Friday, 20 June 2014

CodeSpace and protecting your intellectual property

The recent attack on CodeSpaces as reported by Help Net Security http://www.net-security.org/secworld.php?id=17028 shows how cyber attacks can be damaging to an organisations intellectually property. The attack was about availability, the DDoS was designed to prevent access by the clients of CodeSpaces but evolved into the permanent deletion of artefacts. The Incident Response process of CodeSpaces and its Business Continuity and Disaster Recovery (BC&DR) policy was found wanting.

So what happened


The attack on CodeSpaces was an extortion attempt, it is not clear from the CodeSpaces statement when the attacker had gained access to the Amazon EC2 control panel. What is known is that a DDoS attack was launched and a blackmail attempt was initiated with the attacker using a Hotmail account. CodeSpaces currently have no indication that a malicious insider was involved.

When CodeSpace started to investigate they found the attacker had control panel access but not the private keys.  According to their statement on the incident they believed that protected machines had not been accessed. However this did not prevent artefact’s being deleted via the control panel when the attacker realised CodeSpace was attempting to regain control. Codespace reported "In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted." The attackers have now appeared to of delivered what is a fatal blow to CodeSpaces .

How could it of happened


The critical factor to the attacker delivering a fatal blow was the attackers privileged access to the control panel for the hosted environment.

How and when the access was gained is not clear. Access to the Amazon EC2 control could have been obtained through a vulnerability within the control panel, knowledge of the credentials or brute forcing the password. It is unlikely since there has not been a spate of attacks on Amazon EC2 control panel that a vulnerability in the panel was exploited, but rather a social engineering attack on an administrator during the DDoS attempt or the password was brute forced prior to the attack indicating potential a weak password was used are the more likely options.

It could be a credible explanation that whilst trying to prevent the DDoS attack, an administrator might respond to a phishing attempt for credentials when in normal circumstances they more be more suspicious.  It is a common technique of attackers is to launch a DDoS attack to distract the administrators from the activities of hackers trying to break into a site. Whilst administrators are distracted during firefighting the DDoS attack and normal business activities such as responding to log events are ignored, these everyday activities would indicate additional malicious activities are underway.

Incident Response and BC&DR

A key part of any organisations BC&DR activities involves back up and protecting the back up files. CodeSpaces proudly discussed the Backups, Security and Continuity on their web site.

They claimed full redundancy; with data centres in 3 continents, they guaranteed 99% uptime.  For backups they claimed to backup clients data every time a change was made at multiple off-site locations. The backups were supposedly in real-time as they had invested a great deal of time and effort in developing a real-time backup solution that allows us to keep off-site, fully functional backups of clients data. They did state that backups are only as good as the recovery plan and claimed they had a recovery plan that it is well-practiced and proven to work time and time again.

However the password was gained, by having access to the EC2 Control panel the attacker was able to create multiple backdoor access routes and had full control over the artefacts including deleting them, affecting the availability. The attacker may of not been able to breach the confidentiality of the artefacts as they didn't gain access to private keys according to CodeSpaces.

Incident response procedures should of attempted to prevent remote access to the affected systems, in an in-house operation the network cable can be pulled and access obtained via a console. With hosted and cloud services this style of brute force disconnect from the internet is not possible. A better strategy would of been to create a new administrator level account, throw off all logged in users and disable all other accounts from login.

For BC&DR backups not only need to offsite but also stored offline, CodeSpaces were providing resiliency for clients rather than BC&DR for themselves.


Preventing it


With regard to the credentials to the EC2 Control panel, Amazon Web Services customers are responsible for credential management according to Amazon's terms and conditions. Amazon, however, has built-in support for two-factor authentication that can be used with AWS accounts and accounts managed by the AWS Identity and Access Management tool. AWS IAM enables control over user access, including individual credentials, role separation and least privilege.

A key part of any organisations BC&DR activities involves back up and protecting the back up files. Amazon do provide white papers and the tools and services to run BC&DR for an organisation, but it appears not only CodeSpaces ignoring the stronger authentication mechanisms that Amazon provide but they did the same for the support Amazon give to a BC&DR architectures.

The use of the cloud is not a replacement for a well thought out and implemented BC&DR policy.

What's Next


This attack could be conducted against a large number of organisations and not necessarily restricted to those hosted in the cloud. Organisations are not helping themselves in protecting sensitive data, in a recent survey by a  team of researchers from Columbia University (http://www.cs.columbia.edu/~nieh/pubs/sigmetrics2014_playdrone.pdf) who discovered by reverse engineering  880,000 applications found on Google Play that the developers had hard coded secret authentication keys in the apps, which can lead to attackers stealing server resources or user data available through services such as Amazon Web Services

Extortion or Blackmail are common threats on the Internet, the BBC have recently reported that Nokia 'paid blackmail hackers millions' (http://www.bbc.co.uk/news/technology-27909096) to keep source code and keys secret. Previously it was the gambling industry that were prone to blackmail attempts via DDoS, however increasingly with organisation dependent on the internet anyone could become a victim.

As it appears that password compromise was the key factor, the secure use of strong passwords must be part of the culture of an organisation, staff awareness combined with strong computer generated random passwords with technology such as passwords vaults and two factor authentication would mitigate attacks on passwords.

Additionally, well designed and implemented disaster recovery an business continuity plans that are tested should be in place. Cyber attacks and the results need to be catered for in the plan.

Wednesday, 4 June 2014

How is your password attacked?

We protect most of our systems and information with authentication credentials consisting of a username and a password. This is single-factor authentication using something we know (the password).

The passwords we use are open to attack, either by guessing the password and using it to log in, or as a result of a breach where user credentials have been stolen and the lists are subsequently attacked.

Below are some common attack methods used against passwords, along with potential countermeasures.


Social engineering

Attackers will attempt to gain your authentication credentials simply by asking. This can also be combined with other attacks to make them more effective. Most passwords are based on something personal; by discovering details about you, the attacker can build a profile of likely words. Think of the film Wargames, in which Matthew Broderick discovers that the creator of WOPR has left a publicly accessible backdoor with his dead son’s name as the password.

Here, the countermeasures are to educate the user about the danger of social engineering and how attackers use social media as a profiling tool.


Sniffing/Logging

There are various forms of password sniffing or logging that can be used by an attacker. Typically, sniffing is where credentials sent over the network – in particular over wireless networks – can be intercepted (sniffed) by an attacker recording the transmitted packets. An additional method - Software Keyloggers -  relies on infecting computers with malware that captures key strokes being typed (key logging). This can be combined with screen capture to record the use of virtual keyboards and drop-down boxes (such as the selecting of letters of your password), typically used by banking Trojans. Finally, there are physical key loggers that can be attached or built into a keyboard to capture key strokes. The latest versions of these have wireless interfaces built-in. Physical key loggers were mentioned in some of the reports about the Sumitomo Mitsui Banking Corporation in 2004. Wireless accessible KVM (Keyboard, Video and Mouse) over IP were installed in attacks on Santander and Barclays branches in 2013.

Encryption of traffic over the network, up to date anti-malware on devices and awareness of attempts to install hardware are important countermeasures. The PCI DSS mandates looking for rogue wireless access points, so physical inspection can be combined with checks for malicious hardware.


Password brute forcing


There are various brute force attacks, including attacks on the login screen or against the stored credentials.


Single account


Login screens can be attacked by repeatedly guessing the password and submitting the guess until it is accepted. Lockout mechanisms, such as only allowing four guesses before freezing an account permanently or for a defined period of time, can prevent or slow down these attacks. Captcha can also be used to prevent most automated attacks. Log analysis of failed login attempts should indicate that a potential attack is underway.


Stolen password lists


Stolen passwords lists are often protected by a cryptographic function called a ’hash’; popular forms of hash algorithms are MD5 and SHA1. A hash converts the input into a fixed length message digest; the same input generates the same message digest. An attack will take a guess at a password, which is then hashed using the appropriate algorithm and the resulting message digest is then compared to those in the list of stolen password hashes: a match indicates a correct guess. This is a time consuming process which can be sped up using various techniques including Rainbow Tables, which are pre-computed message digests that can be compared to the stolen password list. If a match is detected, then the plain text version of the password can be found.

To prevent the use of pre-computed hash tables, passwords are often concatenated with a random value (‘salt’) unique to a system before being hashed. Other techniques to protect against brute forcing include using a hash algorithm multiple times: the attacker must know how many iterations were used. The Linux shadow password file contains a line per account; the password field consists of a number of elements that include the hash algorithm, the salt, and the message digest. Linux also applies the selected hash thousands of times.

Password brute forcing can make use of parallel and distributed processing. Some attack methods make use of multiple GPUs in a machine, and each GPU can have thousands of cores. A 25 GPU cluster can process 95^8 combinations in just 5.5 hours, enough to brute force every possible eight-character password containing upper- and lower-case letters, digits, and symbols.

Stolen password lists are often posted on bulletin boards for other hackers to crack, and some hackers offer password cracking services.


Botnets


Hackers can also use botnets, which can consist of tens of thousands to millions of machines, to attack passwords. They can be deployed to brute force passwords lists, or to brute force account credentials with each machine sending a few guesses to the login page to stay within the account lockout rules – of course, when millions of machines are used, accounts can be guessed and accessed.
Prevention

Given sufficient resources it is always possible to brute force a password, but a high work factor (defined as the amount of effort – usually measured in units of time – needed to break a cryptosystem) will make it impractical to complete a brute force attack.

Strong passwords are able to resist attempts to crack a user’s credentials. The strength is measured in its effectiveness in resisting guessing and brute-force attacks; this is a function of length, complexity, and unpredictability of the password.

Length


The longer the password, the larger the combination space will be. If we assume just lower case letters then the following applies; as the length of the password increases, the number of potential combinations increases exponentially.

Number of lettersSampleCombination space
1a26
2aa676
3aaa17576
8aaaaaaaa208827064576
10aaaaaaaaaa141167095653376

For more complex passwords (by adding upper case and numbers) the combination space increases further.

Number of lettersSampleCombination space
1A62
2A93844
3A9a238328
8A9aA9aA9218340105584896
10A9aA9aA9aA839299365868340224

Complex does not mean strong

A complex password is not necessarily a strong password, if we look at a typical complex password rule, such as:
  • Minimum eight characters
  • Must use upper and lower case
  • Must use numeric characters
  • Must use symbols
This can result in a password such as:
 
P4s5W0rd#
 
This is not a strong password, even though it meets the complexity rules. The complexity of a password depends on the combination of the symbols used within the password not being used in a predictable way. The number of available symbols is dependent on the characters accessible through the keyboard and accepted by the application.


Unpredictability


Part of preventing a password being broken is its unpredictability. A predictable password would be one found in a dictionary, for example. There is a class of password attacks known as a dictionary attack, in which word lists – often from a dictionary – are used as the source of guesses in the attack. Word lists are not just dictionary lists, but could be lists of football teams or players; the potential source of lists is vast with the Internet having lists of just about every topic from girl’s names to the top million used passwords. This means that, for those Manchester United fans who use a player’s name as their password, there is a list of every player that has ever been in their squad. The tools that perform these attacks automatically switch numbers and symbols for letters based on well accepted rules and will automatically append sequences of numbers to the end of the word. If you used the player’s name Ryan Giggs as the basis of your password – i.e. Ry4nGi66s1973 – this can be guessed by most tools that will accept a list of Man Utd players.

Don’t forget that social engineering or looking at your Facebook page could reveal information that may help an attacker select a word list to use in an attack; you could be making your password more predictable by what you say about yourself online.


Conclusion


In order to create a strong password that is resistant to attack a user must select a password that is long, complex and not based on dictionary words or using ‘leet speak’ to convert letters to numbers or symbols. The longer and more complex it is the more resistant the password will be to attack. Combining passwords (something you know) with a second factor, such as a token (something you have, like your mobile phone), will create a strong authentication system.

Tuesday, 3 June 2014

Do I have to change my password again!!!

Over the last few months we seemed to be bombarded with advice to change our passwords, but did we need to change passwords and did we need to rush out and do it immediately!

For the last three major vulnerabilities and breeches, listed below, we have been advised to change passwords, some of those advising password changes were clamming we do it immediately, others were more specific in the advice

  1. Heartbleed
  2. eBay
  3. GameoverZeus
Taking each of these in turn, what should we of done in each case..

Heatbleed

I heard advice very early on about changing passwords immediately, however it was not long before the media took advice from the experts and modified the initial advice.

Heartbleed infected the servers provide the services we used, often we need to authenticate (logon) to these services. Heartbleed could allow attackers to compromise servers and gain access to passwords. Changing passwords before the server had been fixed, meant attackers could still get on to the machines and get the passwords. The advise from security experts was once your service provider advised the server was no longer vulnerable, then change your password. The good service providers did advice their clients when to change passwords.

eBay

This was a lot simpler, if you used eBay you should of changed your password, very slowly eBay did advice its users to change their password. In this case attackers compromised eBay and stole a list of credentials, whether the attackers can crack all the passwords is a matter for debate. The point is they could, therefore you should change your password as quick as possible.

GameoverZeus

Seen and heard advice from many media outlets today, especially radio where the advice was change your password. This is very poor advice. Changing your password will not stop you being infected, if your are infected changing the password just gives the attackers your new password.

If you have a Windows machine you will need to take note, otherwise those using other operating systems can sit back and relax as GameoverZeus attacks Microsoft Operating Systems

GameoverZeus is a financial trojan, it affects client computers i.e. our home computers where we store our financial records and login to our online banking from, it is typically our personal home computer.

What users need to do is firstly ensure they have not been infected by running tools available from most reputable anti-malware / anti-virus vendors. These tools can detect and remove the infection. A list of tools is available from the UK governments get safe online website http://www.getsafeonline.org/nca

If you are not infected or have successful removed the infection you should stop your computer from being vulnerable to GameoverZeus, the malware uses vulnerabilities in the operating system and applications to infect your computer, patching and keep up to date. Automatic updates and tools such as Secunia Personal Software Inspector (PSI) can help with this.

If you were infected you will need to change your passwords, in this particular case the authorities and ISPs are trying to identity infected machines and advise the owners to disinfect their machines and change passwords. So if your ISP contacts your officially, or you discover you have been infected, change your password.

Watch out for

Scams, phishing emails etc trying to catch out the unaware and take advantage of those trying to keep out with the official advice. Every major vulnerability, breach and malware outbreak will be exploited by scammers trying to infect you. Don't open email attachments and don't follow web links in suspicious emails.

Good Practice

Good practice is to use strong passwords and change them regularly. Follow advice from the security experts on the strength of passwords, no dictionary words, no names. Use upper case, lower case, numbers and symbols and use long passwords.

Don't use the same username / password combination for all your accounts, a compromise of one could lead to all your accounts being compromised,

Cryptolocker and GameoverZeus

National Crime Agency Announcement

On 2 June the UK’s National Crime Agency warned that people have just two weeks to protect themselves against the Cryptolocker ransomware and a strain of the ZeuS (GameoverZeus) password sniffing malware – before both rise from the dead. The FBI disrupted the command and control systems for these pieces of malware, but the National Crime Agency thinks it is only a matter of time before a new command and control system is in place and attackers regain control of the malware.

Andy Archibald, deputy director of the NCA’s National Cyber Crime Unit, offered the following advice, “Our message is simple: update your operating system and make this a regular occurrence, update your security software and use it and, think twice before clicking on links or attachments in unsolicited emails.”

What are Cryptolocker and GameoverZeus?

Both these pieces of software are described as Malware, GameoverZeus is an advanced financial fraud Trojan and Cryptolocker extortion tool. Both are described in detail by the article published by Symantec
http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network which describe both items of software, how they work and gives details on removing GameoverZeus.

How does this affect John or Jane Smith ?

Over the last two days it has been widely report in the media (TV, Radio, Internet, Newspaper) that people have two weeks to protect themselves from the malware and this is generating concern. A number of my colleagues have asked me about protecting their computers.

An important point to remember is not to panic, there are going to be phishing and malware campaigns designed to engineer the panicked individual into downloading malware. These campaigns will offer advice and tools on fighting the oncoming onslaught of malware and try and get your to open an attachment or visit a website, both of which will infect your machine.

It is important to get people to protect their computers, the advice given by Andy Archibald is sound security advice and should be what everyone is doing.

One of the points in an article published by the Register http://www.theregister.co.uk/2014/06/02/nca_gameoverzeus_cryptolocker_warning/ was that "More than 15,000 computers in Blighty alone have been hit by the ZeuS malware". In terms of infection this is a small proportion of personal computers in the UK. The Office for National Statistics report on "Internet Access - Households and Individuals, 2013" says that in Great Britain, 21 million households (83%) had Internet access in 2013. Although this does not give a accurate number of the number of computers in the UK it does indicate that they are tens of millions of computers in households across the UK. The actual infection rate of the Zeus malware is quite small.

It is important that people check their machines for infection, if they have been infected it needs to be removed and Symantec along with the other anti-virus companies have tools to do this. I do recommend that if you are not sure about your own anti-virus is to use a reputable online anti-malware tool that can be run from a website. Again all the reputable companies offer this type of software.

Protecting your machine

My advice is to ensure your operating system is updated and patched. The mechanism for doing this varies according to the operating system; for example, for Microsoft Windows 7, typing Windows Update into the search box in the start menu brings up the Update application so you can check for installed updates and see if there are any outstanding. Most operating systems allow a form of silent automatic update for critical issues.

A number of applications will allow you to check for updates: a useful tool is the Secunia Personal Software Inspector (PSI) https://secunia.com/vulnerability_scanning/personal/, which is a free computer security solution that identifies vulnerabilities in non-Microsoft (third-party) programs.

There is a vast selection of anti-virus and anti-malware software available and selection is down to personal preference. We do recommend that you select a reputable piece of software, and the top 100 list produced by Virus Bulletin has a summary of the performance of the most common antivirus/anti-malware software https://www.virusbtn.com/vb100/archive/summary. Selecting any of the software from the top quadrant https://www.virusbtn.com/vb100/RAP/RAP-quadrant-Aug13-Feb14-1200.jpg will protect your machine.

Conclusion

In summary to protect against malware you need to protect your machine, part of this is not falling for the phishing and malware email campaigns.
  • You need to ensure you are not already infected, there are a number of reputable online scanning tools that don't rely on binaries installed on your machine.
  • If infected, remove the infection. The well know anti-virus companies have the tools to this.
  • Install reputable anti-malware from a well know company
  • Ensure Operating systems, browsers and anti-malware are up to date
  • Keep the anti-virus definitions up to date.