Social Engineering Tips

Cleaning crews and Keyloggers, oh my!

 

Capture The Flag competitions are very useful ways to rethink a problem and find creative solutions to a challenge. The Social Engineering CTF made me think about a few angles I hadn’t considered before. Top item on the flag list: is IT Support handled in house or outsourced? All the way down to what technology the company is using. What’s contained in the photograph are potential attack vectors or key bits of information that could lead to exploitable opportunities. Take a gander.

 

Say Cyber one more time…

IT Security’s love hate relationship with the word Cyber

I attended DefCon 22 and as usual it was great! However, the word Cyber brewed controversy and passionate debates. One presentation by Keren Elazari thoroughly summarized the word’s roots and explained its essence. Others carried flasks embracing liquid alcohol yumminess upon the mere mention of the word.

 

I personally say it’s here as long as it’s used correctly but not too frequently. Do you hate the word? Have you played the Cyber drinking game? Or do you embrace it like a warm Snuggie?

DefCon 22 participant custom made T-shirt

How to suck at setting up an Information Security Awareness training program for your organization

In my 20+ years of working in IT Security I have seen great programs and completely non-existent programs. Most organizations I’ve worked for have yearly Ethics Training but no end-user/employee-based IT Security training. Organizations understand damage to reputation and fines for ethics violations but are still ignorant of the very real risk of damage to reputation or fines resulting from data breaches. Ethics training is just as important and can go hand in hand with a robust IT Security awareness program.

1. Start an awareness program without full executive/management buy-in.
   a. New is change and change is scary. If you have buy-in at a high level, employees will have more confidence in the program.
   b. Added bonus: higher visibility with D$cision Makers!

2. Start an Information Security Awareness training program just to check a box.
   a. If your organization doesn’t take it seriously, your employees won’t either.

3. Start an Information Security Awareness training program with no budget.
   a. An Information Security Awareness training program is risk mitigation.
   b. Your CEO is averting or minimizing that horrible press release when your customer database is posted to PasteBin! This will make their lives easier.
   c. Post-it note IT Security awareness “posters” by the coffee machine might work for an office with a few people, maybe.

4. Assume Information Technology or Information Security is solely responsible for data protection.
   a. Every employee is entrusted with valuable data; everyone in the organization should protect it.

5. Inability of management or employees to understand the value of the data they are entrusted with.
   a. That new research and development into nanotechnology whatever is worth money, at least as much as your company has spent on R&D.

6. Assume IT or IT Security personnel are trainers and can train employees.
   a. These are IT/IT Security professionals, not Professional Trainers.
   b. If IT or IS must train employees, train-the-trainer must be funded for the program to be successful.

7. Pay an outside consulting firm to start an awareness program without actual knowledge of your business.
   a. Knowing your business means you can observe how technology is utilized by business units.

8. Internally start an awareness program without asking the business units.
   a. Same as #6. Get to know your business units’ higher-risk targets; for example, the personal assistants to upper management or C-level executives are also targets.

9. Assume a logon splash screen (“Use this computer or network for business only!”) constitutes a proper Information Security Awareness training program.
   a. How many people actually read those warnings on a regular basis? I log in before coffee, so I know I don’t.

10. Enforce usage guidelines without a complementary Information Security Awareness training program.
   a. “You are being written up for X,” says HR. “But I didn’t even know X was wrong to do?!” says the employee. Otherwise known as: don’t hit people with a big stick if they don’t know what they did wrong.

How to get on a USA Government Surveillance list

Use any advanced search techniques in Google and you’re a Cyber-Terrorist

A recent warning posted to USA law enforcement listing advanced Google search techniques as indicators of Cyber-Terrorism is slightly chilling. Thanks to Sadly, This Is Not The Onion, where I saw this story. The advanced techniques are old-school ways of ensuring you return only the filtered data you want, more accurately. Google Dorking, as it’s called in slang, is a method of searching for a specific keyword under specific conditions. For example, to search only the website CNN.com for the keyword LolCats, in Dorking terms: site:CNN.com + “LolCats”.

Sean Gallagher from Ars Technica commented that he believed the notice is meant to be more of a wake-up call to make law enforcement IT more aware of the techniques. I slightly disagree and saw only FUD in the law enforcement notice. The commentary on the same story also mentions how using advanced Google searches has already landed some reporters in trouble, wrongfully accused of criminal activity due to massive technology misunderstandings. Using a search engine is not illegal, at least not yet.

My advice if you are in law enforcement agency IT: learn more about Open Source Intelligence and disregard FUD notices written by technologically challenged policy makers. Here are ten friendly tips to help find or protect your internet-exposed assets:

  1. Keep all public-facing digital assets updated and harden them. There is no reason why you should be running old, weak crud on the internet.
  2. Read Apache Security if you are running an Apache web server.
  3. Read How to Improve Security on the Edge with Windows Web Server 2008 and Internet Information Services, along with the security guidance for IIS, if you are running Windows Server.
  4. Best option: rent space on Amazon AWS or Microsoft Azure. They have DDoS defenses and can get an inexpensive, current server version up and running. This gets a web server off your network cheaply, with defenses available, and limits damage to reputation only, with no information leakage. Also, if hardware breaks there is no interruption for the most part, and they fix everything within tight service level agreements.
  5. Scan your public servers and internal servers with Evil FOCA from Informatica64. Scan all your domains, download all documents, analyze them and take a look at what you have up for the public to see and the baddies to exploit. Review your metadata exposure.
  6. Google Dorking is a good passive reconnaissance tool, but if I wear my Ethical Hacker Hat I wouldn’t use it before committing a crime. I would move to non-tracking search engines such as DuckDuckGo.com, combined with untraceable connections several hops away. Run regular searches using different search engines to learn your public exposure.
  7. Use ShodanHQ against your domain, IP range and keywords by using a filter. I love Shodan. Try a super-advanced search word like: police. I’m disappointed but not surprised: Owen Sound Police Services – FirePro event data server and Wildwood Crest Police webmail server. Try to limit the amount of data available on your public-facing assets. Please don’t advertise so obviously unless you are running a Honeypot!
  8. If budgets have your IT bogged down, network and pool external resources and contractors. What if four departments could share one full-time, traveling IT Security contractor?
  9. Cover all web-enabled cameras when not in use, especially in interrogation rooms!
  10. Read the SANS Internet Storm Center Diary every day and listen to the podcast.

 

Using Google Dorking or any other advanced internet search is not illegal, nor an indicator of cyber terrorism. However, exposing private IT assets to the internet without proper hardening helps no one but criminals.

Python Adventures – 05

Following the free e-book Learn Python the Hard Way and getting down the basics of Python. Exercise 1: A Good First Program is about writing your very first Hello World! program.

 

Bring up Canopy in Ubuntu or Windows and start a new script.

# -*- coding: utf-8 -*-
# Python 2 print statements, as used in Learn Python the Hard Way
print "Hello there world!"
print "Hello back to you!"
print "I like typing with you."
print "Typing back is fun."
print 'Yay! Printing lines with Python.'
print 'Um, I'm not touching "that!"'   # the apostrophe in I'm ends the single-quoted string: syntax error
print 'I thought you "liked" Pythons? "wink, wink, nudge nudge" '
print 'The language Python and that dear Sir is definitely not a "Python"!'

 

If all goes well you should see a similar result:

My PowerShell acted a little funny and changed some characters:

However, with the assistance of a colleague at ServerCare.nl, a PowerShell guru, I learned an important lesson: characters might look the same but are not. For instance, the < " > I typed versus the one on a website. At first I tried to type out the script, but it didn’t work; I kept getting syntax errors. When I copied from the exercise website, it worked in Canopy. When I rewrote everything except the quote structure, it worked in Canopy. When I ran it in PowerShell: strange characters. As in real life, one sometimes must employ escape techniques around a Python. These are called escape characters: a backslash in front of a “double quote” turns it into just a character inside the string.

 

The corrected Python:

# -*- coding: utf-8 -*-
print "Hello there world!"
print "Hello back to you!"
print "I like typing with you."
print "Typing back is fun."
print 'Yay! Printing lines with Python.'
print "Um, I\'m not touching that!"    # \' is a literal apostrophe
print "I thought you \"liked\" Pythons? \"wink, wink, nudge nudge\" "    # \" is a literal double quote
print 'The language Python and that dear Sir is definitely not a \"Python\"!'

 

The corrected PowerShell output:


 

I had to jump ever so slightly beyond this exercise to Exercise 10: What Was That? to get a better handle on escape characters.
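An added example (not from the exercise or this post) that makes the “looks the same but isn’t” problem visible: it lists typographic quote characters by code point, shows that Python’s own parser rejects them, and shows that the backslash escape fixes the apostrophe inside a single-quoted string. Python 3 syntax; the sample lines are constructed.

```python
# Added example (not from Learn Python the Hard Way or the post): show why
# pasted quote characters break a script and how a backslash escape fixes
# the apostrophe-inside-single-quotes line. Python 3 syntax.
import ast
import unicodedata

# Typographic quotes that web pages, word processors and some terminals
# substitute for the ASCII ' and " that Python expects (assumed set).
SMART_QUOTES = {
    "\u2018": "'", "\u2019": "'",   # left/right single quotation mark
    "\u201c": '"', "\u201d": '"',   # left/right double quotation mark
}


def find_smart_quotes(source):
    """Return (line, column, unicode name) for every typographic quote."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in SMART_QUOTES:
                hits.append((lineno, col, unicodedata.name(ch)))
    return hits


def normalize_quotes(source):
    """Replace typographic quotes with their ASCII equivalents."""
    return "".join(SMART_QUOTES.get(ch, ch) for ch in source)


def parses(source):
    """True if Python's parser accepts the source, False on SyntaxError."""
    try:
        ast.parse(source)
        return True
    except SyntaxError:
        return False


# Constructed sample: two exercise lines as a browser renders them, with
# U+201C/U+201D and U+2018/U+2019 instead of ASCII quotes.
PASTED = ("print(\u201cHello there world!\u201d)\n"
          "print(\u2018Yay! Printing lines with Python.\u2019)\n")
# The apostrophe in I'm terminates the single-quoted string ...
UNESCAPED = "print('Um, I'm not touching that!')\n"
# ... unless it is escaped, which is what the corrected script does.
ESCAPED = "print('Um, I\\'m not touching that!')\n"

if __name__ == "__main__":
    for lineno, col, name in find_smart_quotes(PASTED):
        print("line %d col %d: %s" % (lineno, col, name))
    print("pasted parses:", parses(PASTED))
    print("normalized parses:", parses(normalize_quotes(PASTED)))
    print("unescaped:", parses(UNESCAPED), "escaped:", parses(ESCAPED))
```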

 

Off to the next exercise and adding in fun with data.

Python Adventures – 04

Getting a data set to play with!!!!!

The Data-Driven Security book uses free tools and sources. In Chapter 3 the fun begins by gathering some data. The authors begin with AlienVault’s open source reputation database. It’s updated hourly, and I noticed it is sometimes not available on the hour, possibly due to traffic load.

I used the following Python script, also stored on GitHub (to be linked), to get the AlienVault data:

# -*- coding: utf-8 -*-
# Similar to Listing 3-1
import os
import os.path
import sys
import urllib

os.chdir(os.path.expanduser("~") + "/book/ch03")

# Similar to Listing 3-3
# URL for the AlienVault IP Reputation Database (OSSIM format)
# storing the URL in a variable makes it easier to modify later
# if it changes. NOTE: I chose a direct URL because I don't
# know any better.
avURL = "http://reputation.alienvault.com/reputation.data"

# path for the downloaded data (an absolute Windows path; a raw string so
# the backslashes are not interpreted as escape sequences)
avRep = r"D:\Python\Data Driven Security/reputation.data"

# download the file only if a copy is not already on disk
if not os.path.isfile(avRep):
    urllib.urlretrieve(avURL, avRep)

To update once a day, I scheduled a Windows task. This is only the start! My version of Windows can’t update more often via the GUI, and I should be able to improve this so I can script what I need.

I scheduled the task to run the script daily at 39 minutes after a random hour.


I am puzzled about the lack of HTTPS and/or a more secure method for feeding trusted, verified reputation data, either directly into a SIEM like OSSIM or via the website. I used a tool called EvilGrade way too much in the past (with permission), which makes me twitchy regarding insecure updates. There is an awesome write-up on pivoting attacks with EvilGrade.
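As an added example (not this post’s script and not the Data-Driven Security book’s code), here is a defender-side version of the fetch that addresses the insecure-update concern: it refuses anything but HTTPS, validates the file before it replaces the copy a SIEM or analysis script reads, writes it atomically, and records a SHA-256 for audit. The record layout of reputation.data assumed here is not stated in the post, and the sample records are constructed; Python 3.

```python
import hashlib
import ipaddress
import os
import tempfile
import urllib.request

# Assumed layout of reputation.data (not stated in the post): one record per
# line, fields separated by '#', first field an IPv4 address, then two small
# integers (reliability, risk), then free-text fields. Adjust if the feed differs.
MIN_FIELDS = 4


def validate_feed(data):
    """Return the number of records, or raise ValueError on the first bad line."""
    count = 0
    for lineno, line in enumerate(data.decode("utf-8").splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("#")
        if len(fields) < MIN_FIELDS:
            raise ValueError("line %d: expected at least %d fields" % (lineno, MIN_FIELDS))
        ipaddress.IPv4Address(fields[0])  # AddressValueError (a ValueError) on garbage
        if not (fields[1].isdigit() and fields[2].isdigit()):
            raise ValueError("line %d: reliability/risk are not integers" % lineno)
        count += 1
    if count == 0:
        raise ValueError("feed is empty")
    return count


def is_valid_feed(data):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_feed(data)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def install_feed(data, dest):
    """Validate, then atomically replace dest; return (records, sha256 hex digest)."""
    records = validate_feed(data)
    digest = hashlib.sha256(data).hexdigest()
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)))
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.replace(tmp, dest)  # a half-written download never becomes the live copy
    return records, digest


def fetch_feed(url, dest, timeout=30):
    """Download over HTTPS only (the post's plain-HTTP URL is refused) and install."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing non-HTTPS feed URL: " + url)
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # default context verifies the cert chain
        return install_feed(resp.read(), dest)


# Constructed sample records (documentation IP ranges, not real indicators).
SAMPLE_FEED = (b"203.0.113.5#4#2#Scanning Host#XX#Somewhere#0.0,0.0#11\n"
               b"198.51.100.7#6#3#Malicious Host#XX#Somewhere#0.0,0.0#11\n")
BAD_FEED = b"203.0.113.5#4#2#Scanning Host#XX\nnot-an-ip#4#2#Scanning Host#XX\n"


def demo():
    """Install the sample feed into a temp dir; return (records, digest, bytes on disk)."""
    dest = os.path.join(tempfile.mkdtemp(), "reputation.data")
    records, digest = install_feed(SAMPLE_FEED, dest)
    with open(dest, "rb") as f:
        return records, digest, f.read()
```

A scheduled task would call fetch_feed with an HTTPS URL and the destination path instead of running urlretrieve directly.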

 

I’m certain there are better methods of scripting this. I made a basic variation from the DDS book. I want to improve on this script and comments and ideas are welcomed.

Python Adventures – 03

Sharing code and delving into Python & Pandas.

My GitHub repository (which I must reorganize prior to sharing a link) is where I will endeavor to post a copy of all the code I create for my Python Adventures. I look forward to open reviews and improvements.

 

The Python & Pandas example based on Data-Driven Security Listing 2-2:

# Python & Pandas data frame example similar to Data-Driven Security Listing 2-2
import numpy as np
import pandas as pd

# create a new data frame of 5 IT and OT assets and vulnerability counts
assets_df = pd.DataFrame({
    "name": ["ControlRoom-PC001", "PLC-002", "RTU-003", "DCS-004", "FilePrint-SVR005"],
    "os": ["WinXP", "Fatek", "GE_D20MX", "DLink_DCS-2000", "W2K8"],
    "highvulns": [25, 5, 12, 6, 0]
})

# review the data frame structure & content
print(assets_df.dtypes)
print(assets_df.head())

# shows a sample or slice of the available operating systems input
print(assets_df.os.head())

# add a new column with IP address information
assets_df['ip'] = ["10.10.1.2", "10.10.2.2", "10.10.3.3",
                   "10.10.2.4", "10.10.4.5"]

# display only assets with greater than 10 high vulnerabilities (new column included)
print(assets_df[assets_df.highvulns > 10].head())

# categorize assets in zones and add a new column
assets_df['zones'] = np.where(
    assets_df.ip.str.startswith("10.10.2"), "Zone1", "Zone2")

# final inspection of the result
print(assets_df.head())

If all goes well the output should look something like:

What is nice about Python with Pandas is the clean output layout. When I do the same thing in R, there is no table layout without extra work, which makes it more difficult to read through. This matters more when handling larger sets of data with limited knowledge of Python and R.

Why did I pick Operations Technology (OT) and IT resources? OT is what runs much of our physical world nowadays, not shiny IT like new servers or laptops. IT controls our virtual selves and our data, not, for example, traffic lights, railway signaling, medical equipment or factories. For this reason, I will be presenting Confessions of an IT/OT Hacker at the European Industrial Control Systems Summit, Royal Aeronautical Society, London, UK, 22 & 23 September 2014. Everyone in IT should familiarize themselves with the basics of Industrial Control Systems.

 

Python Adventures – 02

The noob in me says I should read the instructions first; the engineer in me says I can figure it out, I don’t need no stinking instructions! How quickly I forget the last time I attempted this method with Ikea kitchen cabinets, um... Moving swiftly along; I fixed my Windows RStudio installation issues. I had the strange assumption that RStudio would come with R, similar to how Visual Studio comes with C#. Assumptions and IT rarely work out well.

R goes hand in hand with Python if you want to break out of metrics beyond averages and use a normal distribution or standard deviation. If you want to crunch juicy, more advanced numbers, R is the way to go. I’m new to R and I know just enough statistics to be slightly mathematically dangerous.

Remember, numbers are your friend; they justify the return on IT Security investment, i.e. your paycheck.

To download R, go to the CRAN project page and choose a close mirror for the newest package, which is R-3.1.1 for Windows 32/64. Although the title of the package screams security vulnerabilities, my version was patched as of 2014-08-18, the day I downloaded it. Once R is downloaded and installed, RStudio can be installed and works straight away on Windows.

Let’s say I have 5 assets and I want to put them in a data frame with vulnerability counts:

#R data frame example similar to Data-Driven Security Listing 2-1
#create a new data frame of 5 IT and OT assets and vulnerability counts
assets.df <- data.frame(
  name=c("ControlRoom-PC001","PLC-002","RTU-003","DCS-004","FilePrint-SVR005"),
  os=c("WinXP","Fatek","GE_D20MX","DLink_DCS-2000","W2K8"),
  highvulns=c(25,5,12,6,0))
#review the data frame structure & content
str(assets.df)
#review assets as now added in
head(assets.df)
#shows a sample or slice of the available operating systems input
head(assets.df$os)
#Addition of a new column with IP address information
assets.df$ip <- c("10.10.1.2","10.10.2.2","10.10.3.3",
                  "10.10.2.4", "10.10.4.5")
#Display assets only with greater than 10 high vulnerabilities (new column included)
head(assets.df[assets.df$highvulns>10,])
#Categorize assets in zones and add a new column
assets.df$zones <- ifelse(grepl("^10.10.2",assets.df$ip),"Zone1","Zone2")
#final inspection of code input
head(assets.df)

If all goes well your run output will look like this:

> #R data frame example similar to Data-Driven Security Listing 2-1
> #create a new data frame of 5 IT and OT assets and vulnerability counts
> assets.df <- data.frame(
+   name=c("ControlRoom-PC001","PLC-002","RTU-003","DCS-004","FilePrint-SVR005"),
+   os=c("WinXP","Fatek","GE_D20MX","DLink_DCS-2000","W2K8"),
+   highvulns=c(25,5,12,6,0))
> 
> #review the data frame structure & content
> str(assets.df)
'data.frame':    5 obs. of  3 variables:
 $ name     : Factor w/ 5 levels "ControlRoom-PC001",..: 1 4 5 2 3
 $ os       : Factor w/ 5 levels "DLink_DCS-2000",..: 5 2 3 1 4
 $ highvulns: num  25 5 12 6 0
> #review assets as now added in
> head(assets.df)
               name             os highvulns
1 ControlRoom-PC001          WinXP        25
2           PLC-002          Fatek         5
3           RTU-003       GE_D20MX        12
4           DCS-004 DLink_DCS-2000         6
5  FilePrint-SVR005           W2K8         0
> #shows a sample or slice of the available operating systems input
> head(assets.df$os)
[1] WinXP          Fatek          GE_D20MX       DLink_DCS-2000 W2K8          
Levels: DLink_DCS-2000 Fatek GE_D20MX W2K8 WinXP
> #Addition of a new column with IP address information & new column
> assets.df$ip <- c("10.10.1.2","10.10.2.2","10.10.3.3",
+                   "10.10.2.4", "10.10.4.5") 
> #Display assets only with greater than 10 high vulnerabilities & new column
> head(assets.df[assets.df$highvulns>10,])
               name       os highvulns        ip
1 ControlRoom-PC001    WinXP        25 10.10.1.2
3           RTU-003 GE_D20MX        12 10.10.3.3
> #Categorize assets in zones and add a new column
> assets.df$zones <- ifelse(grepl("^10.10.2",assets.df$ip),"Zone1","Zone2")
> #final inspection of code input
> head(assets.df)
               name             os highvulns        ip zones
1 ControlRoom-PC001          WinXP        25 10.10.1.2 Zone2
2           PLC-002          Fatek         5 10.10.2.2 Zone1
3           RTU-003       GE_D20MX        12 10.10.3.3 Zone2
4           DCS-004 DLink_DCS-2000         6 10.10.2.4 Zone1
5  FilePrint-SVR005           W2K8         0 10.10.4.5 Zone2
>

Python Adventures – 01

I completed Learn Python the Hard Way Exercise 0: The Setup & Appendix A: Command Line Crash Course by Zed A. Shaw. The command line section was a refresher, but I’m unfamiliar with using PowerShell vs a command prompt in Windows and I had never used pushd and popd before. Something new is always cool. There was one caveat with my PowerShell: -p didn’t work for me, I had to use -path instead.

I figured it best to download the Data-Driven Security book code from Wiley as I’m prone to typos. That way I can test the clean, working code if my results fail epically. Prior to moving forward to chapter 3 of the book, one must delve deep into the Data Frame. The book code had Python Listing 2-2, but I’m having trouble with 2-1, 2-3 & 2-4 due to my Windows RStudio installation.

Nothing helps installation frustration like reference materials.

Short Introductions to Python, Pandas and R references:

Learn Python in 10 minutes by Stavros Korokithakis

10 Minutes to Pandas by the Pandas Development Team

A (Very) Short Introduction to R by Paul Torfs & Claudia Brauer (SHA256: d847c553386deaf8e85a718c91ef5ec122d31d3faf4c291b5a1f6e1ceb8ab5d2)

The R Markdown cheat sheet by RStudio

Python Adventures – Setup

I’m following the book Learn Python the Hard Way, recommended by @stevemcgrath. I want to tackle some serious data for security analytics using Python and R as well. Ultimately, I wish to create some cool, easy-to-understand visualizations. The main goal is to complete the book Data-Driven Security and kick some serious security data analytics.

First, I started by installing Canopy 64-bit on Windows 8.1 and Ubuntu 14.04. This sounds easy; it wasn’t. Neither OS installation worked out of the box. I adjusted the graphics options in Canopy on both operating systems via: Main Screen, Edit, Preferences, Python, Inline (SVG). I will show that both operating systems are feasible.

I then ran the following verification check per Data-Driven Security:

 

import pandas as pd
import numpy as np

np.random.seed(1492)
test_df = pd.DataFrame({ "var1": np.random.randn(5000) })
test_df.hist()


In Windows, I kept getting an openpyxl versioning error. This took a while to solve. After a few uninstall/re-install cycles and “Kernel died, restarting” errors, it all worked!

In Linux, I ran into matplotlib, openpyxl and freetype version errors.

To solve the freetype & matplotlib errors, I found a solution posted by user3888817 on Stack Exchange:

enpkg --no-deps matplotlib 1.2.1
enpkg --no-deps libpng 1.2.40
enpkg --no-deps freetype 2.4.4

 

To solve the openpyxl errors, I can’t remember where I found it:

sudo apt-get install mercurial

 

To install R, I went to R Studio Desktop Download for Windows

 

To install in Ubuntu I went to the Ubuntu Software Center, RStudio

To install ggplot2, at a terminal session:

 

sudo apt-get install r-base-core

R

In R:

install.packages("ggplot2")

 

To verify your R installation, run inside R:

 

library(ggplot2)
set.seed(1492)
test.df = data.frame(var1=rnorm(5000))
ggplot(data=test.df) + geom_histogram(aes(x=var1))

 


 

 

Python and R are now both installed!!!