Category Archives: How To

Social Networking Threats

SECURITY IS ALL ABOUT KNOWING WHO AND WHAT TO TRUST

 

 

Social networking service (also social networking site, SNS or social media) is an online platform that is used by people to build social networks or social relations with other people who share similar personal or career interests, activities, backgrounds or real-life connections.

Social Network Sites such as Twitter, Facebook, Google+ , Pinterest, Instagram have attracted millions of users, many have integrated these sites into their daily practices. There are many sites, with various technological features which support a wide range of interests and practices. Most of them can be linked to their pre-existing social networks which help strangers connect and interact based on shared interests or activities.

This interaction reveals a lot of information, often including personal information visible to anyone who wants to view it. Hence privacy is often a key concern by the users.

Since millions of people are willing to interact with others, it is also a new attack ground for malware authors. They can spread malicious code and send spam messages by taking advantage of the user’s inherent trust in their relationship network.

Here are some of the threats targeting different social networks today.

  • Social engineering:

Social engineering refers to the method of influencing and persuading people to reveal sensitive information in order to perform some malicious action. It is easier to fool someone than to find vulnerabilities to hack a system.

An attacker chats with someone and then try to elicit information. By using a fascinating picture while chatting, the attacker can try to lure the victim. Then, slowly the attacker can ask certain questions by which the target can elicit information. They ask different questions to get the target’s email and password. Attackers first create deep trust with the target and then make the final attack. Gaining Trust is one of the phases in social engineering.

Common attacks:

Email with a link or an attachment that has malicious code embedded. Clicking or Downloading it will run the code and infect the target system.

This is one serious problem people face online today. Do not trust anyone online. Avoid sharing personal information.

 

  • Identity Theft:

It Is easy to access an account when the attacker has some personal information. For example, a common technique used is by clicking on “forgot password” and trying to recover the information through email or security questions. Once they have access to your email account, they then have access to all information on your social networking sites.

This can be prevented using 2FA (Two Factor Authentication).

Never share your personal information online.

 

  • Phishing bait :

Phishing is the attempt to obtain sensitive information such as usernames, passwords, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. Phishing is an example of social engineering techniques used to deceive users.

Attacker could create a clone of a website that is infected with malware and tell you to enter personal information. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Always make sure the URL’s are legitimate  before opening them.

 

  • Shortened links / URLs:    

Always be careful while opening a shortened URL.

URL shortening services such as bit.ly ,tinyurl, goo.gl are used to fit long URLs into tight spaces. They also do a nice job of obfuscating the link so it isn’t immediately apparent to victims that they’re clicking on a malicious link. These shortened links are easy to share.

 

Only click on links from trusted sources. This may not always protect you, but helps lower the risk.

Update browsers and operating systems regularly with the latest security updates.

 

 

  • Apps :

Try not to use apps like :

  • Facebook color changer
  • Celebrity Face Match
  • Who viewed your facebook profile
  • NSFW videos
  • Twitter instant followers
  • Pinterest bogus pins
  • Instagram free likes

These things asks you to post it on your profile or share it with your friends or watch a video tutorial. And some provide those functions. But what it actually does is allow attacker to obtain access to your profile and spam. Which can also infect mobile devices.

Change your passwords regularly. Delete unnecessary apps. Do not trust third party notifications. Be cautious about giving unverified apps or services access/permission to your account. Download apps from trusted source.

 

  • CSRF – cross site request forgery:

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser.

When you click on a link on a webpage, your browser sends a request to the Web server. These requests can broadly be categorized into two types: GET and POST.  A GET request is simply a request for a page, e.g. When you browse www.google.com. A POST request is sent when you send data to the server, e.g. if you search anything on Google, this would be sent as a POST request.

But what if it were possible to send a request from a user’s browser without the user’s consent?

It’s possible.

It’s simple and it’s called Cross Site Request Forgery.

Malicious requests are sent from a site that a user visits to another site that the attacker believes the victim is validated against.

The malicious requests are routed to the target site via the victim’s browser, which is authenticated against the target site.

PREVENTING CSRF :
The most common method to prevent Cross-Site Request Forgery attacks is to append unpredictable challenge tokens to each request and associate them with the user’s session. Tokens should be unique per user session, but it can also be unique per request. By including a challenge token with each request, the developer can ensure that the request is valid and not coming from a source other than the user.

 

  • Clickjacking :

Clickjacking (UI redress attack) is a malicious technique of tricking a user into clicking on something different from what the user perceives they are clicking on, thus taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of a script that can execute without the user’s knowledge, such as clicking on a button that appears to perform another function.

For example, imagine an attacker who builds a web site that has a button on it that says “click here for a free iPod”. However, on top of that web page, the attacker has loaded an iframe with your mail account, and lined up exactly the “delete all messages” button directly on top of the “free iPod” button. The victim tries to click on the “free iPod” button but instead actually clicked on the invisible “delete all messages” button.

To prevent, keep your browser updated.

Digital Forensics Comparison of Data Source Relevance per Investigations

Digital Forensics Comparison of Data Source Relevance

Many different sciences are grounded in the fact that certain information will never change.  For instance, gravity never changes, water molecules can be a liquid, solid, and a gas, and DNA can help match identity in human beings.  In digital forensic this is different because the medium in which they work is technology and technology changes all the time.  Keeping up on the latest in technological advances and their data sources which are common places to get specific information can be the difference between winning and losing a case.  Knowing where to look and in which order can change based on the type of investigation that a digital forensic investigator is working on.  We will look at the collection and examination of data sources based on the more common investigation that have been seen.

Network Intrusion Investigation

Network intrusions are a continual problem and will be for some time.  There won’t be a shortage of network intrusion investigations happening anytime soon.  (Fung 2013) says, “The Pentagon reports getting 10 million attempts a day.”  Which is scary and incredible statistic on its own.  But this isn’t just at the government agency level.  BP the energy company has been experiencing 50,000 attempts of cyber intrusion per day, (Fung 2013). In a recent report from Verizon not only are network intrusions steadily moving up, but it shows the time to compromise decreasing, (Verizon, 2016, p. xx).  This puts a large amount of pressure on the digital forensics community to speed their time for discovery.

Some of the different types of data that would need to be collected in a network intrusion investigation would be:

  • IDS and Firewall logs
  • HTTP, FTP, SMTP logs
  • Network Applications logs
  • Backtracking Transmission with TCP connections
  • Artifacts and remnants of network traffic on hard drives of seized systems
  • Live traffic captured by packet sniffer
  • Individual systems ARP tables, SNMP messages

Collection

Collecting data from these different areas are more challenging than other data in other areas of the system.  The data given will differ in all investigation but the object is to find any time of consistency in network intrusion investigations.  Many of the network intrusion investigations deal with network state.  Discovering the network state allows forensic experts to find possible entry points.  One of the first things that needs to be done is painting a picture of the network configuration.  Knowing a blue print of external facing applications and or api’s.  A beneficial tool in this scenario will be the ability to create an accurate timeline of events.  So, the number one priority of this investigation would be obtaining system and application logs.  This will allow a forensic expert to formulate a timeline. In Table 1 we can see that there are numerous types of data sources to pull data from.  However, the internal network and system logs which include Firewall, IDS, and Active Directory logs proves the most viable data sources to look for in this specific type of investigation.  There is also a very high probability of collection since most of the information is obtained by taking a snapshot of the logs from a cooperative network administrator.

Table 1. Shows the different data sources in a network intrusion investigation

In a network intrusion investigation, a forensic expert wants visibility at the packet level.  Both in bound and out bound.  The below prioritization of data sources is as follow:

  1. Internal Network System Logs
  2. ISP Service Logs
  3. Computer and or server hard drives

Examination

Examining the data that was found is a separate story.  Internal logs will contain the information that a forensic expert needs to build the important event timeline, however there will be could be large amount of data to examine.  Thanks to tools like encase this becomes slightly easier for the forensic expert.  This is where IDS systems play a huge role.  Intrusion Detection Systems can capture anomaly based events or statistical based events.  These will be flagged by an alert.  Focusing on the alerts that were presented can give a great starting point in the examination of a network intrusion investigation.  This is not the end all be all data source to look at in a network intrusion investigation in fact many things could change the type of data that a forensic expert gets back.  (Forensic Mag, 2013) says “any number of activities or events might influence or affect the collected data in unknown ways, including TCP relaying, proxy servers, complex packet routing, Web and e-mail anonymizers, Internet Protocol (IP) address or e-mail spoofing, compromised third party systems, session hijacking and other person-in-the-middle attacks, and domain name system (DNS) poisoning.”  Also, if there is a sophisticated network intrusion logs have the potential in being deleted or cleared.  The examination of the internal network logs is invaluable in this type of investigation.

ISP server logs also pose a great data source primarily because they can give you a general location of where the network intrusion came from.  Ultimately leading to an arrest.  Obtaining this session data can be done by obtaining a warrant for a specific customer.  This will give a forensic expert all pertinent data that an ISP has to a specific investigation, (Forensic Mag, 2013).

Malware Intrusion Investigation

Malware intrusion investigations include but not limited to worms, Trojans, botnets, rootkits and ransomware.  Malware is a huge problem in the United States and abroad.  (Panda Labs, 2016) says, “18 million new malware samples were captured in this quarter alone, an average of 200,000 each day.”  As seen below in Figure 1.  The most unbelievable part of this statistic is that this is based on just one quarter.  Malware investigations are on the rise.  Understanding how malware enters a computer and how it communicates gives the forensic expert a huge advantage in locating the exact places on a compromise system to look.  Which in turn increases the efficiency of the investigation.

Figure 1. Malware identified over the years.

Collection

Malware investigations unlike the network intrusion investigation predominantly looks at the malware itself.  Understanding how the malware was introduce may lead to a conviction.  Understand the level of complexity, damage and data leakage will be found on the hard drive of the infected computer or server itself.  More importantly at the RAM level.  As a matter of fact, (SANS Digital Forensics and Incident Response Blog, 2016), says “Investigators who do not look at volatile memory are leaving evidence at the crime scene.” Much like the data collected for the network intrusion investigation forensic experts need to understand a basic knowledge of what the operating system considers normal behavior.  For this network, golden images and IDS solutions may help identify normal behavior.  But the volatile memory on disk will be the number one for this type of investigation.  (SANS Digital Forensics and Incident Response Blog, 2016), continues by saying “It is this evidence that often proves to be the smoking gun that unravels the story of what happened on a system.”

Table 2. Depicts the order of data sources in a Malware installation investigation.

 

Examination

The examination of the volatile memory on the compromised computer or server will yield user actions, as well as evil processes and furtive behaviors implemented by malicious code, (SANS Digital Forensics and Incident Response Blog, 2016).  As RAM, would be the top data source that a forensic expert would be looking at, the Registry if this is a windows machine would also be of interest.  Time zone information, audit policy, wireless SSIDs, locations of auto-start programs, user activities and mounted devices can all be obtained from the windows registry, (Nelson, Phillips, & Steuart, 2010, p. xx).  As demonstrated in figure 2 below.  In figure 3 there is usb device information that can be obtain from the registry.  This would all be valuable information when studying if the malware moved from computer to computer on the internal network and it behaves in general.  Also, studying network logs to see if the malware is communicating with an external server would also be a data source to examine.  The prioritized list of all of the data sources for the malware installation investigation would like as followed:

  1. Computer / Server HD
  2. Internal Network System Logs
  3. ISP Server Logs

Figure 2. Shows the history obtained from a Windows 7 registry.

Figure 3. Depicts a registry value where USB device that was plugged into the computer

 

Figure 4. Shows the created date and last access date of a wireless network

 

Insider File Deletion Investigation

One of the biggest threats to a business is the insider threat. Insiders include anyone authorized beyond the authority of the public.  (Cohen, 2012, p. xx) says, “Specifically, 76% of disloyal insiders were identified after being caught to have taken steps to conceal their identities, actions, or both, 60% compromised another’s user’s account to carry out their acts, and 88% involved either modification or deletion of information.”  This includes a disgruntled employee that has possibly turned or a possible hired employee planted in the company working on behalf of another company.  One of the main reasons that this is such a difficult threat to detect is largely because the employee is given regular access to a company’s network.  Which allows for them to know where sensitive data is kept.

Collection

In this insider deletion investigation access to an offender’s hard drive of their computer would be a great first step.  Collection of this would more than likely show nothing since the insider more than likely would try and cover his or her tracks.  But using the person’s hard drive would give a forensics expert the ability to see if there are more devices that need to be considered in the investigation such as removable devices and remote storage.  In the event of file deletion, access to the computers that the data was deleted from can tell information about what account deleted the file.  (Cohen, 2012, p. xx) continues by saying, “While it is possible that an insider might use known malicious attack methods typically detected by intrusion detection methodologies and system, doing things that trigger such systems is rarely if ever necessary for an authorized insider.”  So as the network and system logs still might prove useful this would be very difficult to identify.

Figure 4. Shows Active directory of a user and his/her last login.

Examination

The data that will be gained from the registry of the insider’s computer HD registry would be the best starting point here.  Allowing a forensic expert to gauging a since of normal computer usage and seeing if there are any anomalies.  Using the data from the network active directory that controls the user accounts for the entire company would allow forensic experts to pin point the account that was used in the deletion.  In an examination combining the physical sensors, key card access, and account access from system logs proves to be invaluable.  In figure 4 above there is useful information that can be gotten from Active directory as well.  Examiner use this to combine this data together to understand consistencies and inconsistencies.  This could also give a forensic expert an approximate time of when this happened allow the examiner to build a potential timeline for the investigation.  As seen below in table 3 the starting point would be the compromised files on the hard drive of the given computer or server.

Table 3.  Data sources ranking in an insider deletion investigation

Conclusion

As we can see there are many different areas where a forensic expert can look for data.  As technology continues to advance these numbers will grow.  The amount of time that it takes to compromise a system versus the amount of time it takes to discover is still very far apart.  Which leads to the ultimate consensus in my findings that to be the forensic investigator on anyone of these investigations one would have to look everywhere.  Having a general understanding of the crime does help in many scenarios but not all.  When certain security measures aren’t put into place there is little an examination can do specifically in the insider threat scenario.  The forensic examination is only as good as the carelessness of the insider and the security that was in place at the time.  Having general guidelines, a clear understanding of the investigation, and a priority list of known data source places can go a very long way.

References

National Institute of Justice (U.S.). (2004). Special report, forensic examination of digital evidence: a guide for law enforcement (199408). Retrieved from publisher not identified website: https://www.ncjrs.gov/pdffiles1/nij/199408.pdf

National Institute of Justice (U.S.). (2007). Report, investigations involving the internet and computer networks. Retrieved from website: https://www.ncjrs.gov/pdffiles1/nij/210798.pdf

SANS Digital Forensics and Incident Response Blog. (2016, October 29). Digital forensics and incident response blog | malware can hide, but it must run. Retrieved from https://digital-forensics.sans.org/blog/2016/10/29/malware-can-hide-but-it-must-run/

Cohen, F. (2012). Forensic methods for detecting insider turning behaviors. 2012 IEEE Symposium on Security and Privacy Workshops. doi:10.1109/spw.2012.21

Forensic Mag. (2013, May 28). The case for teaching network protocols to computer forensics examiners: part 1. Retrieved from http://www.forensicmag.com/article/2013/05/case-teaching-network-protocols-computer-forensics-examiners-part-1

Fung, B. (2013, March 8). How many cyberattacks hit the united states last year? Retrieved from http://www.nextgov.com/cybersecurity/2013/03/how-many-cyberattacks-hit-united-states-last-year/61775/

Panda Labs. (2016, October 20). Cybercrime reaches new heights in the third quarter. Retrieved from http://www.pandasecurity.com/mediacenter/pandalabs/pandalabs-q3/

Shephard, D. (2015, March 16). 84 fascinating & scary it security statistics. Retrieved from https://www.netiq.com/communities/cool-solutions/netiq-views/84-fascinating-it-security-statistics/

Verizon. (2016). 2016 data breach investigations report. Author.

 

The latest development in Router Attacks. – What you need to know about people attacking your router.

Router Attacks – DNS Redirect

Routers are vulnerable to different types of attacks.  The first attack is the DNS Rebinding and Cross-Site Request Forgery attack.  This attack was demonstrated at the 2010 DEFCON as a modern attack against home routers.  The attack is fairly intricate in that it uses multiple parts in the actual attack.  The attack works in three parts.  The first part of the attack the attacker needs to be able to modify the DNS records.  Next the attacker must be able to create various pages on the target domain and link these with DNS.  The attack happens when the victim visits the malicious site.  Where the attacker obtains a user’s public IP address.  Then the attacker quickly creates a subdomain on the attack domain with two “A records”.  With one a record pointing to the server and the other points to the public IP address of the victim’s router, the web server redirects the victim’s browser to a page with JavaScript code that will execute the CSRF portion of the attack, (Trend Labs Security, 2010).   After both these steps are done the attacker has control of the Web Server meaning the attacker can send TCP reset (RST) commands on demand.  Finally, the browser begins to execute the JavaScript code which tries to connect to the temp subdomain, the attacking server will reply with an RST command and end the session.  The user’s system will try the other IP address that it knows about for the hostname, which happens to be the external IP address of the victim’s router, (Trend Labs Security, 2010).  Results are then channeled to the attacking server via a portal.  The attacker can then try different credential until they have success and fully connects.

 

DNS Redirect Prevention

There are a few ways to protect a router from this flavor of attack.  The first and foremost make sure one uses HTTPS and disable the HTTP console if this is a configuration setting.  Always use strong passwords for routers.  Remove factory default passwords always.  Also adding a firewall rule preventing devices on the local network from sending packets to the IP block that your public IP address is a member of.  Also keeping your firmware up to date is a huge help.  Using a No Script plugin can also protect against malicious JavaScript since this is a part of the attack.

 

CDP Attacks

Another attack happens to be in the Cisco Discovery Protocol which can be used by default with all cisco devices.  First off this protocol is enabled by default.  CDP contains information about the network device such as the software version, IP address, platform, capabilities, and the native VLAN, (Popeskic, 2011).  This information is also sent in complete clear text.  When this information is sniffed off of the VLAN internet traffic an attacker can use this to find other exploits to orchestrate an attack such as Denial of Service (DoS) attack.  CDP is also unauthenticated meaning an attacker can craft fraudulent CDP packets and have them received by the attacker’s directly connected Cisco device.  If an attacker can get access to the router via SNMP or Telnet an attacker can find the entire topology of a network at Layer 2 and Layer 3.  Which also includes IOS levels, router and switch model types, and IP addressing schema.

 

CDP Prevention

The way of preventing against the CDP attack is to simply disable the default configuration which allows this on the router.  Most administrators need to not just focus on disabling on a single interface which allows the CDP table to stay populated, but to disable on the entire device.  (Redscan, 2013) says, “CDP can be useful and, if it can be isolated by not allowing it on user ports, then it can help make the network run more smoothly.”

 

router

Figure 1. Warning message displayed on HTTP website from infected router.

 

References

Popeskic, V. (2011, December 16). cdp attacks – cisco discovery protocol attack. Retrieved from https://howdoesinternetwork.com/2011/cdp-attack

Redscan. (2013, December 19). Ten top threats to vlan security – redscan. Retrieved from https://www.redscan.com/news/ten-top-threats-to-vlan-security/

TrendLabs Security. (2010, August 10). trend labs security intelligence blog protecting your router against possible dns rebinding attacks – trend labs security intelligence blog. Retrieved from http://blog.trendmicro.com/trendlabs-security-intelligence/protecting-your-router-against-possibl-dns-rebinding-attacks/

TrendLabs Security. (2015, May 20). trend labs security intelligence blog new router attack displays fake warning messages – trend labs security intelligence blog. Retrieved from http://blog.trendmicro.com/trendlabs-security-intelligence/new-router-attack-displays-fake-warning-messages/

Securing Databases

Securing Databases

Database security is very important to consider in any organization or company.  It’s where an entities most valuable data is stored.  Personal identifiable information has been stolen from databases over and over in the last decade.  (Blackhat, n.d.) says, “By one estimate, 53 million people have had data about themselves exposed over the past 13 months.”  This was in 2006 after large data breaches from Bank of America, Time Warner, and Marriott International.  Today you could only imagine that there are many more.  A few suggested things to consider when securing any database or distributed system.  Separate the database from the web servers.  Encrypt any stored files in the database.  Keep patches current.

Keep the database server’s separate from the web servers is a great help.  Usually software when installed on a server will include a database and install it on the same server.  If an attacker can compromise the administrator account of the webserver he then has access to the database files.  (Applicure Technologies, n.d.) suggests, “instead, a database should reside on a separate database server located behind a firewall, not in the DMZ with the web server.”  Agreed this would increase the complexity of the installation but the benefits on the security are well worth it.

Another factor to consider is the way in which the data will be stored.  Encryption is an option for all data but will decrease performance in certain areas.  Knowing the kind of data like car information color, make, and model versus vin number and license plate number would help in determining the information that needs to be encrypted and does not.  Depending upon the business compliance whether HIPAA, SOX, and PCI may make this decision for us.  Encryption of also website files for instance a web configuration file may contain information to the databases the website needs to connect to.  Many times this is in clear text. (Applicure Technologies, n.d.) says, “WhiteHat security estimates that 83 percent of all web sites are vulnerable to at least one form of attack.”  These types of attacks are very frequent in number.

Lastly keep databases patched regularly.  Many databases have many other third party plugins that create other entry points into databases. At the time of their publication there were 8 DB2, 2 Informix and greater than 50 Oracle 0day vulnerabilities, (Blackhat, n.d.).  So the general consensus would be to keep the need for third party vendors and databases to a minimum.

Overall there is no exact method of database security it’s a practice and everyones implementation will be different based off of the needs of each business and the regulatory requirements that the business is subject to.

 

costofdata

Figure 1. Shows the cost of different types of data on the blackmarket.

topcompanies

Figure 2. Shows the top companies with data breaches in 2005.

 

References

Applicure Technologies. (n.d.). Best practices for database security. Retrieved from http://www.applicure.com/blog/database-security-best-practice

Blackhat. (n.d.). Hacking databases for owning your data. Retrieved from https://www.blackhat.com/presentations/bh-europe-07/Cerrudo/Whitepaper/bh-eu-07-cerrudo-WP-up.pdf