Aujas US

An IDG Ventures Company

How I Hacked My Car Manufacturer

There are very few articles that I would consider “rerunning” in Risky Business; however, this is one that is worth repeating.

When I read there was going to be a social engineering competition at this year’s Defcon (the annual hacker gathering held every summer in Las Vegas) I knew I had to enter. It was the perfect chance to hone my sweet-talking skills in a judged and neutral setting, and also to test my hypothesis that not only is social engineering a risk to regular end users in an enterprise, but even corporate InfoSec teams are not immune from the threat.

Social engineering is essentially “pretexting” your way into getting people either to divulge sensitive information or to let you into areas you otherwise shouldn’t be in. You’re the sprinkler inspector who shows up unannounced at the front desk, or the harried internal auditor racing to meet a deadline who calls an employee seeking information about their computer system. Given most people’s inherently trusting and helpful nature, social engineering attacks are surprisingly successful, which is why most corporate information security training programs address the threat. One would assume this means InfoSec groups should be aware of any such attempt. As Gershwin would say, “it ain’t necessarily so.”

For the Defcon contest, each entrant was randomly assigned a major corporation as a target. Mine just so happened to be the manufacturer of my car. Sweet revenge. The first task was to create a dossier on the target company, solely from information gleaned from the Internet and public sources. There were to be no pre-contest calls, visits to the company’s headquarters, or contact with the company in any way whatsoever.

After crawling various search engines for email addresses, phone numbers, addresses, press releases, and other valuable information, I moved onto social networking sites like LinkedIn and Facebook. Soon I had accumulated almost 1,000 email addresses, hundreds of recent press releases, and a couple of employee handbooks as a good starting point. Next, any email addresses not correlated to a name were cut, as were any that couldn’t be verified as current or recent employees. The remaining email addresses were then fed into the various search engines to pick out only employees that worked in my target’s information security group. These were in turn fed back into the search engines to see if anything interesting fell out; information like hobbies, school affiliation, etc.

Soon the file was whittled down to approximately 75 people for whom I had gathered at least two points of information that I could use during my pretexting to gain an elevated level of trust. If the target had an interest in flying, I’d be sure to work a local air show into the conversation. Building any sense of familiarity or commonality with a target boosts the success rate of a social engineering attack exponentially.

Next I had to develop the attack vector I would use. Since I was targeting the InfoSec group, I knew I couldn’t use the old standby of posing as an auditor for the company. That is such a commonly used ploy that most if not all InfoSec employees should be able to sniff that attack out a mile away. Instead, I settled on posing as a survey taker for CSO Magazine. That would give me cover for calling the security group and asking questions about their security environment.

Three weeks later I was in the soundproof booth at Defcon, dialing through my list of numbers in front of a live audience as I perused the list of “flags” the judges had given me to collect; essentially pieces of information useful for a hacker attack. The first number to answer gave me hope that my hypothesis might be wrong. The security engineer at the other end of the line was very hesitant to speak with me, and very quickly shut me down, refusing to answer any questions that would reveal any technical information about the company. That was a promising sign – perhaps training of InfoSec personnel was starting to become effective.

Not so much. My next target was another security engineer, who, although initially having misgivings about speaking with me, was quickly convinced to participate through both my pleading that I only needed 10 minutes of his time and that I was risking losing my job if I didn’t meet my daily target, but more importantly, that there was a $25 iTunes gift card waiting for him upon completion of the “survey”. Greed is always a good motivator. Within 15 minutes I had sweet talked the guy into revealing everything from the OS version and service packs installed, browser type and version, to his anti-virus engine and signature version. Basically anything needed to launch a successful targeted attack.

So much for training

In the end I had proven my point: InfoSec people are no different from other end users. While they may have more security awareness training than others, they are still susceptible to the same weaknesses as everyone else: greed, a desire to assist, and a fear of getting in trouble or creating delays in “mission critical” tasks. More important, they suffer from the same weakness that everyone seems to suffer from – the belief that they would know if they were ever being “snookered.”

So what can be done to protect against social engineering attacks? To prevent on-site attacks, make this the golden rule that is *never* broken: “unannounced visitors aren’t let in if their corporate sponsor isn’t reachable to validate the visit.” To prevent general social engineering attacks, focus your efforts on ongoing awareness training (once a year is not enough), routine testing of personnel to see how effective the training is, and most important of all, reducing information leakage. The amount of information that companies allow employees to post about their jobs and corporate environment is shocking (not to mention the information the companies themselves leak). Take an hour and peruse the various social networking sites like LinkedIn and Plaxo and see what information you can glean about your employees, the projects they are working on, and what software they are using. Regularly run your company’s name through the various search engines to look for information coming from unlikely sources (it’s not unusual for contractors or suppliers to post information about dealings with other companies, which inadvertently leaks helpful information to an attacker). Doing this exercise from the point of view of an attacker or competitor who knows nothing about your company will allow you to quickly see how many pieces of seemingly disparate information can eventually form a cookbook for a successful attack.

Train and monitor your staff, plug the leaks, monitor the web. Take these three steps and you will be on your way towards reducing (but never eliminating) the threat of social engineering attacks.

Shane MacDougall is a principal partner in Strategic Intelligence, a Canadian-based corporate intelligence gathering firm. He has been a professional white hat hacker, security consultant, and speaker since 1989.

November 8, 2010 | Risk management, Social Engineering, White Hat Hacking

Number of Breaches Going Up and Up!

Information management is critically important to all of us – as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us protect data and assist companies in their activities.

In issue 17 of Risky Business, I posted this brief article and supporting statistics for you to read. I was curious to see how the data would change in one month; I assumed it would go up, but by how much? You can see for yourself in the last line below.

The following data was collected from the Identity Theft Resource Center® website:

Year                      Breaches   Records exposed
2005                         157        66,853,201
2006                         321        19,137,844
2007                         446       127,717,024
2008                         656        35,691,255
2009                         498       222,477,043
2010 (as of 10-5-10)         533        13,517,866

2010 (as of 11-2-10)         571        14,000,609

November 8, 2010 | Cyber Crime, identity and access management, Identity Theft, Risk management

Understanding the Need for Converged Access Control

According to a study conducted by Carnegie Mellon University, critical system disruptions, loss of customer and partner information, loss of confidential intellectual property, brute-force attacks, fraud, reputational damage and similar incidents were largely attributed to actions by insiders.

The grave danger of insider threats arising from employees who retain system or physical access after termination can be seen in a shocking recent incident. An auditor at a US-based water service company, who had resigned from his post, sneaked into the company’s building and used a former coworker’s computer to transfer $9 million from company funds to his personal account.

Insider threats, in which disgruntled employees or ex-employees gain access to the enterprise’s systems or networks, are one symptom of improper identity management.

Proliferating Disconnected Identities – the Root Cause of Identity Mismanagement

In most organizations, logical and physical identities multiply to the point where it becomes difficult to track and manage all of them effectively.

On the logical side, an employee has one identity in the enterprise HR system, such as SAP. That record typically holds salary, benefits, insurance and other employee-specific details. The same employee has a second logical identity in the IT department’s directory software (from Microsoft, Novell, CA, Sun Microsystems or Oracle), which controls that identity’s permissions on the network, databases and applications. Within the organization’s intranets, databases and applications the user may have still more identities, in the form of the different user IDs, passwords or PINs used to log into each resource. And the employee has at least one more identity: a physical credential of some sort used to access the organization’s infrastructure – workstations, buildings, floors, parking garages, warehouses, research labs and so on.

Mergers and acquisitions often leave an organization with more than one brand of Physical Access Control System (PACS). Where several PACS brands and several facilities or areas are in use, a user may hold more than one physical access credential, and therefore more than one physical identity.

Unconverged identity management systems result in either error-prone manual intervention or security gaps.

Next: The Need for Converging Identities

November 4, 2010 | Access control, identity and access management, Risk management

Stuxnet Accelerates Exponential Decay!

Often, change within the technology arena is seen through the lens of Moore’s Law: the number of transistors on a chip doubles roughly every two years (popularly restated as computing power doubling every eighteen months). Many predictions of the Law’s demise have come and gone. As technology approaches the physical limits behind Moore’s Law, innovation has accelerated. Moore’s Law was a convenient way of expressing technology’s exponential growth.

However, the Law’s converse – exponential decay – has eclipsed the “Law” and is unrestrained. The broader concept of exponential decay operates unreservedly: it spurs innovation, is not constrained by the present, and arises from the half-life of earlier developments.

Information security solutions follow the same construct. The perimeter defense built to address external threats has degraded to also-ran status; expanding business needs and attackers actively circumventing the perimeter render it less and less effective.

The progression of security threats follows an exponential decay model as well. Hacking for its own sake has given way to monetization attacks and espionage; sophistication grows, barriers to entry fall and specialization rises. Exponential decay also produces geometric increases in the records and funds lost in breaches.

Stuxnet’s introduction to the world represents the next stage of this decay. It epitomizes a militarized threat capable of incapacitating industrial production, and such a sophisticated cyber capability encourages derivatives.

Stuxnet’s ability to update itself in the field (its “mutation”) and its intra-communication between infected hosts have profound implications. An enterprise (military, government, academic, industrial, etc.) should consider itself compromised by some form of cyber-malice capable of harvesting or destroying value, whether or not it has yet found one. Intra-communication between infected hosts is difficult to detect.

One enterprise defense against mutation and intra-communication is layered protection (as opposed to layered defense). While the enterprise perimeter is an anachronism externally, it still has value inside the enterprise: tightly controlling access by segmenting and limiting it buys the protection and time needed to address such attacks.

Emerging technologies that allow an enterprise to build layered, trusted perimeters – rings within rings – are exponential decay’s response to these new threats. Watch for DLP, SIEM and GRC applications to add layered perimeter capabilities and tracking of intra-communication. Include intra-communication monitoring within perimeters as a required feature in product selection or expansion.

Authored by Charles King, CISSP – King Information Security, LLC

November 4, 2010 | Access control, identity and access management, Risk management

The Need for Converging Identities

Part 2 in the Converged Identity and Access Management Series

One of the most important reasons for converging identities is that logical and physical identities multiply when they are disconnected, and managing them separately is time-consuming, expensive and inefficient. This applies across the organization’s domains – IT, physical security, business units and risk managers.

Another equally pressing issue is that security is more easily compromised when physical and logical identities are separated. A physical identity may appear legitimate to a standalone PACS while it is no longer trusted by the enterprise network. That is what happens when an employee is terminated in the logical systems and that information isn’t immediately relayed to the PACS. If the enterprise runs more than one PACS and they are not integrated with each other, it takes several more steps to ensure that every PACS blocks the ex-employee’s credentials.

Physical or logical credentials that remain live after an employee has left an enterprise are, at best, a compliance gap and, at worst, leave the virtual or physical door open to fraud. The US federal government has acknowledged the importance of converging these technologies and has been a significant driver of their development. In 2004, Homeland Security Presidential Directive 12 (HSPD-12) was issued, requiring a common identification standard for federal employees and contractors: a single badge used for both physical and logical access. The accompanying standard (FIPS 201, the Personal Identity Verification card) specifies how the badge is designed, what identity elements are present inside the card, and how the card is used for physical and logical access. The policy is intended to enhance security, increase efficiency, reduce identity fraud and protect personal privacy.

November 4, 2010 | identity and access management, Risk management

Cyber Crime: The Ominous Writing on the Wall

With the media scrutiny and attention that cyber crime attracts today, it is evident that the sophistication, intensity and frequency of digital attacks have increased sharply. Technological advancements, changes in social behavior and the popularity of the Internet have allowed cyber criminals to make considerable financial gains, usually staying a couple of steps ahead of law enforcement agencies.

As the digital economy has grown in size and sophistication, so have the skill and intent of cyber criminals and the nature of their attacks. Some of the more common technical forms of attack include viruses, malware and spyware, spam, denial of service, phishing and password attacks.

While cyber crime encompasses a broad range of illegal activities, these can be categorized by the political, economic, socio-cultural and technical overtones of the attack.

Political Threats
A growing political concern among countries is the increasing use of cyberspace to carry out terrorist activities. Cyber terrorists not only intimidate governments and create panic; they also use the Internet to coordinate attacks and communicate threats. An example is Mujahideen Secrets, the jihadist-themed encryption tool released ostensibly to help Al-Qaeda and other cyber jihadists encrypt their online communications. Another example is the use of virtual worlds such as Second Life to conduct and participate in terrorist training camps. Additionally, political activism can be combined with hacking to target a country or group in pursuit of a political goal. Hacktivism, as this is called, is gradually gaining popularity, as illustrated by the 2007 attacks on Estonia following protests over the relocation of a Soviet World War II memorial. The attacks swamped the websites of Estonian organizations, including the parliament, banks, ministries, newspapers and broadcasters.

Economic Threats
The relative anonymity of the Internet has led to a thriving online black market: an underground economy of stolen goods, identity theft and rogue businesses. These rogue businesses use the Internet to deal in illegal products or practices, as exemplified by the Russian Business Network (RBN) based in St. Petersburg, a notorious organization that provided hosting for websites devoted to child pornography, phishing, spam, malware distribution and illegal pharmaceuticals. Identity theft is also a growing concern, with tactics such as vishing (voice phishing) used to obtain personal identities that are sold on the black market and used to commit credit card fraud and other crimes. Additionally, though corporations have always faced the threat of espionage, the opportunity to steal trade and corporate secrets has never been greater. With hackers, pressure groups, foreign intelligence services, organized crime groups and fraudsters willing to deal in illegitimate or stolen material, illegal economic activity online will continue to accelerate.

Socio-cultural Threats
Cyber crime also has far-reaching socio-cultural repercussions, with social networking sites and virtual worlds increasingly used for tax-free commerce, child pornography distribution and other unsavory activities. This reality is catching up with Second Life, the much-hyped virtual world that lets users create avatars that walk, chat, fly, and buy and sell virtual goods for real money. The site has run into trouble with authorities over its gambling casinos, questionable virtual real-estate deals and alleged trade in pornographic photos of real children.

Technical Threats
As technology advances, cyber crime keeps pace with it. Technical cyber attacks include software piracy, botnets and threats against personal area networks, in addition to the more familiar spam, malware and virus threats. Software piracy is the unauthorized copying and distribution of software, mainly for financial gain; the same infringement model extends to sites that offer copyrighted music for free download. With the growing use of mobile devices such as BlackBerry handsets, PDAs and laptops, attacks on personal area networks (PANs, for example over Bluetooth) are leading businesses to encrypt and otherwise protect sensitive information on these devices.

While the threats of cyber crime are real and manifold, there is no single way to mitigate these combined risks. The simplest first step is education: a little knowledge and precaution go a long way toward preventing cyber crime. Countermeasures such as strong password protection, firewalls and safe banking practices can then be applied according to the threats and vulnerabilities actually faced.

November 4, 2010 | Cyber Crime, Risk management

Converged Identity and Access Management

Part 3 in the Converged Identity and Access Management series

Converged IAM (Identity and Access Management) is a system that joins disparate physical and logical access control systems to create a single trusted identity and one credential that carries the matching rights and grants access across the enterprise.

Converged IAM can’t exist without connections – preferably automatic, software-driven ones – between these logical and physical identity systems.

The most typical use case today involves a card reader integrated with an identity management or directory system such as Active Directory or an LDAP directory. Users swipe the access card at the door and use that same card to log on to network resources.

Logical identity integration for a user usually begins with links between the human resources system, an IT network component and the enterprise directory. The directory software, such as Microsoft’s Active Directory or similar tools based on the Lightweight Directory Access Protocol (LDAP), ensures that every employee has the network, software and database access – the virtual provisions – they need to do their work.

Many large enterprises already use identity management tools from vendors such as IBM, Novell, Oracle and Sun to provision users from the HR system into the directory, and that process is fairly well automated. The disconnection between logical and physical identity usually appears when it’s time to provision a user’s physical access rights – at the most basic, where and when that person is allowed to be within the enterprise. In many enterprises this task is still manual: a phone call, email or fax from HR alerts the physical security department to enter the new employee into the PACS and issue an access badge. Deprovisioning on departure follows the same manual path, which is where credentials get left behind.

Integrating the PACS with the enterprise directory addresses the problem of disconnected physical and logical identities. The value for the organization is a single, current view of who has rights to its network and to its physical facilities, and the ability to manage access rights and people’s responsibilities more efficiently as roles change.
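The failure mode described in Part 2 (an employee terminated in HR whose badge is still active in one or more PACS) and the provisioning chain described here both come down to the same question: does every live credential, logical or physical, still correspond to a current employee? The following Python reconciliation check is an added example written for this page (it is not Aujas code or a vendor API) and assumes a shared employee ID across the HR extract, the directory export and each PACS export; establishing such a common key is itself part of the convergence work. The rosters, account names and badge IDs are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Constructed sample extracts standing in for exports from the HR system, the
# enterprise directory and two PACS brands inherited through an acquisition.
HR_ROSTER = {
    # employee_id: (name, status, termination_date or None)
    "E1001": ("Alice Ng",   "active",     None),
    "E1002": ("Bob Okafor", "terminated", date(2010, 10, 15)),
    "E1003": ("Cara Lind",  "active",     None),
    "E1004": ("Dan Reyes",  "terminated", date(2010, 9, 30)),
}

DIRECTORY_ACCOUNTS = {
    # login: (employee_id, enabled)
    "ang":     ("E1001", True),
    "bokafor": ("E1002", False),   # disabled on termination, as it should be
    "clind":   ("E1003", True),
    "dreyes":  ("E1004", True),    # still enabled: a logical orphan
}

# Two PACS brands, each with its own badge format and its own export.
PACS_EXPORTS = {
    "HQ-PACS": {
        # badge_id: (employee_id, active)
        "0007321": ("E1001", True),
        "0007322": ("E1002", True),   # HR terminated Bob; nobody told this PACS
        "0007323": ("E1003", True),
    },
    "PLANT-PACS": {
        "B-44": ("E1002", True),      # Bob's second physical identity
        "B-45": ("E1004", False),
        "B-46": ("E9999", True),      # badge with no HR record at all
    },
}


@dataclass(frozen=True)
class Finding:
    system: str
    identifier: str
    employee_id: str
    issue: str


def reconcile(hr, directory, pacs_exports) -> List[Finding]:
    """Compare every live credential against HR status; return the ones that should not exist."""
    findings: List[Finding] = []
    terminated = {eid for eid, (_name, status, _when) in hr.items() if status == "terminated"}

    # Logical side: enabled directory accounts for terminated or unknown people.
    for login, (eid, enabled) in directory.items():
        if not enabled:
            continue
        if eid in terminated:
            findings.append(Finding("directory", login, eid, "enabled account for terminated employee"))
        elif eid not in hr:
            findings.append(Finding("directory", login, eid, "enabled account with no HR record"))

    # Physical side: active badges in any PACS for terminated or unknown people.
    for system, badges in pacs_exports.items():
        for badge, (eid, active) in badges.items():
            if not active:
                continue
            if eid in terminated:
                findings.append(Finding(system, badge, eid, "active badge for terminated employee"))
            elif eid not in hr:
                findings.append(Finding(system, badge, eid, "active badge with no HR record"))

    return sorted(findings, key=lambda f: (f.employee_id, f.system, f.identifier))


def physical_identities_per_employee(pacs_exports) -> Dict[str, Set[str]]:
    """Map each employee to every system:badge pair held; more than one is a split physical identity."""
    out: Dict[str, Set[str]] = {}
    for system, badges in pacs_exports.items():
        for badge, (eid, _active) in badges.items():
            out.setdefault(eid, set()).add(f"{system}:{badge}")
    return out


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, DIRECTORY_ACCOUNTS, PACS_EXPORTS):
        print(f"{f.system:12} {f.identifier:10} {f.employee_id}  {f.issue}")
    for eid, creds in physical_identities_per_employee(PACS_EXPORTS).items():
        if len(creds) > 1:
            print(f"{eid} holds {len(creds)} physical credentials: {sorted(creds)}")
```

Run against the sample data this flags Bob's two still-active badges (one per PACS brand), Dan's still-enabled directory account, and a badge with no HR owner at all; it also shows Bob holding two physical identities, the situation Part 1 describes after a merger. A converged IAM deployment makes this check unnecessary by driving PACS revocation from the same HR event that disables the directory account; until then, running it on a schedule is the compensating control.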

Next: The Importance of IT in Convergence

November 3, 2010 | Access control, Risk management

Secure File Uploads – Risky?

Recently we have had several inquiries about the risks surrounding file uploads. Here is how to think about this risk:

File upload has become a standard feature of today’s web applications. Social networking sites, blogs, forums, e-banking sites, video sites and corporate support portals all let end users upload images, videos, avatars, documents and many other types of files so they can share them efficiently with other users or with corporate employees. Every one of those upload forms is also an opportunity for a malicious user to compromise the server.

The more upload capability you hand to end users, the greater the chance of a vulnerable web application and of the feature being abused by malicious users to gain access to the site or to compromise the server.

It is therefore imperative that proper risk management be applied and that access controls and policies be implemented to maximize the benefits while minimizing the risks associated with such features.

The following practices should be enforced wherever file upload is allowed on a website or application; they will help you secure the upload forms in your web applications:
• Store uploaded files in a directory outside the web server’s document root, so that nothing a user uploads can be requested (or executed) directly by URL.
• Never overwrite existing files. On Apache this is what prevents the .htaccess overwrite attack, in which an attacker uploads a .htaccess file that re-enables script execution or changes handler mappings in the upload directory.
• Keep an allow-list of accepted MIME types and map each one to the extension the stored file may carry. Determine the type from the file’s actual content (its leading “magic” bytes), not from the Content-Type header or the file name the client sends; both are under the attacker’s control.
• Generate a random file name on the server and append the extension chosen from the allow-list. Never reuse the client-supplied name, which may contain path traversal sequences or a double extension such as image.png.php.
• Don’t rely on client-side validation alone; it is a usability aid that an attacker bypasses trivially. Validate on the server, ideally with client-side validation in addition.

There are many ways a malicious user can bypass naive upload checks, for example by relying on the attacker-controlled file name or Content-Type header instead of the file’s contents. For this reason, when implementing a file upload form in a web application, make sure to follow the guidelines above and test them properly. Enterprises considering file uploads in their environment should weigh the benefits the feature offers against the additional risk it brings. Once benefits and risks are understood, they should use a governance framework to ensure that process and policy changes are implemented and understood, and that appropriate levels of security are applied to prevent data loss.

If you have additional questions regarding Secure Development Lifecycle contact Karl Kispert at

November 3, 2010 | Access control, File upload security, Risk management