s taken three years to get these details?  Or get a sample to competent researchers?  Or ask for help?  This I find most unbelievable.

In sum, then, I think this might be possible, but I strongly suspect that it is either a promotion for PacSec, or a promo for some presentation on social engineering.

 


It’s What’s on the Inside that Counts

The last time I checked, the majority of networking and security professionals were still human.

We all know that the problem with humans is that they sometimes exhibit certain behaviors that can lead to trouble – if that wasn’t the case we’d probably all be out of a job! One such behavior is obsession.

Obsession can be defined as an idea or thought that continually preoccupies or intrudes on a person’s mind. I’ve worked with a number of clients who have had an obsession that may, as bizarrely as it seems, have had a negative impact on their information security program.

The obsession I speak of is the thought of someone “breaking in” to their network from the outside.

You’re probably thinking to yourself, how on earth can being obsessed with protecting your network from external threats have a negative impact on your security? If anything it’s probably the only reason you’d want a penetration test in the first place! I’ll admit, you’re correct about that, but allow me to explain.

Every organization has a finite security budget. How they use that budget is up to them, and this is where the aforementioned obsession can play its part. If I’m a network administrator with a limited security budget and all I think about is keeping people out of my network, my shopping list will likely consist of edge firewalls, web-application firewalls, IDS/IPS and a sprinkling of penetration testing.

If I’m a pen tester working on behalf of that network administrator I’ll scan the network and see a limited number of open ports thanks to the firewall, trigger the IPS, have my SQL injection attempts dropped by the WAF and generally won’t be able to get very far. Then my time will be up, I’ll write a nice report about how secure the network is and move on. Six or twelve months later, I’ll do exactly the same test, find exactly the same things and move on again. This is the problem. It might not sound like a problem, but trust me, it is. Once we’ve gotten to this point, we’ve lost sight of the reason for doing the pen test in the first place.

The test is designed to be a simulation of an attack conducted by a malicious hacker with eyes only for the client. If a hacker is unable to break into the network from the outside, chances are they won’t wait around for a few months and try exactly the same approach all over again. Malicious hackers are some of the most creative people on the planet. If we really want to do as they do, we need to give our testing a creativity injection. It’s our responsibility as security professionals to do this, and encourage our clients to let us do it.

Here’s the thing: because both pen testers and clients have obsessed over hackers breaking into stuff for so long, we’ve actually gotten a lot better at stopping them from doing so. That’s not to say that there will never be a stray firewall rule that gives away a little too much skin, or a hastily written piece of code that doesn’t validate input properly, but generally speaking “breaking in” is no longer the path of least resistance at many organizations – and malicious hackers know it. Instead “breaking out” of a network is the new route of choice.

While everyone has been busy fortifying defenses on the way in to the network, traffic on the way out is seldom subject to such scrutiny – making it a very attractive proposition to an attacker. Of course, the attacker still has to get themselves into position behind the firewall to exploit this – but how? And how can we simulate it in a penetration test?

(Figure captions: “What the Pen Tester sees” / “The Whole Picture”)

On-Site Testing

There is no surer way of getting on the other side of the firewall than heading to your client’s office and plugging directly into their network. This isn’t a new idea by any means, but it’s something that’s regularly overlooked in favor of external or remote testing. The main reason for this, of course, is the cost. Putting up a tester for a few nights in a hotel and paying travel expenses can put additional strain on the security budget. However, doing so is a hugely valuable exercise for the client. I’ve tested networks from the outside that have shown little room for enumeration, let alone exploitation. But once I headed on-site and came at those networks from a different angle, the angle no one ever thinks of, I had trouble believing they were the same entity.

To give an example, I recall doing an on-site test for a client who had just passed an external test with flying colors. Originally they had only wanted the external test, which was conducted against a handful of IPs. I managed to convince them that in their case, the internal test would provide additional value. I arrived at the office about an hour and a half early and sat out in the parking lot waiting to go in. I fired up my laptop and noticed a wireless network secured with WEP; the SSID was also the name of the client. You can probably guess what happened next. Four minutes later I had access to the network, and was able to compromise a domain controller via a flaw in some installed backup software. All of this without leaving the car. Eventually, my point of contact arrived and said, “So are you ready to begin, or do you need me to answer some questions first?” The look on his face when I told him that I’d actually already finished was one that I’ll never forget. Just think, had I only performed the external test, I would have been denied that pleasure. Oh, and of course I would have never picked up on the very insecure wireless network, which is kind of important too.

This is just one example of the kind of thing an internal test can uncover that wouldn’t have even been considered during an external test. Why would an attacker spend several hours scanning a network range when they could just park outside and connect straight to the network?

One of my favorite on-site activities is pretending I’m someone with employee level access gone rogue. Get on the client’s standard build machine with regular user privileges and see how far you can get on the network. Can you install software? Can you load a virtual machine? Can you get straight to the internet, rather than being routed through a proxy? If you can, there are a million and one attack opportunities at your fingertips.

The majority of clients I’ve performed this type of test for hugely overestimated their internal security. It’s well documented that the greatest threat comes from the inside, either on purpose or by accident. But of course, everyone is too busy concentrating on the outside to worry about what’s happening right in front of them.

(Figure: Good – Networks should be just as hard to break out of as they are to break in to.)

Fortunately, some clients are required to have this type of testing, especially those in government circles. In addition, several IT security auditing standards require a review of internal networks. The depth of these reviews is sometimes questionable though. Auditors aren’t always technical people, and often the review will be conducted against diagrams and documents of how the system is supposed to work, rather than how it actually works. These are certainly useful exercises, but at the end of the day a certificate with a pretty logo hanging from your office wall won’t save you when bad things happen.

Remote Workers

Having a remote workforce can be a wonderful thing. You can save a bunch of money by not having to maintain a giant office and the associated IT infrastructure. The downside of this is that in many organizations, the priority is getting people connected and working, rather than properly enforcing security policy. The fact is that if you allow someone to connect remotely into the heart of your network with a machine that you do not have total control over, your network is about as secure as the internet. You are in effect extending your internal network out past the firewall to the unknown. I’ve seen both sides of the spectrum, from an organization that would only allow people to connect in using routers and machines that they configured and installed, to an organization that provided a link to a VPN client and said “get on with it”.

I worked with one such client who was starting to rely on remote workers more and more, and had recognized that this could introduce a security problem. They arranged for me to visit the homes of a handful of employees and see if I could somehow gain access to the network’s internal resources. The first employee I visited used his own desktop PC to connect to the network. He had been issued a company laptop, but preferred the big screen, keyboard and mouse that were afforded to him by his desktop. The machine had no antivirus software installed, no client firewall running and no disk encryption. This was apparently because all of these things slowed it down too much. Oh, but it did have a peer-to-peer file sharing application installed. No prizes for spotting the security risks here.

In the second home I visited, I was pleased to see the employee using her company-issued XP laptop. Unfortunately she was using it on her unsecured wireless network. To demonstrate why this was a problem, I joined my testing laptop to the network, fired up a Metasploit session and hit the IP with my old favorite, the MS08-067 NetAPI32.dll exploit module. Sure enough, I got a shell, and was able to pivot my way into the remote corporate network. It was at this point that I discovered the VPN terminated in a subnet with unrestricted access to the internal server subnet. When I pointed out to the client that there really should be some sort of segregation between these two areas, I was told that there was. “We use VLANs for segregation”, came the response. I’m sure that everyone reading this will know that segregation using VLANs, at least from a security point of view, is about as useful as segregating a lion from a Chihuahua with a piece of rice paper. Ineffective, unreliable and will result in an unhappy ending.

(Figure: Bad – The VPN appliance is located in the core of the network.)
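The segregation point above, as an added example that is not part of the original post: a rule-review helper over a constructed firewall ruleset (the VPN pool, server subnet and rules are all assumed values) that flags any-port allow rules from the VPN pool into the server subnet, and evaluates what a single VPN client can actually reach before and after such a rule is removed.

```python
"""Review a rule list for VPN-pool-to-server-subnet rules that allow any port, and
evaluate single flows first-match. Added example, not the post's code; the pool,
the subnet and the rules below are constructed values."""
import ipaddress

VPN_POOL = ipaddress.ip_network("10.99.0.0/24")       # assumption: VPN client addresses
SERVER_SUBNET = ipaddress.ip_network("10.10.0.0/24")  # assumption: internal server subnet

# Constructed ruleset, evaluated top to bottom, first match wins. "ports" is a set of
# TCP ports or the string "any". Rule 20 is the kind of rule the post complains about.
RULES = [
    {"id": 10, "src": "10.99.0.0/24", "dst": "10.10.0.25/32", "ports": {443}, "action": "allow"},
    {"id": 20, "src": "10.99.0.0/24", "dst": "10.10.0.0/24", "ports": "any", "action": "allow"},
    {"id": 30, "src": "10.20.0.0/16", "dst": "10.10.0.0/24", "ports": "any", "action": "allow"},
    {"id": 40, "src": "10.99.0.0/24", "dst": "0.0.0.0/0", "ports": "any", "action": "deny"},
]


def net(cidr):
    return ipaddress.ip_network(cidr)


def flat_vpn_rules(rules, vpn=VPN_POOL, servers=SERVER_SUBNET):
    """Ids of allow rules that let any VPN address reach the server subnet on any port."""
    return [r["id"] for r in rules
            if r["action"] == "allow" and r["ports"] == "any"
            and net(r["src"]).overlaps(vpn) and net(r["dst"]).overlaps(servers)]


def flow_allowed(rules, src, dst, port):
    """First-match evaluation of one TCP flow; anything unmatched is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in net(r["src"]) and d in net(r["dst"]) and (r["ports"] == "any" or port in r["ports"]):
            return r["action"] == "allow"
    return False


def without(rules, rule_id):
    """Copy of the ruleset with one rule removed, to test the effect of a fix."""
    return [r for r in rules if r["id"] != rule_id]
```

With rule 20 present a VPN client reaches every server on every port; once it is removed, only the single service rule 10 permits survives and everything else falls through to the deny.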

Social Engineering

We all know that this particular activity is increasing in popularity amongst our adversaries, so why don’t we do it more often as part of our testing? Well, simply put, a lot of the time this comes down to politics. Social engineering tests are a bit of a touchy subject at some organizations, who fear a legal backlash if they do anything to blatantly demonstrate how their own people are subject to the same flaws as the seven billion others on the planet. I’ve been in scoping meetings where, as soon as the subject of social engineering comes up, I’m stared at harshly and told in no uncertain terms, “Oh, no way, that’s not what we want, don’t do that.” But why not do it? Don’t you think a malicious hacker would? You’re having a pen test right? Do you think a malicious hacker would hold off on social engineering because they haven’t gotten your permission to try it? Give me a break.

On the other hand, I’ve worked for clients who have recognized the threat of social engineering as one of the greatest to their security, and relished the opportunity to have their employees tested. Frequently, these tests result in a greater than 80% success rate. So how are they done?

Well, they usually start off with the tester registering a domain name which is extremely similar to the client’s. Maybe with one character different, or a different TLD (“.net” instead of “.com” for example).

The tester’s next step would be to set up a website that heavily borrows CSS code from the client’s site. All it needs is a basic form with username and password fields, as well as some server-side code to email the contents of the form to the tester upon submission.

(Figure: With messages like this one in an online meeting product, it’s no wonder social engineering attacks are so successful.)

Finally, the tester will send out an email with some half-baked story about a new system being installed, or special offers for the employee “if you click this link and login”. Sit back and wait for the responses to come in. Follow these basic steps and within a few minutes, you’ve got a username, password and employee level access. Now all you have to do is find a way to use that to break out of the network, which won’t be too difficult, because everyone will be looking the other way.
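A defender-side counterpart to the domain trick the steps above rely on (one character different, or the same name under a different TLD), as an added example that is not part of the original post: it classifies sender domains pulled from constructed mail-log lines, with examplecorp.com standing in for the client’s real domain.

```python
"""Flag mail whose sender domain mimics the corporate domain: one character
different, or the same name under a different TLD. Added example, not the
post's code; the domain and the log lines below are constructed for the demo."""
import re

CORPORATE_DOMAIN = "examplecorp.com"  # assumption: stands in for the client's real domain
FROM_RE = re.compile(r"from=<[^@>]+@([^>]+)>")  # sender address in a postfix-style line

# Constructed postfix-style log lines, not real data.
SAMPLE_LOG = """\
Mar 12 09:01:02 mx postfix/smtpd: from=<hr@examplecorp.com> to=<alice@examplecorp.com>
Mar 12 09:03:15 mx postfix/smtpd: from=<it-support@examplecorp.net> to=<bob@examplecorp.com>
Mar 12 09:04:40 mx postfix/smtpd: from=<helpdesk@examp1ecorp.com> to=<carol@examplecorp.com>
Mar 12 09:07:05 mx postfix/smtpd: from=<news@vendor.example> to=<dave@examplecorp.com>
"""


def registrable_parts(domain):
    """Naive split on the last two labels: 'mail.examplecorp.com' -> ('examplecorp', 'com')."""
    labels = domain.lower().rstrip(".").split(".")
    return (labels[0], "") if len(labels) < 2 else (labels[-2], labels[-1])


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain, corporate=CORPORATE_DOMAIN):
    """'legit', 'tld' (same name, other TLD), 'typo' (one edit away) or 'unrelated'."""
    (s_name, s_tld), (c_name, c_tld) = registrable_parts(sender_domain), registrable_parts(corporate)
    if s_name == c_name:
        return "legit" if s_tld == c_tld else "tld"
    return "typo" if edit_distance(s_name, c_name) == 1 else "unrelated"


def suspicious_senders(log_text, corporate=CORPORATE_DOMAIN):
    """Return [(domain, verdict)] for every logged sender that is a lookalike."""
    found = [(m.group(1), classify(m.group(1), corporate))
             for m in FROM_RE.finditer(log_text)]
    return [(d, v) for d, v in found if v in ("tld", "typo")]
```

Against the constructed log this flags examplecorp.net (TLD swap) and examp1ecorp.com (one character changed) and ignores the real domain and an unrelated vendor; the same check applies equally to the display name and reply-to fields in a real mail gateway.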

Conclusion

The best penetration testers out there are those who provide the best value to the client. This doesn’t necessarily mean the cheapest or quickest. Instead it’s those who make the most effective use of their relatively short window of time, and any other limitations they face to do the job right. Never forget what that job is, and why you are doing it. Sometimes we have to put our generic testing methodologies aside and deliver a truly bespoke product. After all, there is nothing more bespoke than a targeted hacking attack, which can come from any direction. Even from the inside.


“Identity Theft” of time

I really should know better.

Last night, hoping that, in two hours, Hollywood might provide *some* information on an important topic, even if limited, I watched “Identity Thief,” a movie put out by Universal in 2013, starring Jason Bateman and Melissa McCarthy.

It is important to point out to people that, if someone phones you up and offers you a free service to protect you from identity theft, it is probably not a good idea to give them your name, date of birth, social security/insurance number, credit card and bank account numbers, and basically everything else about you.  This tip is provided in the first thirty seconds of the film.  After that (except for the point that the help law enforcement might be able to give you is limited) it’s all downhill.  The plot is ridiculous (even for a comedy), the characters somewhat uneven, the situations crude, the relationship unlikely, the language profane, and the legalities extremely questionable.

(The best line in the entire movie is: Sandy – “Do you know what a sociopath is?” Diane – “Do they like ribs?”  I know this may not seem funny, but trust me: it gives you a very good idea of how humorous this movie really is.)
