Category Archives: Operating System Security

How to get on a USA Government Surveillance list

Use any advanced search techniques in Google and you’re a Cyber-Terrorist

A recent warning was posted to USA law enforcement listing advanced Google search techniques as indicators of Cyber-Terrorism is slightly chilling. Thanks to: Sadly, this is not the Onion
saw this story. The advanced techniques are old school ways of ensuing you return only the filtered data you want in a more accurate manner. Google Dorking, as it’s called in slang is a method of searching for a specific keyword in specific conditions. For example, if you want to search only the website CNN.com for the keyword LolCats in Dorking terms is: site:CNN.com + “LolCats”.

Sean Gallagher from ArsTechnica, commented he believed the notice is meant to be more of a wakeup call to make law enforcement IT more aware of the techniques. I slightly disagree and saw only FUD in the law enforcement notice. The same story commentary also mentions how using advanced Google searches has already landed some reporters in trouble and wrongfully accused of criminal activity due to massive technology misunderstandings. Using a search engine is not illegal, at least not yet.

My advice if you are a law enforcement agency IT, learn more about Open Source Intelligence and disregard FUD notices written by technologically challenged policy makers. Here are ten friendly tips to help find or protect your internet exposed assets:

  1. Keep all public facing digital assets updated and harden them. There is no reason why you should be running old, weak crud on the internet.
  2. Apache Security read if you are running an Apache web server.
  3. How to Improve Security on the Edge with Windows Web Server 2008 and Internet Information Services with Security Guidance of ISS Security if you are running Windows Server.
  4. Best option: Rent space on Amazon AWS or Microsoft Azure they have DDoS defenses and can get you an inexpensive, new server version up and running. This gets a web server off your network, cheaply, with defenses available and limits damage only to reputation no information leakage. Also, if hardware breaks, no interruption for the most part and they fix everything within tight time service level agreements.
  5. Scan your public servers and internal servers with Evil FOCA from Informatica64. Scan all your domains, download all documents, analyze and take a look at what you have up for the public to see and the baddies to exploit. Review your metadata exposure.
  6. Google Dorking is a good passive reconnaissance tool but if I wear my Ethical Hacker Hat I wouldn’t use it before committing a crime. I would move to non-tracking search engines such as DuckDuckGo.com also combined with untraceable connections and several hops away. Run regular searches using different search engines to learn your public exposure.
  7. Use ShodanHQ against your domain, IP range and keywords by using a filter. I love Shodan J Try a super advanced search word like: police. I’m disappointed but not surprised: Owen Sound Police Services – FirePro event data server and Wildwood Crest Police webmail server. Try and limit the amount of data available on your public facing assets. Please don’t advertise unless you are running a Honeypot so obviously!
  8. If budgets have your IT bogged down. Network and pool external resources and contractors. What if four departments could share 1 full time, traveling IT Security contractor?
  9. Cover over all Web enabled Cameras when not in use, especially in interrogation rooms!:

  1. Read the SANS Diary Internet Storm Center every day and listen to the Podcast.

 

Using Google Dorking or any other advanced internet searches are not illegal nor indicators of cyber terrorism. However, exposing private IT assets to the internet without proper hardening helps no one but criminals.

Hospital patient insecurity due to lacking patches or decent passwords

This time only 493,000 patients lost their privacy, systems left wide open for years.

A hospital in Gouda, the Netherlands called Groene Hart Ziekenhuis (Green Heart Hospital) had according to Bonnie at the Nederlands Genootschap van Hackende Huisvrouwen (Netherlands Society of Hacking Housewives) and reported to the journalist Brenno de Winter (@brenno) allowed weakly configured servers which contained confidential information accessible to the internet which contained patient data for almost half a million people. These sensitive systems had been left in an insecure state for several years. This is nothing new in the Netherlands; the same group reported a similar data leak involving over 800,000 Dutch citizens and residents at another facility in July, 2012.

Information which was exposed:

  • Patient Name
  • Date of Birth
  • Address
  • Tax ID number (BSN like US Social Security number)
  • Telephone number
  • Patient number
  • Insurance number
  • Diagnosis
  • Medication
  • Lab results
  • X-rays and similar medical imaging
  • Treatment plans

Why was the information accessible?

  1. Unpatched and outdated versions of Microsoft, Adobe Flash and VMWare. Recently the CSIS Denmark released a report that highlighted 99.8 % of malware or virus infections could be mitigated by patching these applications along with Adobe Reader and Java.
  2. The password for the administrator account was ‘groen2000‘. The password is both easily guessable and extremely weak 40 bit strength. Using Jack the Ripper, and a beefed up system could crack the password in seconds. I wonder if 2000 was the last year the systems were patched?

Why are medical facilities, hospitals, insurance companies and doctor offices seemingly so lacking in security and unsympathetic towards patient privacy?

  • Shockingly, the maximum fine in the Netherlands for data breaches is only 4,500 euro. This is cheaper in some cases then implementing anti-virus or buying a decent firewall. My previous Dutch GP once told me without flinching “Our systems are secure because we use MacOS, no anti-virus is needed.” If the punishment is cheaper, way cheaper that remediation I would take a fine any day.
  • DRA the agency tasked with ensuring data privacy and investigating breaches is staffed with about 80 personnel, which includes all support staff whilst the Dutch Animal Police has over 500 officers.

Link to original story:

http://www.nu.nl/binnenland/2927832/groene-hart-ziekenhuis-lekt-medische-dossiers.html

More proof that patching, keeping systems on supportable versions and strong, secured passwords are a basic requirement for you and all organizations. Lastly, Dank uw wel/thank you very much to Bonnie and the
Nederlands Genootschap van Hackende Huisvrouwen, it is good to know we have highly technical, expert, hacker housewives willing to take a risk and help protect our privacy when governments fail to do so.

 

 

 


 

Patches! We don’t need no stinking Patches!

And you thought implementing a vulnerability program was too expensive!

Recently the CSIS Denmark released a report which highlighted 99.8 % of malware or virus infections could be mitigated by patching five key applications. Those applications, some of our favorite:

Internet Explorer – Lots of bells and whistles elements built into the browser which must be kept up-to-date for them all to be as secure as possible. IE is now a very secure browser for the most part, if kept patched! As with all browsers, if there is a dodgy website setup to exploit a browser weakness, unless it is a zero day (rare), patching will protect from this risk and is easy to deploy locally and administratively.

Windows Vista & Server 2003 – Both operating systems need to be kept up-to-date with a roadmap for upgrade to Windows 7 & Server 2008 respectively. If you weren’t aware, most users would rather still use Windows XP over Vista and would love to be upgraded to Windows 7. Both Server 2003 and Windows Vista have been out for a number of years and those naughty cyber-criminal syndicates are very familiar with exploitation. The operating systems are weaker than their upgrade counterparts due to some architectural flaws. An operating system infection is dreadful, you can’t trust any installed applications or the OS itself. They can also take the greatest amount of time and highest cost to remediate.

Adobe Acrobat Reader/Writer – The business, internet, research, and education necessary applications all computer users at one time (or 20 times today) have used much to our delight and frustration. Due to the widespread usage of the apps and lack of patch management they are a juicy, luscious easy target.

Java JRE– Again, widespread usage and lack of general patch management is a driving force behind infections. Also, this application, similar to many Adobe products, suffers from a less than favorable security reputation.

Here how expensive not patching and vulnerability testing is:

You have to call the CEO and or the board to an emergency meeting. A trusted third party supplier infected your network and compromised very publically a primary database of customer information. It seems quite sensitive customer information that is. The CEO and or other higher up well known for arse-chewing or at least the level that can terminate you instantly is on vacation. As an extra bonus, it is 2 am his/her friendly, understanding corporate officer’s local time. No matter if your IT Security department had sign off, documented meetings, warnings etc.… to the upper management or board that a program was needed it will still cost reputation, business and possibly jobs before the dust is all cleared.

If you are new to the topic, a fantastic resource for assistance is Reddit NetSec and need some solid answers. Try to avoid loss from the door being left unlocked to all your organization’s information because of an aged or insecure application that in most cases just needs a free patch. If your patch and vulnerability testing is lacking, get up to speed now. If all else fails, you can learn to use some new tools and update your CV/resume, just in case due to pressures within your organization there is a risk of ever having to make that loud, uncomfortable and/or demoralizing phone call.

There are low cost, awesome, high feature, speedy tools that can be used to express the importance of patching and vulnerability testing. They also have a low learning curve for new users:

Nessus– There is a limited free version which is perfect to perform quick (non) commercial tests. If you contact them and explain you wish to use a demo with more features I’m guessing they will likely send you one. Once you use Nessus it’s a fairly easy sell after presenting the app’s generally solid results.

FOCA-This is one of my favorite tools, always impressed when I use it. It is a succulent, meta-data driven beauty that makes basic to medium level pen testing feel like a holiday on a warm tropical beach during winter. At a push of a button, to paraphrase from their Hack in the Box presentation: Perfect for the lazy pen-tester. FEAR the FOCA!

Belarc Advisor– There are fully functional (free) home and low cost corporate versions. Its HTML based and can be parsed with functions such as displaying software keys, if patches were correctly installed with hyperlinks for rectification, review of user accounts and a custom security score. I have used it for more years than I care to reveal lest I date myself out of the abundant job market.

   
 

   
 

   
 

   
 

   

Android You Broke My Heart, (Pen name: Ry0ki) 2600 Volume 27, Number 4, Winter 2010-2011

It wasn’t Christmas or Arbitrary Day, but there it was my new toy impeccably wrapped and waiting: my new Android cell phone! I was so excited and I carefully peeled back the packing and wrapping layers. My fingers tingled with delight to reveal my new HTC Magic. It was gleaming white with sharp graphics and the promise of storing my life in it; my more organized and productive life. I was able to get over the initial fumbling with the OS and the touch screen over a few weeks and began using my new phone. I filled it with contact information like emails, phone numbers, photos and I transitioned all my contacts from my old phone to the new super shiny one.

Introduction

My big troubles with the operating system on my phone began during a job interview, one with the potential for a lot of money, I might add. The interviewer was horrible, so I wasn’t really expecting a call back for the job. Although for the money, I might have worked there anyways. I’m in IT. I sold my soul years ago, but I digress. I discovered the hard way that my phone had been automatically routing all calls to my voice mail, while at the same time shutting off the notifications for new voice mails or missed calls. Maybe it started a couple of days after the interview. It must have been an unannounced feature called “Silence,” offering peace of mind by never allowing my phone to ring. To add to the complexity of my issue, my cell phone provider automatically erases unsaved voice mail messages after three days. I searched through what I thought was everywhere in the phone to re-enable notification of incoming calls, but I couldn’t find any setting. I figured, “Google, I bought your phone; feed me baby.” I must mention under duress, I didn’t check with my spouse. But that’s another story.

My Heat Crumbling

Within 30 minutes I found two Android forum posts with similar issues. One said do a hard reset. The other said to install a shortcut program called Any Cut and to re-run the initial phone setup. I chose the “run setup” again” route as a couple of people posted that even after the hard reset, the problem came back. The Any Cut solution post said the issue was due to a corrupt configuration file that could only be corrected if you have root level access or re-run setup. I didn’t’ have root level access so I re-ran setup. This is where things began to get a little strange. I went through setup again, but made a fatal mistake! I entered the wrong password for my Gmail account once. Once, only one little itsy bitsy, teenie weenie problem, I got the Android version of the blue screen of death, “Waiting for Sync. Your email will appear shortly.” Everything with the Android OS is based on your Gmail credentials. You don’t need a SIM card for the phone to work, but you must have a Gmail account. Funny thing though… if you run setup again and you enter the wrong credential, you are locked out of a great majority of features on the phone. The only fix per Google; hard reset. Really? Enter your credentials wrong just once and you have to wipe the phone?

What worked and didn’t after invalid credentials presented

My contacts were gone. No contacts listed. I was left with a barren message: “You don’t have any contacts to display. Go to your menu and Edit Sync Group.” I suddenly felt very lonely. My entire call log was fully available, just no names associated with the phone numbers. As I cleared out my log, all numbers incoming or outgoing were listed with dates, times, call length, call status of missed calls if applicable and call direction. I guess root has the contacts properties but any user has the call log. No phone numbers were stored on my SIM by default with Android. There is no menu to force save your contacts to the SIM. The only SIM contacts the Android OS phone was willing to import from my SIM were the cell provider’s default contacts. I am not one to memorize random numbers. I theorize the human brain has a maximum of short and long term memory and there is no use adding useless information. Hence, some contact details I didn’t memorize. I went to check if my SMS messages were available, theorizing they may be because I could see my call log. I thought maybe I could rebuild my contact list based on the content of the messages. All of my SMS messages were available but with no names associated with them. I had never cleared my SMS log, so all messages incoming and outgoing were retained and available from the inception of the phone service. My meet up, greet up, lovely, or angry sexy time related flipping SMS messages to said spouse or others were still available. Everything! Frack man. I could receive Google Talk chats inbound via my regular Gmail account name and could respond only to those Google Talk messages. Yet, I was not logged into the phone with valid credentials. I tried the built in Chrome browser. My heart sunk. When I opened my browser, it took me to my domain Google mobile page. I could not access my applications like email unless I put in my business domain credentials, luckily. Could this mean that no matter if you are logged into the phone with valid credentials or not, the former person’s home page, browsing history (yes, complete from the last time I dumped cache), and possible credentials for services are still retained somewhere on the phone? That is already a great deal of information about a person to be essentially accessible to anyone logged into the phone or not. The Android Market was fully accessible. At that point I should have been logged out of the Android Market. I hadn’t bought an application. This would allow access to the Google pay system associated with my <sameusername@google.com> regardless if I were logged in as <sameusername@google.com> or not. Per the Android release notes for 1.6, access to the market should be restricted if you’re not logged into the phone with a valid Gmail account. This would make sense, as this allows full access to the pay system. I guess the release notes need some correcting. The reason the market was accessible is due to one or more of my applications already in the notification bar requiring updates. Going directly from the notifications bar, I could access the market, update my software and download any software. This appears to override the need for credentials. About a week went by and I woke up one morning to my phone not really working OS-wise. The Android Market wouldn’t let me in and the phone now wanted me to log into Gmail. I used my trusty Any Cut and I ran the setup wizard again. I tried my credentials again and got the same message: “waiting for sync: this may take up to 5 minutes.”

A Different Tactic

I decided to create another Gmail account. This time is was <sameusername>1@google.com. I logged into the phone OS and the built-in browser showed via Google search that I was logged in as <sameusername>1@google.com. I could use the Android Market again. I was happy at this point, until I got an incoming Goggle Chat from my spouse. I had created the new account not more than 15 minutes prior to the incoming chat so no one knew about it yet. I answered back, “What Gmail account did you send this to?” The response, “<sameusername@google.com> – the only account I know about.” I was, at this point, logged into the phone but as <sameusername>1@google.com. I had full access to <sameusername@google.com> chats and could talk back and forth with my Gmail contacts logged in as someone else. My Chrome home page to me to my <sameusername@google.com> Google application home page. If I went to a Google search via the built in browser at the bottom of the page, it showed I was logged in as <sameusername>1@google.com. No contacts were listed still, but my entire call log was available. All browsing history since the last dump remained. I could not use the built-in Gmail application, but I could use the Chrome browser to navigate to both accounts.

All Was Never What It Seemed

My spouse, a “you should have asked me – I am a master programmer and can fix almost anything,” was right. I handed my phone over because it was still unable to receive incoming phone calls. Little did I know this setting is in the “main settings,” “call settings,” “GSM call settings,” “additional GSM only call settings,” “call forwarding,” then finally “always forward with my international voice mail phone number built in by default. Otherwise known as an infinite loop of insanity.

Conclusion

You don’t need root; you don’t really need to “hack” anything. On any 1.6 (probably beyond too) version of an Android OS cello phone, force a re-run of setup, enter the wrong credentials on purpose, and you have sweet access to the previous settings and plenty of private information to keep you naughty. I have heard the claim “well, not in newer versions.” Then I suggest Google force their manufacturers to maintain the OS. If the issue isn’t fixed, consumers with version 1.6 are stuck with a huge gaping security hole. “New” Android Tablet PCs are shipping with the 1.6 version to unsuspecting users. All information stored on an insecure phone OS is fair game, including your contact information. I agreed to the terms and conditions, but my contacts weren’t given that option. My journey ends here. An affair with a phone OS that broke heart, and is willing to leak my data to anyone.

This is a repost from the original by the author from 2600 Magazine, Winter 2010-2011

FBI DNS Changer Deadline Extended to 9 July, 2012

FBI DNS Changer Deadline Extended to 9 July, 2012

The US FBI was granted an extension on the court order to maintain control of the DNS Changer IP ranges until 9 July, 2012. This extension was granted based on the large amount of computers and routers which were still making DNS requests to these IP ranges. According to The Register, a research group called IID found about 18.8% of all US Fortune 500 companies surveyed were affected on 23/02/2012. This is a substantial decrease, down from 50% of US Fortune 500 companies in January, 2012 based on a previous study by IID.
The FBI court order might not be extended again due to substantial decreases in the number of USA based suspected infections. Conversely, our group has observed suspect infections in approximately 25% of the networks we advise and consult for in Europe, Africa, Middle East and Asia Pacific. The infections in the USA might be dropping; however, too many non-USA geo-located IPv4 sources remain infected. The majority of identified assets were fully updated and patched end point assets, critical servers with up-to-date Anti-virus software or routers with modified configuration files.

Why do so many suspected infections remain? 

  1. Over reliance on Anti-virus software.
    1. A clean anti-virus scan does not equate to a clean asset, it just means that version and vendor of anti-virus was unable to find an infection at this time. Malware can be written specifically to evade or disable certain features of anti-virus software.
  2. Inability to understand the risks of allowing external DNS requests to untrusted locations.
    1. You wouldn’t knowingly ask the enemy for directions to your own ambush. The same principal applies to allowing or not investigating external DNS requests to un-trusted or suspected malicious DNS servers.
    2. Also, just because a firewall dropped outbound activity does not mean there is no risk to the network. You still have a suspected infected machine that requires investigation.
  3. Inability to find the end points due to short TTL’s in large DHCP based networks or other issues.
    1. Finding end points has been a big challenge for our clients. Their networks have grown or merged in many cases without full documentation or change control. This is a huge gap in security for many but one that can be easily remedied through documentation and network mapping applications.
  4. Lack of time or fiscal budget to properly review logs.
    1. Please review your firewall and proxy drops, this is very, very important.

If your organization has assets making DNS requests to the FBI controlled IP ranges related to the DNS Changer they need to be investigated. We start in the following order in large networks with many possible infections:

  1. Revise firewall or other perimeter controls to avoid more assets making suspect requests, e.g. close the hole.
  2. Investigate all assets which successfully made DNS requests.
  3. Investigate assets attempting to make DNS requests by frequency and criticality of the asset.
    1. If the asset in question is a critical router or server, especially a DNS server open an incident immediately as further compromise of the network is suspected.
    2. If one asset is making 1000 DNS requests while another made 25 investigate the more active asset.
    3. Review the configuration file of routers which might be compromised and check through the DNS settings.


Source: http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

 

Reporting can be your friend and can lead to pro-activity, i.e. don’t wait for your anti-virus to alert you to an infected machine. For example we wrote a very basic series ArcSight reports which runs on a daily basis:

  1. All assets making DNS requests to the FBI DNS Changer IPv4 ranges successfully.
  2. All assets attempting to make DNS requests to the FBI DNS Changer IPv4 sorted Z-A showing the assets making the most DNS requests at the top of the report with a bar graph.
    1. Using graphs can help visualize the problem to management and gain their buy-in. Looking at the problem from a business standpoint does not make you less technical but better at communicating the issue to those that approve budgets, staff and possibly investigations.

If you have any questions, concerns or techniques which have been successful in your organization please feel free to share them.