Thursday, October 24, 2013

Checking out BackTrack Linux

For this blog I decided to take a look at BackTrack Linux and see what I could learn. BackTrack Linux is a suite of tools used for penetration testing. I downloaded an ISO and created a live boot disk. I tested the GNOME version 5R3. There was an impressive array of tools available. My goal here was just to take a cursory view of what tools are available. BackTrack Linux is available at http://www.backtrack-linux.org/.  I plan to load BackTrack Linux to a USB drive since some programs take a long time to load off of the DVD.

When I opened up the Firefox browser I noticed a link to http://www.exploit-db.com/. This is a database of a wide range of exploits, both local and remote, hardware and software based. The most recently posted exploits are shown on the homepage. New exploits are being found all the time. Exploits are listed by hardware and software type.

I looked at random tools to see what some of them do. One of the tools is called WebSploit. It can be used to set up a variety of DoS attacks. It can be used for man in the middle and XSS attacks as well. It even has a tool to load a backdoor on to a USB drive.

Another program I found was Aircrack-ng. This program is a cracking program for WEP and WPA Wi-Fi keys.

There were a whole bunch of online and offline password crackers such as John the Ripper and Ophcrack. There are also several tools for creating backdoors and rootkits. There was also just about every type of scanning and monitoring tool imaginable.

It did also have quite a range of forensic tools but I didn't get too far in figuring out how to use them.

Metasploit looked like an interesting tool. It scans systems and networks for vulnerabilities and then allows the user to attack the system using a database of exploits.

There are so many tools. It would take time to research and figure out how to use them, but it could be done. There is an amazing amount of power stuffed onto one DVD. But along with that power comes a great deal of moral responsibility. The creators of these tools are arming both sides of the battle. Both the good guys and the bad guys can use the same tools. If I took the time to learn these tools I could do some really unethical or even criminal things with them. With much power comes much responsibility. This exercise makes me much more aware of the need for good security. Anyone can get all these tools in a single download. If the good guys don't secure their systems and networks first, the bad guys will get to them.

8 Most Common Causes of Data Breaches

The 8 Most Common Causes of Data Breaches
By Fahmida Y. Rashid
May, 2013

This whitepaper by InformationWeek discusses the eight most common types of data breaches based on research by Verizon. Verizon researched 621 data breaches. It found that 78% of all data breaches were low difficulty. Most of these breaches could have been prevented with better security policies. Verizon found that 92% of all data breaches were the work of external parties. Another 14% were done by insiders and only 1% were done by business partners. Verizon found that 71% of the attackers targeted the end user’s computers. Verizon described 75% of the attacks as opportunistic, that is, the attacker exploited weaknesses he knew how to take easy advantage of.

Weak and stolen security credentials remain the biggest means of security breaches. Verizon found that 76% of breaches were caused by weak credentials. This includes guessing passwords and cracking weak passwords. Stealing passwords from another site is another common means, because people will often use the same password on multiple sites. Passwords are also compromised through keylogging malware or phishing. Verizon estimated that multifactor authentication could have stopped 80% of these attacks.

The second category of common data breaches Verizon found was back doors and application vulnerabilities. Some of these methods are well known, such as SQL injection attacks, and yet are still widely effective. Many of these attacks can be done by amateurs with scripts and automated tools.

The third common type of attack is malware. Directly installed malware made up 74% of all malware cases. Many times it was done by simply downloading the malware onto an unattended computer.

Verizon found that social engineering made up a third of the cases. Verizon noticed a big upswing in these types of attacks. Phishing was by far the most common method of social engineering, making up 77% of these attacks. The increasing amount of personal information on social sites is making social engineering easier.

Verizon found that many security breaches could have been eliminated by properly managing data permissions. Users are too commonly given access to data they have no real need for.

Another category of data breaches was misuse of data by insiders. This is a challenge because users think that they are entitled to the data. Insiders commonly transfer data to personal devices. One survey said that 56% of people did not think it was wrong to take company information with them when they left the job. Much of this information could end up with a competitor.

Physical attacks make up 35% of the attacks in Verizon’s survey. One growing type of physical attack is ATM skimming and another is tampering with point of sales devices.

Data breaches can sometimes happen through user error or improper system configuration. These errors are rarely reported outside the organization.

Wednesday, October 23, 2013

Using malware for penetration testing.

Penetration Testing With Honest-To-Goodness Malware
By Gunter Ollmann
October 01, 2013
Gunter Ollmann encourages using specially designed malware for penetration testing. This malware would be designed to report back and then remove itself. This type of testing is important because malware attacks are one of the main ways networks are compromised. Unskilled attackers using very average malware programs often succeed. Networks are adding layers of network security but are still leaving themselves open to malware attack. Malware is often installed using social engineering methods. This penetration testing would replicate the actual methods that malware attackers would use. This type of testing would not be easy, because a range of different attack methods would have to be used. Malware threats are increasing as more people bring their personal devices into the workplace.

Thursday, October 17, 2013

10 Emerging Threats Your Company May Not Know About

10 Emerging Threats Your Company May Not Know About

By Debra Donston-Miller

May 2013

http://www.darkreading.com/vulnerability-threats/util/10937/download
In this white paper Debra Donston-Miller discusses some emerging threats that many companies are not aware of.

At the top of the list of emerging new threats are embedded systems. An increasing number of devices have Internet systems embedded into them. From the network standpoint these devices act like just another PC or server. These devices have the potential to be used by an attacker to compromise or penetrate a network. Network administrators likely do not even know the location of all these devices. One researcher stated, “Companies have been further integrating mobile devices into their networks, into their environments. You basically have this little computer that you use to [for example] make phone calls that also has access to all of your corporate resources.”

The increasing use of mobile devices will become a major security threat. Employees bring their personal devices into the workplace and use them to access company resources. There are often few security controls over these devices. It is especially important to educate users on security with mobile devices. Many of these devices have 3G/4G service. These devices can give access to the company's network that bypasses all of the company's security controls. Administrators would have no idea what traffic is flowing outside of the company. Hackers could install malware to give them access to the network through the device's 3G/4G connection.

App stores are another security threat to mobile devices. Every device maker has its own app store. Not all vendors make sure that these apps are properly vetted for security. Apple requires that all its apps are signed by the vendor but Android apps can be self-signed. The app stores could be a means of installing malware.

A growing threat to network security is what the paper calls the “consumerization of IT”. As the price of equipment comes down and cloud services become widely available, more and more people are gaining access to what were once enterprise-only applications. These users can set up their own network systems but have little understanding of the security issues involved. There is a danger that these users could set up their own hardware, software, and services without the company's IT department knowing it.

There will also be a growing risk of what is referred to as “accidental cyber threats”. This happens when users expose company data through carelessness. This could happen when someone takes sensitive data home on a USB drive, sends it to a cloud service like Dropbox, or sends it to a personal email account. Users could also be working remotely on an unsecured network.

Another risk that few companies consider is the risk from the equipment supply chain. Many companies are buying equipment on the “gray market” through places like eBay. Besides the risk of getting defective or substandard equipment, there are serious security risks. The seller could install malware or backdoors on this equipment.

Cyber espionage is a growing danger. The Pentagon has accused the Chinese government of targeting US computer systems for intrusion. The Chinese aren't just targeting the US government but a wide range of businesses. They are stealing a wide range of valuable technology and trade secrets. Other actors are also involved in cyber espionage. These attacks are highly advanced and difficult to guard against. Even smaller companies are being attacked.

With the growing popularity of social media, there is a danger that people will expose confidential company information on their personal sites. For instance, someone could let out the release data of a new product while talking about work on Facebook.

A new type of malware called ransomware is emerging. Ransomware either locks the screen up or encrypts the data on the system. Companies often will quietly pay the attacker to unlock the system rather than go through a long legal battle.

The paper also describes the growing use of “watering hole attacks”. Hackers inject code into sites their targets are likely to visit. There is no need for direct contact that way. Tibetan sympathizers have been spied on this way.

As technology advances, the attack surface on network systems is growing. Average users have the means to seriously compromise a network system, even if it is done unintentionally. The paper stresses the need to educate the users on security issues.
Are industrial control systems vulnerable?

'Project SHINE' Illuminates Sad State Of SCADA/ICS Security On The Net

Kelly Jackson Higgins

Oct. 16, 2013
Project SHINE is a global Internet-scanning project that searches for SCADA/ICS devices and systems. Over a million devices have been found. Another 2,000 to 8,000 devices are being found on the public Internet each day. SCADA stands for supervisory control and data acquisition. ICS stands for industrial control systems. These devices cover a wide range of consumer electronics, routers, and industrial systems. Researchers on this project estimate that a quarter to a third of these devices are open to malware attacks or other types of attacks such as cross-site scripting or buffer overflows. One commonly used protocol on these systems, Universal Plug and Play (UPnP), is known to be vulnerable. Some of the devices have administrator passwords left at the default. Others have known backdoors left by the device's manufacturers. The state of security for SCADA/ICS devices was said to be alarming. Of greatest concern is the security of industrial and infrastructure controllers.

User-Selected Passwords Still Getting Cracked

User-Selected Passwords Still Getting Cracked

By Robert Lemos

http://www.darkreading.com/advanced-threats/user-selected-passwords-still-getting-cr/240162756
Robert Lemos warns that passwords are becoming increasingly vulnerable to attack. Password cracking utilities can leverage the processor on an off-the-shelf graphics card to make 26 billion password tries per second, because graphics cards are very good at parallel calculations. When Statford's password hashes were stolen, most were recovered within 24 hours. These passwords were eight randomly selected characters. 630,000 passwords were cracked. Researchers are developing advanced real-world lists of passwords for dictionary attacks. Researchers are also getting smarter at understanding the patterns people use when choosing their passwords. One expert stated, "Smart guessing is relevant when passwords are not totally random but when there was used some technique to create a password. In case of totally random passwords, only brute-force attack can help and that is when speed" becomes most important. The technique of substituting numbers and symbols for letters offers poor protection. Password crackers are aware of these methods and try them first. It is also important to use different passwords for different sites. Even with advances in password cracking, most passwords are stolen using social engineering methods.

Friday, October 11, 2013

Security issues during the government shutdown.

US Government Shutdown Creates Serious Cyber Risks: Experts

By Brian Prince on October 10, 2013

Top security experts are expressing grave concern that the government shutdown will seriously compromise the security of the government's information systems. Many agencies have only skeleton crews running the IT departments. There are too few people monitoring the government's sites. The shutdown also degrades the morale of the government IT workers. Even after the shutdown ends, there will be a backlog of work, such as reviewing security logs and installing patches. So security will be weakened for some time after the shutdown ends. Some government websites have completely shut down.

One expert described the danger in this way, "Another weakness during times like this is that people are easily fooled given that nothing is normal. Traffic patterns are different, the person staffing the desk may be different, with all this change, social engineering attacks can be very effective."

One expert stated that the government could lessen the risks if it had a continuity of business plan to handle such emergencies. The main takeaway I got from this article is the need to have emergency plans for unusual situations. This article discussed doing risk evaluation in making decisions during a crisis.
Generational changes.

Combatting Today's Attacks: It's a Generational Thing

By Marc Solomon on October 10, 2013
Marc Solomon expresses concern that while today's attackers are using next generation tools, defenders are still using last generation tools. Many in the security field are not keeping up with changes in the networking environment, such as the growing use of mobile devices, SaaS, virtualization, and cloud computing.

New attack methods are increasingly difficult to detect. Older generation defensive tools lack the historical data and intelligence to detect advanced attack methods.

As networks reach multi-gigabit speeds, network security devices have to keep up with the traffic. Older devices just don't have the speed.

He gives some suggestions of key questions to ask when talking to vendors of security equipment.

The first area to ask about is visibility. Can the equipment see all applications working in the environment regardless of protocol? Can it see hosts, infrastructure, and users? Does it have the ability to monitor changes in the IT environment? Can it provide site reputation information? Can it monitor network activity based on user, application, or device?

The second area of questions is to ask about threat effectiveness. Can the technology protect against known and emerging threats? Can it remain effective even under times of peak load? How does the technology detect threats? Can it detect and block specific types of threats? Can it compare baseline behavior against current behavior to detect anomalies?

The third area to ask about is the granularity of the system controls. Can the system allow fine-grained policies? If the policies don't allow sufficient flexibility, employees will be tempted to work around the security controls, thus making them worthless.

A fourth area to ask about is automation. Security systems can generate vast amounts of data. Can the process of sifting through all this data be automated, allowing the security person to focus on key events?

A fifth concern is the availability of advanced malware protection. Can malware be detected in cloud based systems? Is the system able to gather information on emerging threats? Does it automatically update all connection points?

A sixth area to evaluate is the performance, scalability and flexibility of the system. Can it handle the speed of today's traffic? Can it be upgraded to handle the increased traffic of the future? Does the system have third party performance results available?

A final area to evaluate is the management and extensibility of the system. Does the system allow for easy central management? Can I extend the system as needed? How well does it work with third party solutions?

As an IT person, I will likely need to participate in system design, purchase, and upgrade decisions. These are important questions to ask in evaluating a system. I will need to consider not just current needs but future needs as well. As an IT person, I will need to keep both my systems and my knowledge up to date.

Thursday, October 10, 2013

Israel's army chief concerned about cyber-attack.

Israel Army Chief: Future War Possible on Many Fronts

October 10, 2013

In this article the Chief of the Israeli Army expressed concern that a future war could be conducted on many fronts. Besides missile and terrorist attacks, the army chief is gravely concerned with the possibility of cyber-attacks. He stated, "It is possible that there will be a cyber-attack on a site supplying the daily needs of Israeli citizens; that traffic lights would stop working or the banks would be paralyzed." A cyber-attack, although hypothetical, was said to be in the realm of the possible.

Israel may sense a great danger of imminent attack due to its geo-political position, but such an attack could happen against the US as well.

Is privacy impossible?

Interview: "It's Pretty Much Impossible" To Protect Online Privacy
April 8, 2013

This article contains a radio interview with Bruce Schneier by Radio Free Europe. In this interview he describes the limits of privacy in the digital age. The interview starts by describing how major Internet players such as Google, Facebook, and Twitter are creating detailed profiles on each person. Not only do marketers buy this information, but government bodies are subpoenaing this information. Google publishes how many letters of request it is getting from national security agencies or other government bodies. He made an interesting quote, “So basically it's used to judge people. Either judge them for marketing purposes or judge them for political purposes.”

He stated how difficult it is to protect one's privacy against well-funded, skilled, and motivated adversaries. He expressed that there may be more danger from governments and corporations misusing the Internet than from its misuse by criminals and terrorists. He gave an interesting example that he believed that Microsoft was allowing different governments to spy on Skype users. Businesses have to obey the law. They are primarily focused on making profit and so have little motivation to fight the government. He sees a great danger of “those in power using the Internet to stay in power.”

NSA spy servers.

The NSA's New Risk Analysis
This interesting article describes how the NSA has a series of servers around the Internet designed to break into other computers. These servers are designed to lure other computers to them. Once the targeted computer connects with the NSA server, the target is evaluated as to value and vulnerability. An appropriate exploit is then used on the target computer. The NSA has profiles on target computers, evaluating the risks to take on the target, its value, what data is desired, and what methods to use. For high value targets the NSA reserves zero-day exploits. The NSA does place a high value on keeping its intrusions undetected. The report states that Microsoft gives advance warning to the NSA before it patches any of its vulnerabilities. Big Brother is watching you.
Thursday, October 3, 2013

McAfee Virus Alert Website.

As an IT professional, it will be necessary to keep track of ongoing threats. For this blog I decided to look at the McAfee virus alert website. The site contains listings of recently discovered new malware programs. This includes viruses, worms, fake viruses, and trojans. It also has a listing for recently updated viruses. Each threat is ranked as to its relative danger. The site includes a general threat alert indicator, indicating the overall level of danger. Currently it is set to elevated. It also includes a world map showing the hot spots for virus attacks. The user can drill down to find more information on a specific threat, such as type of program, method of infection and indications of infection. This site is useful to give a quick and ready overview of new dangers.

Breaking passwords is kiddie script stuff.

How I became a password cracker

by Nate Anderson - Mar 24 2013, 5:55pm PDT

In this article, the author describes how his editor gave him a challenge to see how many passwords he could steal and crack in a day. He had never cracked a password before. He was limited to using only information, resources and free tools that were available on the Internet. He described password cracking as “kiddie script stuff”. He said he was someone who “can't hack my way out of the proverbial paper bag” but by the end of the day he was able to crack over 8,000 passwords. This was done on an ancient Dell laptop.

His first challenge was to find a set of passwords to crack. He found this was easy. There are entire forums on the Internet dedicated to swapping lists of stolen user names and password hashes and assisting each other in cracking them. I found this alarming. It made me wonder if any of my personal information is just floating around on the Internet somewhere waiting to be stolen. He picked a 15,000 entry long password file which used unsalted MD5, a weaker hashing method. Most password cracking is not done online by repeatedly trying to log on to a website, since most websites limit the number of logon attempts. Rather, lists of password hashes are stolen and the cracking takes place offline.

He experimented with available free password cracking utilities, such as John the Ripper and Hashcat. He picked Hashcat because it had an easy to use GUI. He found the instructions to use it on a Wiki. He used a dictionary attack, which tries to break passwords by trying passwords one at a time from a list. This method works because people often use common words and easy to remember passwords. He found a list of 14.5 million commonly used passwords, called RockYou. The RockYou list is based on research into commonly used password patterns. Password lists are getting smarter. Tricks like substituting letters for numbers won't work anymore. New lists take that into consideration. He failed at first to set things up correctly until he found step by step instructions from a famous hacker on how to do it. He could add rules to the dictionary attack such as appending two numbers to the end of the word in the dictionary. This extends the power of the dictionary. This is a common way that people create passwords. Password hackers understand common patterns people use to create passwords and can use rules to test those patterns. Hashcat included a number of predefined rules. After working through some set up issues he was able to crack over 7,500 passwords in 16 minutes.

He also used the brute force method. This tries every combination of a set of characters, one at a time. It can be the most time consuming method. He was able to find a number of passwords using this method. To speed the attack up he used only lower case letters. He found 334 passwords in a minute. This shows the danger of using short and simple passwords.

He realized he could have cracked even more passwords had he used a more powerful computer or even multiple computers. Some password crackers will also tap into the processing power of the Graphics Processing Unit. There are other advanced cracking methods such as rainbow tables that he did not try.

The author suggested that salted hashes with a stronger algorithm than MD5 be used. Increasing processing power and growing sophistication of cracking tools are making passwords more vulnerable.
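To make the suggestion above concrete, here is an added example (not code from the article) contrasting the unsalted MD5 used by the cracked file with a per-user salted, deliberately slow PBKDF2 hash. The account data and the iteration count are constructed assumptions for this illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts for this illustration (not data from the article):
# two users happen to have chosen the same weak password.
ACCOUNTS = {"alice": "password1", "bob": "password1", "carol": "Tr0ub4dor&3"}

# Assumed work factor; raise it as hardware (and GPU crackers) get faster.
PBKDF2_ITERATIONS = 600_000


def md5_unsalted(password: str) -> str:
    """The weak scheme from the cracked file: fast, unsalted MD5."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus a deliberately slow key derivation.

    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' so the
    parameters travel with the hash and can be raised later without a reset.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    scheme, iters, salt_hex, hash_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def duplicate_hash_groups(hashes: Dict[str, str]) -> List[List[str]]:
    """Users whose stored hashes are byte-identical.

    With unsalted hashing, equal hashes reveal shared passwords and one cracked
    hash (or one precomputed table) unlocks every account in the group; a
    random per-user salt removes that property.
    """
    by_hash: Dict[str, List[str]] = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    md5_store = {u: md5_unsalted(p) for u, p in ACCOUNTS.items()}
    kdf_store = {u: pbkdf2_salted(p) for u, p in ACCOUNTS.items()}
    print("shared unsalted MD5 hashes:", duplicate_hash_groups(md5_store))  # [['alice', 'bob']]
    print("shared salted PBKDF2 hashes:", duplicate_hash_groups(kdf_store))  # []
    print("verify alice:", verify_pbkdf2("password1", kdf_store["alice"]))  # True
```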

The main takeaway I got from this article is that the commonly given advice for creating strong passwords may not give people the protection they think. The author was able to crack passwords that would have passed a test of password strength. What makes passwords so vulnerable? To be useful a password has to be remembered. People pick words and patterns that are easy to remember. Crackers are learning these patterns. For security, other methods of authentication, such as biometrics or security keys, may offer better protection. If passwords are to be used, a long randomly generated string would be stronger, although it would be hard to remember.
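As an added example (not from the article), the following check looks for the very patterns described above, a dictionary word with letter substitutions and appended digits, and sets it beside a checkbox-style complexity test that such passwords pass. The word list and the length thresholds are constructed assumptions for this illustration.

```python
import re
from typing import Optional

# Constructed mini word list standing in for a RockYou-style list (assumption for
# this example; a real policy check would load a large leaked-password list).
COMMON_WORDS = {"password", "welcome", "monkey", "dragon", "letmein", "football", "qwerty"}

# Reverse the letter-for-number/symbol substitutions that crackers try first.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

# A base followed by a tail of up to four digits and up to two symbols:
# the "word plus two numbers" style of mangling rule the article describes.
_TAIL = re.compile(r"^(.*?)[0-9]{0,4}[!@#$%^&*.]{0,2}$")


def naive_complexity_ok(password: str) -> bool:
    """The kind of checkbox strength test the cracked passwords would have passed."""
    classes = [re.search(p, password) is not None
               for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]
    return len(password) >= 8 and sum(classes) >= 3


def normalize(candidate: str) -> str:
    """Strip the digit/symbol tail, undo leetspeak and lower-case: what a rule engine sees."""
    base = _TAIL.match(candidate).group(1)
    return base.translate(LEET_MAP).lower()


def pattern_weakness(password: str, words=COMMON_WORDS) -> Optional[str]:
    """Return why a rule-based dictionary attack would recover this password, or None."""
    base = normalize(password)
    if base in words:
        return f"dictionary word '{base}' with substitutions and/or an appended tail"
    if len(base) < 6:
        return "almost all of the password is an appended digit/symbol tail"
    if len(password) < 12:  # assumed policy threshold for this example
        return "short enough for a brute-force pass over a few character classes"
    return None


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Dr4g0n99", "monkey", "x7Q!pm2Lz#9v"):
        print(f"{pw!r}: complexity_ok={naive_complexity_ok(pw)} "
              f"weakness={pattern_weakness(pw)}")
```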
New York Times DNS attack.

"How To Avoid Getting Your DNS Hacked Like The New York Times"


A few weeks ago the New York Times website suffered from a DNS attack. The hack was done by a militant group in Syria. The attack redirected viewers to the group's website. Matthew Prince, CEO of CloudFlare, stated that we should expect criminals to use DNS attacks more in the future. The article recommends choosing a domain name registrar with a strong reputation for good security. It also recommends using a strong password for logging on to the registrar and keeping it safe.

The hackers attacked Melbourne IT, the registrar for the Times' domain name. They were able to overwrite the Times domain name information. This was surprising because Melbourne IT has a strong reputation for security. It is used by other large organizations on the web, including Twitter. Why wasn't Twitter attacked? Twitter had a registrar lock in place, unlike the Times. Registrar locks are restrictive controls that make it more difficult to make changes at the registrar. Many users avoid using the locks because they are a hassle.
Registrars may have security features available that the users are often not aware of. Some offer two factor authentication such as requiring both a password and a code sent to a cellphone. Another security setup is to allow changes to only be made from one IP address, such as the one from the businesses office.